Senators want answers on auto cyberhacking

David Shepardson
Detroit News Washington Bureau

Washington — Two senators are pressing automakers to answer questions about cybersecurity issues in the wake of the industry’s first ever recalls for hacking risks.

Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., sent expanded questions to 18 automakers asking for an update to the information on each “company’s protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of electronic systems into and within automobiles.”

They also want automakers to disclose “any changes to their vehicle fleet or characteristics, policies, practices and experiences that may have occurred since the company first responded to Senator Markey’s original letter” in 2013.

The Alliance of Automobile Manufactuers — the trade group representing Detroit's Big Three automakers, Toyota Motor Corp., Volkswagen AG and others --said the industry is responding.

"Advanced computing and connectivity are critical components of vehicle safety systems, and they are also critical to innovative technologies that provide societal benefits such as reduced traffic congestion and decreased environmental footprints. The auto industry is working to keep pace with the dynamic nature of cyber threats by incorporating security by design, developing internal expertise, and cultivating procedural and operational partnerships with organizations specializing in cyber defense,"Alliance spokesman wade Newton said. "By year's end the industry expects to establish an Auto industry Information Sharing and Analysis Center (ISAC) facilitating the exchange of important threat information -- and countermeasures -- in real time."

The group said "auto manufacturers have instituted industry-leading Privacy Principles to protect" drivers.

In July, the senators urged the National Highway Traffic Safety Administration to take "immediate action" to investigate the potential widespread risk of vehicle hacking, as they introduced legislation that would force the safety agency to set new rules to guard against the threat.

“As vehicles become increasingly connected to the Internet and to one another through advanced features and services, we continue to see how these technologies present vulnerabilities that can compromise the safety and privacy of drivers and passengers,” wrote Markey and Blumenthal. “We have specifically learned how third parties can access the electronic controls and data of vehicles from many different entry points, including wireless connections, and we appreciate that many automotive companies have begun to take concrete steps to close these security gaps.”

Markey and Blumenthal sent letters to Aston Martin, BMW North America, Fiat Chrysler, Ford Motor Co, General Motors Co, American Honda Motor Co., Hyundai Motors North America, Jaguar Land Rover North America, Lamborghini, Mazda North America, Mercedes Benz USA, Mitsubishi, Nissan North America, Porsche, Subaru Motors America, Tesla, Toyota North America, Volkswagen Group of America (with Audi), and Volvo.

In September, Fiat Chrysler Automobiles NV said it would recall 7,810 U.S.-market SUVs equipped with certain radios to address hacking concerns. The automaker in July called back 1.4 million vehicles for similar but different concerns about hacking.

The new recall covers some 2015 Jeep Renegades equipped with 6.5-inch touchscreens. Customers will receive a USB device that they may use to upgrade vehicle software. The upgrade provides additional security features.

"The campaign — which involves radios that differ from those implicated in another, similar recall — is designed to protect connected vehicles from remote manipulation. If unauthorized, such interference constitutes a criminal act," the company said.

The software manipulation addressed by the latest recall required unique and extensive technical knowledge, prolonged physical access to a vehicle and extended periods of time to write code, the automaker said.

FCA US said it already has applied measures to prevent the type of vehicle manipulation demonstrated in a Wired magazine report in July, which found hackers could remotely take control of some functions of 2014 Jeep Cherokee, including steering, transmission and brakes. Those measures — which required no customer or dealer actions — block remote access to certain vehicle systems. A software update also was required for affected Jeeps, Chryslers, Dodges and Rams.

The company said it is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents outside of the Wired demonstration.

After the first recall in July, Transportation Secretary Anthony Foxx said automakers and government must work closely together on cyberhacking issues.

Two major auto trade associations — the Alliance of Automobile Manufacturers and Association of Global Automakers — say they will develop a voluntary group called the Information Sharing and Analysis Center. It will serve as a hub for sharing cyber-threat information and potential vulnerabilities. The groups said they expect it to begin operations by the end of 2015.

NHTSA chief Mark Rosekind has urged the automakers to move faster.