The last place you want to be hacked is in a car that’s going 70 miles per hour down a major highway.
That nightmare scenario happened in a demonstration earlier this month that showcased critical vulnerabilities leaving Chrysler vehicles open to clever attackers. It’s also an increasingly likely reality as hackers and researchers continue to turn their crosshairs toward new cars that are more connected to the Internet than ever before.
In response to years of criticism directed at the poor cybersecurity of automobiles, Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced new legislation on Tuesday called the Security and Privacy in Your Car (SPY Car) Act, which directs the National Highway Traffic Safety Administration and the Federal Trade Commission to draft new digital-security standards to protect drivers from hackers who could take over drivers’ cars or invade their privacy.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”
The new legislation includes a requirement that all wireless access points on Internet-connected cars be evaluated using penetration testing, something that most companies don’t currently do. Car companies will also have to secure and encrypt all collected data, another security step usually skipped by the manufacturers. Additionally, active monitoring for security breaches will be required.
To protect driver privacy, Markey and Blumenthal’s new law will require automakers to be transparent about data collection and to provide easy opt-out options. The bill also prohibits car companies from using personal driving info for advertising.
Finally, the new bill calls for the establishment of a “cyber dashboard” that displays an evaluation of how well each car protects cybersecurity and privacy beyond minimum standards. The dashboard will be openly presented on the window of all new vehicles “in a transparent, consumer-friendly form.”
Markey released a report in February 2015 outlining how automobile manufacturers building Internet-connected vehicles have failed to protect against hackers.
Despite Washington’s struggles with cybersecurity, the visceral and potentially fatal threat of car hacking may be enough to catalyze Congress.
I've always said Congress/public won't care about sloppy security until people start dying b/c of it. getting there. http://t.co/4wRDVqFxTu
— briankrebs (@briankrebs) July 21, 2015
“Connected cars represent tremendous social and economic promise, but in the rush to roll out the next big thing automakers have left the doors unlocked to would-be cybercriminals,” Senator Blumenthal argued in February. “This common-sense legislation would ensure that drivers can trust the convenience of wireless technology, without having to fear incursions on their safety or privacy by hackers and criminals.”