Connected car security regulation could be coming
A pair of senators want to make sure when you enter a connected car, you know how well your security and privacy are protected.
Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced legislation Tuesday that would put the National Highway Traffic Safety Administration and the Federal Trade Commission in charge of establishing federal standards for securing cars that connect digitally to external networks and other devices. Called the Security and Privacy in Your Car — or “SPY Car” — Act, the legislation also proposes a rating system, which it calls a cyber dashboard, to inform drivers how well their vehicle protects their security and privacy.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a release. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”
The body of the bill fleshes out Markey and Blumenthal’s vision for a future in which cars are in constant communication with the world around them. Under the bill, cars would need hacking protections and data security measures for any information they collect, and would need systems to help identify threats.
“Any motor vehicle that presents
an entry point shall be equipped with capabilities to
immediately detect, report, and stop attempts to intercept driving data or control the vehicle,” the SPY Car Act says.
Cars for sale on dealers’ lots would need to carry the cyber dashboard information on the window sticker, which also lists an automobile’s suggested retail price, standard features and fuel economy. The dashboard would “inform consumers,
through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle
owners, lessees, drivers, and passengers beyond the
minimum requirements” proposed by the legislation.
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” Blumenthal said. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes.”
Consumers might be wary of the possibility of their cars being hacked anytime soon, but just this week, a feature from Wired showed it’s already possible. The story’s author, driving a Jeep Cherokee, was hacked by two cyber experts who, in a demonstration, accessed the vehicle’s Uconnect infotainment system and rewrote its firmware to plant malicious code.
Markey addressed the security gap in modern vehicles earlier this year when he released a report and penned a letter to 20 automobile manufacturers who he said weren’t doing enough to ensure driver safety, security and privacy. Markey’s team found that nearly all cars on the market feature some kind of wireless system that could pose vulnerabilities to a cyber threat.
As of February, Markey’ report found, only two manufacturers “were able to describe any capabilities to
diagnose or meaningfully respond to an
infiltration in real-time” like the new legislation would require.