Vehicle Hacking Risk Requires New NHTSA Regulations: Senators

Two Senators are urging federal transportation officials to take immediate steps to protect consumers from vehicle cyberhackers, passing new legislation designed to protect against vulnerable vehicle electronic systems. 

Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) and members of Commerce, Science and Transportation committee are calling on the National Highway Traffic Safety Administration (NHTSA) to establish federal regulations to protect vehicle data systems and consumer’s privacy.

The push for increased vehicle cyber security follows the first auto recall caused by a risk that the vehicles may be vulnerable to hacking.

The new legislation, known as the Security and Privacy in Your Car (SPY Car) Act, would establish consumer protections and a rating system, also known as the “cyber dashboard,” to inform consumers about how well protected the driver’s information is and help maintain security protections.

In a statement issued July 21, the Senators referenced a report published last year, “Tracking & hacking: Security & Privacy Gaps Put American Drivers at Risk,” which revealed wide gaps in how vehicle manufactures are failing to secure internet and connected features in cars against hackers.

Vehicle Cyber Security Recall

The SPY Act was announced in the wake of a Fiat Chrysler recall that impacts more than 1.4 million Jeep Cherokees that may be vulnerable to cyber attacks.

Two hackers revealed they were able to take control of a Jeep Cherokee SUV, accessing the vehicle through an electronic opening in the radio. This is the first vehicle recall related to cyber security.

Fiat Chrysler learned of the problem from a third party in January 2014, and began working on a fix, but did not alert owners, federal regulators, or issue a recall for another 18 months.

The NHTSA opened an investigation into the recall to determine if the vehicles face other security risks as well.

A feature in Wired magazine offered a real-world test by hacking into a Jeep Cherokee, taking over steering, transmission, brakes and controlling the air conditioner, locks and radio.

Fiat Chrysler said there were two known problems concerning the vehicles; the radio accessibility by accepting commands from external sources, and the communications port was unintentionally left open in the cellular communications network. The company said it sealed off the loophole to prevent similar attacks.

This is not the first time Chrysler has faced regulatory scrutiny concerning failure to address recall problems on vehicles. Jeep Grand Cherokee and Jeep Liberty vehicles were affected by a rear fuel tank recall which caused fires when rear-ended. The recall was linked to 51 deaths.

Earlier this week, the NHTSA fined Chrysler $105 million for failure to perform timely recalls and failure to notify regulators and consumers about defective vehicles. This is the largest fine ever levied against an auto manufacturer.

SPY Act

Consumer vehicles are increasingly becoming more connected to the internet and technology features are added for consumer enjoyment. Yet, only two of 16 car companies have developed any capability to detect cyber attacks in real time, with the ability to respond.

Under the SPY Act, the cyber dashboard would be established to determine how well the car is protected. The information collected would be secured and stored onboard to prevent transmission, and owners of vehicles would be made aware of data collection and able to opt out without losing access to important technical features.

Hacking protection will also be put into place, and personal information would be prohibited from being used for advertising and marketing uses.

“Drivers shouldn’t have to choose between being connected and being protected,” said Markey. “This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”

The Senators said the SPY Act would help protect personal information as new vehicle safety and monitoring technology is introduced. The need for well-tested software and technology for detecting and preventing attacks needs to be implemented quickly.

“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars.”