By Danny Restivo (Posted 5/3/17)
A few months ago, we looked at the legislative developments surrounding driverless vehicles–something that nearly all 50 states are thinking about. As driverless vehicles become reality and states continue to grapple with regulatory challenges, more threats have emerged, including the ability for hackers to take control of someone’s car whether they’re driving it or the car drives itself.
Recent technological developments have allowed drivers greater accessibility and convenience than ever before. Whether it’s a WiFi hotspot, a mobile car starter application, a locator connected to your phone or a computer located under the hood that monitors maintenance, new technology has given consumers and technicians a level of sophistication that was once the work of science fiction.
Unfortunately, a greater degree of convenience means an increased level of vulnerability. In August 2015, two hackers compromised a tech reporter’s vehicle on the highway (the Wired reporter was working on a story about the dangers of car hacking and was aware of their attempts). From a remote location, the two hacked into the reporter’s 2014 Jeep Cherokee and controlled the vehicle’s steering and brakes from a computer more than 10 miles away. Ultimately, the reporter’s car ended up in a ditch (no one was injured). The story grabbed public attention and Fiat Chrysler recalled more than 1.4 million vehicles, including Ram, Dodge, Jeep and Chrysler vehicles. A similar organized hack occurred in June 2016 when a British security firm purchased a 2017 Mitsubishi Outlander and successfully disabled the vehicle’s alarm system. Nissan, Tesla and Chevy have all experienced similar breaches in their vehicles’ computer systems.
The hacks underscore a growing concern among regulators and legislators that automakers haven’t built their communication systems securely. In light of these security vulnerabilities, the FBI, the Department of Transportation and the National Highway Traffic Safety Administration issued a public service announcement in March 2016.
“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the statement said. “Therefore, the FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”
They added: “Vulnerabilities stemming from wireless communication, such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi, can put drivers at significant risk.” The statement also included several best practices for minimizing cybersecurity risks:
- Ensure vehicle software is up to date
- Be aware of making any modifications to vehicle software
- Exercise discretion when connecting third party devices to a vehicle
- Be aware of who has physical access to your vehicle
If you end up a victim of a car hack:
- Check for outstanding vehicle recalls or vehicle software updates
- Contact the manufacturer or authorized dealer
- Contact the National Highway Traffic Safety Administration
- Contact the FBI
The NHTSA and the FBI also suggested that automakers and auto companies should consider the full life cycle of their vehicles, while creating a rapid response and recovery system to help stem cybersecurity incidents. With the introduction of autonomous driving technology by companies like Tesla Motors, Uber, and others, yet another layer of vulnerability has complicated the issue. In September 2016, the NHTSA issued a framework for states to regulate self-driving cars, but critics fault it for its lack of focus on car hacking. A 2016 report from the Government Accountability Office, an independent watchdog organization, said the Department of Transportation had not taken enough steps to help prevent car hacking.
“Until [DOT] develops such a plan … the agency’s response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take,” the report stated.
Shortly after hackers showcased their ability on a 2014 Jeep Cherokee, Senators Ed Markey (D-Mass) and Richard Blumenthal (D-Conn) introduced the SPY Act of 2015 (Security and Privacy in Your Car). The proposed legislation would have created a uniform regulatory standard for vehicle communication, while protecting a driver’s privacy data. The bill would also have created a “cyber dashboard” to inform the public of how well the vehicle protects drivers’ security and privacy. While Markey and Blumenthal’s legislation did not make it out of committee during the 114th Congress, they recently reintroduced the SPY Act legislation in March as S. 680, along with a reintroduction of the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber Air) Act (as S. 679 in the 115th Congress).
“This critical legislation will help protect the public against cybercriminals who exploit advances in technology like wireless-connected aircraft and self-driving cars,” said Blumenthal in a release following the reintroduction. “As technology rapidly advances, we must ensure that auto and airline industries protect their systems from cybersecurity attacks. Security and safety cannot be sacrificed as we achieve convenience and promise of wireless progress.”
Markey and Blumenthal cited a need to reintroduce the legislation because of an increased vulnerability in our transportation systems. After Uber unveiled plans to use driverless cars in Pittsburgh in September, the National Highway Traffic Safety Administration unveiled a federal framework for the technology to prosper, giving states a significant degree of sovereignty. However, some believe the NHTSA’s mandate didn’t go far enough in solving technological vulnerabilities in vehicles. Conversely, tech researchers and developers fear any federal regulatory framework will not ensure safety because cyber technology often outpaces the law, making hacks more accessible.
In a bipartisan effort, the House introduced a new piece of legislation to help safeguard drivers. Representatives Ted Lieu (D-CA) and Joe Wilson (R-SC) have cosponsored the Security and Privacy in Your Car Study Act of 2017. Unlike the Senate bill, the House bill would only call for a study of best practices.
While federal lawmakers debate the best path forward, some states have taken their own steps to improve cybersecurity in vehicles. In Michigan, home of the American auto industry, state lawmakers have decided to use deterrence as a weapon against car hacking. In August, the state Senate unanimously passed a law that would increase the penalty to life in prison if interference with a vehicle’s computer system resulted in death. According to state law, there’s a 10-year sentence and $50,000 fine for anyone whose tampering with the computer system of a driverless vehicle results in injury.
Virginia Governor Terry McAuliffe announced a public-private commission in May 2015 to help protect state troopers against cyberattacks. Just prior to the announcement, the Old Dominion became the first state to create its own information and analysis sharing organization to help protect against cyberattacks. As part of its public safety initiative, researchers hacked into two Virginia State Trooper vehicles: a 2012 Chevrolet Impala and a 2013 Ford Taurus. Researchers from the University of Virginia and a few private tech companies hacked into the vehicles’ control systems before meddling with the gear shift, instrument panel, car locks and trunk, and accessing the vehicles’ Bluetooth and key fob. While the organized hack was an attempt to raise awareness about the seriousness of car hacking, Governor McAuliffe continued a call for voluntary partnership between private and public entities in an effort to prevent car hacks.
While Michigan and Virginia pursue preventative action against car hacking, many state legislative bodies have tabled the issue. Every state has some sort of law on computer hacking, but none (besides Michigan) have laws that specifically deal with hacking vehicles. Meanwhile, New York University, University of Nevada, North Dakota State University, and others have taken steps in research and development to create cybersecurity systems for self-driving cars. Furthermore, the Oak Ridge National Laboratory in Tennessee has begun experimenting with electronic control systems to help protect the federal government’s automotive fleet.
“Car hacking remains a significant issue for automakers and regulators, but it hasn’t spurned the federal government into action, just yet,” says Brett Goldman, DMGS Manager of Special Projects. He adds that “it’s safe to say that at some point in the future, car hacking will receive greater public scrutiny, but whether that comes as an issue of legislative and regulatory foresight or as a reactionary measure to the unthinkable remains to be seen.”