Senators introduce auto cyberhacking bill

David Shepardson
Detroit News Washington Bureau

Washington — Two Democratic senators on Tuesday introduced legislation requiring federal standards to prevent hacking of the nation’s 250 million cars and trucks.

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., unveiled legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure cars and protect drivers’ privacy.

The Security and Privacy in Your Car, or SPY Act, “also establishes a rating system — or ‘cyber dashboard’ — that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards,” the authors said.

“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data trackers,” said Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes. Security and safety need not be sacrificed for the convenience and promise of wireless progress.”

Markey said drivers need protection. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”

In February, Markey released a report that said millions of cars and trucks are vulnerable to hacking through wireless technologies that could jeopardize driver safety and privacy.

As vehicles grow increasingly connected through wireless networks and become more dependent on sophisticated electronic systems, Congress and federal regulators are worried about the potential for hackers to interfere with vehicle functions. Vehicles are vulnerable to hacking through wireless networks, smartphones, infotainment systems like OnStar — even a malicious CD popped into a car stereo.

Earlier this year, CBS News’ “60 Minutes” aired a segment showing how vehicles can be subjects of remote hacking. In January, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have their doors remotely opened by hackers.

Markey cited studies showing hackers can get into the controls of some popular vehicles, “causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings. Additional concerns came from the rise of navigation and other features that record and send location or driving history information.”

Markey said some security measures used by automakers — ID numbers and radio frequencies — can be identified and rewritten or bypassed.

The “60 Minutes” segment showed a researcher with a laptop hacking into a new car — turning on windshield wipers, sounding the horn, deactivating brakes — as correspondent Lesley Stahl was unable to stop in a parking lot.

Automakers and the “60 Minutes” report note that there is no known real-world case of a car being hacked remotely. But the program notes that “security cameras have shown cars burglarized by hackers unlocking doors. You can find software to do that online for $25,” the show said.

The issue could be even more important as future vehicles communicate with one another through “vehicle to vehicle” technology to prevent crashes, but could also be at risk of hacking.

Wade Newton, a spokesman for the Alliance of Automobile Manufacturers, said automakers have concerns about the bill.

“Our fundamental concern is that the traditional regulatory approach will not be effective to counter the constantly evolving threat posed by malicious hackers,” he said. “The regulatory process is cumbersome and could effectively lock in standards or countermeasures that may quickly be circumvented by a creative hacker. The tools, techniques, procedures, actors, vulnerabilities and the technologies evolve so rapidly that traditional methodologies are often inapplicable to deploy systematically to cybersecurity issues. Such a scenario would produce inadequate and counterproductive results.”

He said that voluntary guidelines on privacy announced last week “address all of the key issues highlighted in the SPY Act and because they were voluntarily submitted by automakers to the FTC are already enforceable.”

NHTSA spokesman Gordon Trowbridge said earlier this year the agency is “engaged in an intensive effort to determine potential security vulnerabilities related to new technologies and will work to ensure that manufacturers cooperate and address issues in order to keep motorists safe.”

A 2013 federal law requires NHTSA to report to Congress on this issue. NHTSA ended its public comment period on its research efforts in December as it works to complete its report.

Markey cited a 2013 study funded by the Defense Advanced Research Projects Agency. It found researchers could tap into vehicles’ systems through a laptop connected by a cable. In initial tests on two 2010 vehicles from different automakers, they were able to do everything from causing the cars to accelerate and turn, to disabling brakes and blowing the horn.

Consumer advocates praised the bill.

“As America’s vehicles become more and more connected to the internet, and wireless vehicle to vehicle technology adds important safety to tomorrow’s cars, vital security and privacy concerns need to be addressed as well,” said Jack Gillis, Consumer Federation of America. “Senator Markey and Blumenthal’s SPY Car Act will help prevent hacking attacks and ensure personal privacy as new vehicle safety and monitoring technology is introduced.”

The standards would require automakers to ensure that all access points in the car are equipped with reasonable measures to protect against hacking attacks, including isolation of critical software systems and evaluated using best security practices. It would also require that vehicle owners are made explicitly aware of collection, transmission, retention, and use of driving data.