Our Editorial: Keep remote vehicle hackers at bay

The Detroit News

Imagine cars being remotely controlled by malicious hackers, starting and stopping engines against the will of drivers, wreaking havoc on the highways. It’s somewhat of a doomsday scenario, but all too possible, as the recent real-world hacking test of a 2014 Jeep Cherokee proved.

Fiat Chrysler Automotive announced Friday it is recalling more than one million Jeep Cherokees in the wake of this recent successful real-world hacking attempt. It’s the right move for the company, and sets a good example for the rest of the automotive industry to follow.

Most vehicles today — from entertainment options to navigation tools and drive-train — are built on computer and Internet systems that collect and share personal data. These wireless capabilities make them increasingly vulnerable to remote hacking, as well as privacy intrusions, that threaten the safety of drivers, passengers, and even bystanders.

It’s a significant challenge for the auto industry, but one it has known was coming. Detroit automakers need to lead in vehicle and consumer safety by equipping vehicles with the best possible cybersecurity protection, and manufacturers should have the chance to first address these evolving threats before new regulations are created.

The recent successful hacking test involved a system called UConnect, which one of the hackers estimates is in about 471,000 vehicles worldwide, though FCA US wouldn’t confirm the number. But the majority of vehicles being sold today can be hacked into.

Recently, Jaguar Land Rover announced a recall for 65,000 Range Rovers for a glitch that causes keyless vehicles to spontaneously unlock. And in January, BMW AG announced it fixed a flaw that would have allowed up to 2.2 million vehicles have their doors remotely opened by hackers.

Automotive manufacturers should pursue state-of-the-art protections against these threats, and some of them are. Protections could could include new designs to reduce attack points, third-party testing, internal monitoring systems, segmenting architecture to minimize damage if successfully hacked, and Internet-enabled security software updates, like those smartphones use. That’s according to a group called I am the Cavalry that focuses on public safety in emerging areas of technology.

Ford Motor Co. has already taken the lead on at least one of those recommendations by switching to over-the-air updates powered by Wi-Fi to keep car systems current.

Cadillac recently hired a chief product cybersecurity officer, and some automakers have voluntarily submitted privacy guidelines to the FTC.

Sens. Richard Blumenthal, D-Conn., and Edward Markey, D-Mass., have introduced legislation that requires federal standards to prevent hacking and establishes a rating system to inform consumers about how well the vehicle protects drivers’ security and privacy.

But it’s premature to pass federal regulations when the scope of the problem is still evolving. Auto manufacturers deserve a chance to fix these problems on their own, and they have considerable motivation to do so.

Lawmakers must also realize the limitations of NHTSA in enforcing laws that will quickly be out of date compared to rapidly changing technology and hacking techniquess.

Rather than impose regulations on the auto industry prematurely, the federal government should first help manufacturers identify and respond to the latest threats and work to solve the growing problem.