Senators want law to protect vehicles from hacking

David Shepardson
Detroit News Washington Bureau

Two senators unveiled legislation Wednesday to force the National Highway Traffic Safety Administration and the Federal Trade Commission to set rules protecting driver security and privacy.

Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., proposed the bill after Markey released a report Sunday that raised concerns about vehicles being hacked.

Markey’s report said millions of cars and trucks are vulnerable to hacking through wireless technologies that could jeopardize driver safety and privacy.

As vehicles grow increasingly connected through wireless networks and become more dependent on sophisticated electronic systems, Congress and federal regulators are worried about the potential for hackers to interfere with vehicle functions. The report says vehicles are vulnerable to hacking through wireless networks, smartphones, infotainment systems like OnStar — even a malicious CD popped into a car stereo.

“We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century,” Markey said. “There are currently no rules of the road for how to protect driver and passenger data, and most customers don’t even know that their information is being collected and sent to third parties. These new requirements will include a set of minimum standards to protect driver security and privacy in every new vehicle. I look forward to working with my Senate colleagues to advance this important consumer protection legislation.”

Blumenthal said automakers need to do more.

“Connected cars represent tremendous social and economic promise, but in the rush to roll out the next big thing automakers have left the doors unlocked to would-be cybercriminals,” Blumenthal said. “This common-sense legislation would ensure that drivers can trust the convenience of wireless technology, without having to fear incursions on their safety or privacy by hackers and criminals.”

The bill would require that all wireless access points in the car are protected against hacking attacks, evaluated using penetration testing; all collected information is appropriately secured and encrypted to prevent unwanted access; and that automakers or third-party feature provider be able to detect, report and respond to real-time hacking events.

The legislation will also call for new cars to be evaluated by a rating system — a “cyber dashboard” — to inform consumers “about how well the vehicle protects drivers beyond those minimum standards. This information will be displayed on the label of all new vehicles — just as fuel economy is today.”

Its release comes after CBS News’ “60 Minutes” on Sunday aired a segment showing how vehicles can be subjects of remote hacking. Just last month, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have their doors remotely opened by hackers.

One automaker told Markey that some owners have attempted to reprogram the vehicle’s onboard computer to increase the horsepower of vehicles or torque through the use of “performance chips.”

In November, two major auto trade associations representing nearly all automakers unveiled a set of principles to protect driver privacy and security.

Wade Newton, a spokesman for the Alliance of Automobile Manufacturers — the trade group representing Detroit’s Big Three automakers, Toyota Motor Corp., Volkswagen AG and others — said he had not seen the report.

But he said automakers believe strong consumer data privacy protections and strong vehicle security are essential.

“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production — and security testing never stops.

“The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center — or other comparable program — for collecting and sharing information about existing or potential cyber-related threats.”

Automakers noted that the Society of Automotive Engineers has created a Vehicle Electrical System Security Committee to draft standards that help ensure electronic control system safety.

NHTSA spokesman Gordon Trowbridge said Sunday the agency is “engaged in an intensive effort to determine potential security vulnerabilities related to new technologies and will work to ensure that manufacturers cooperate and address issues in order to keep motorists safe.”