Two U.S. senators are proposing the SPY Car Act of 2015 to create privacy standards for the computer systems that control today’s generation of electronics-heavy vehicles, just as a Wired.com contributor reports that hackers who set him up in a new vehicle were able to take over its controls while he was driving at 70 mph.
“As the two hackers remotely toyed with the air-conditioning, radio and windshield wipers, I mentally congratulated myself on my courage under pressure,” wrote Andy Greenberg at Wired in an article headlined “Hackers remotely kill a Jeep on the highway.”
Suddenly, his vehicle slowed to a crawl, an 18-wheeler was approaching from behind and “the experiment had ceased to be fun,” he wrote.
The solution may be coming in the form of the SPY Car Act of 2015, introduced by Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., to “establish cybersecurity and privacy requirements for new passenger vehicles. And inform consumers about the risks of remote hacking.”
Privacy advocates have warned since 2011 against in-car tracking and other computer devices. Marc Rotenberg of the Electronic Privacy Information Center wrote back then that data from embedded “black boxes” in vehicles could provide unwanted information to state agencies.
Later, the systems were upgraded, connecting vehicles to the Internet.
Greenberg explained that it is the industry’s Uconnect that is prompting questions.
It’s an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs and trucks that controls the vehicle’s entertainment and navigation, enables phone calls and provides a Wi-Fi hot spot.
Greenberg noted the cell connection also “lets anyone who knows the car’s IP address gain access from anywhere in the country.”
The hackers with whom he was working, he said, have “only tested their full set of physical hacks, including targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit.”
The SPY Car Act, or the Security and Privacy in Your Car Act of 2015, would require new cars to meet cybersecurity standards.
“All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks,” it states.
It also states that any motor vehicle “that presents an entry point shall be equipped with capabilities to immediately detect, report and stop attempts to intercept driving data or control the vehicle.”
The requirements would include a “cyber dashboard” that would inform consumers “about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers and passengers beyond the minimum requirements set forth” in the law.
It also provides for the privacy of information collected by any monitor on the vehicle installed by the manufacturer.
EPIC reports the legislative proposal followed a report from Markey that evaluated how auto companies are handling the security of the electronics systems in their vehicles.
The organization has written extensively about the “Internet of Things,” explaining how various technologies communicate with each other through systems such as IPv6, RFID, Wi-Fi and GPS in appliances, smartphones, wearable computers and other devices.
“The ubiquity of connected devices would enable [the] collection of data about sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals,” EPIC said.
With “340 trillion trillion trillion” Internet Protocol addresses available, there’s no problem with assigning each vehicle one, the article explained.
In his experiment, Greenberg said hackers Charlie Miller and Chris Valasek were able to break into software in the entertainment system and control the “dashboard functions, steering, brakes and transmission, all from a laptop that may be across the country.”
He reported the hackers plan to reveal at a coming conference the details of their work, including how they are able to “cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”
Then they plan to publish the code that will “enable many of the dashboard hijinks they demonstrated on me,” he wrote.
They’ve also been working with Chrysler, which has now released a program “to continuously test vehicle systems to identify vulnerabilities and develop solutions,” the company reported.
The company also said, Greenberg reported, “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
Miller said consumers should start complaining to carmakers.
“This might be the kind of software bug most likely to kill someone,” he said.
They estimate nearly half a million vehicles today are vulnerable.