Not coincidentally, on July 21, 2015, Wired Magazine published an article with groundbreaking evidence of hacking a car wirelessly, and Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy. The cleverly named Security and Privacy in Your Car (SPY Car) Act, which can be found here, also establishes a cyber-dashboard that provides ratings and informs consumers about how well the vehicle protects drivers’ privacy and security beyond the minimum standards in the legislation.
Impact to Businesses
These developments demonstrate the continually increasing privacy and security risks that confront all businesses in today’s interconnected world. These lessons from the connected car industry should be taken to heart by all companies given the recent and future explosion of information and connectivity available through the Internet – from will the Internet of Things (connected health and fitness devices, thermostats, refrigerators and televisions) to companies using cloud-based service providers to store and maintain sensitive and confidential business information and personal information about consumers and employees.
The Hijacked Jeep
Wired reporter Andy Greenberg, who has reported previously on successful car hacking efforts, was behind the wheel of a Jeep Cherokee driving 70 mph on Interstate 64 outside of St. Louis when out of nowhere the AC started blasting cold air at the maximum setting, the radio switch to the local hip-hop station and was turned up to full volume, the windshield wipers turned on, and wiper fluid blurred the glass. Mr. Greenberg was unable to turn down the music or override the other remotely controlled events. A picture of the two hackers – Charlie Miller and Chris Valasek – then appeared on the card’s digital display.
While the hack was not a surprise to Mr. Greenberg, he was unaware what tricks the hackers would pull and the “grand finale” was yet to come – the accelerator stopped working. Mr. Greenberg press the accelerator and although the RPMs climbed the Jeep continued to lose speed as it slowed to a crawl. Being on an overpass with no shoulder, Mr. Greenberg started to worry when he saw an 18-wheeler bearing down on him from behind. The other capabilities available to the hackers include the ability to kill the engine completely at lower speeds; disable and engage the brakes; and surveillance, by tracking the car’s GPS coordinates, measuring its speed and dropping pins on a map to trace its route.
While all ended well, even this staged event shows the significant safety risks when cars can be hacked. The hackers estimate there are approximately 471,000 hackable automobiles. Two years earlier the same hackers hacked two other cars which Mr. Greenberg was driving, but had their computer hard wired into the vehicle’s onboard diagnostic port. This time the attack was wirelessly over the Internet. Chrysler issued a security patch on July 16, 2015 to remedy the vulnerability.
The SPY Car Act
Last year, Senator Markey released the report Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which detailed major deficiencies in how car manufacturers are incorporating security into connected cars. The report noted that only two of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time and, and most consumers do not know that their information is being collected and shared with third parties.
“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”
The two Jeep hackers – Chris Valasek and Charlie Miller – commented on the legislation “We feel that as cars become more connected, software security becomes more important. In addition to robust, well-tested software, technology for monitoring, logging, detecting, and possibly stopping attacks should also be implemented.”
The SPY Car Act includes the privacy and security provisions, as well as the establishment of a rating system, or “cyber dashboard.”
The legislation would require the FTC, in consultation with NHTSA, to develop privacy standards on the data collected by cars:
- Transparency. Owners are made explicitly aware of collection, transmission, retention, and use of driving data.
- Consumer choice. Owners are able to opt out of data collection and retention without losing access to key navigation or other features (when technically feasible), except for in the case of electronic data recorders or other safety or regulatory systems.
- Marketing prohibition. Personal driving information may not be used for advertising or marketing purposes without the owner clearly opting in.
Similarly, the NHTSA, in consultation with the FTC, would develop standards to prevent hacking into vehicle controls systems:
- Hacking protection. All access points in the car must be equipped with reasonable measures to protect against hacking attacks, including isolation of critical software systems and evaluation using best security practices, such as penetration testing.
- Data security. All collected information must be secured to prevent unwanted access—while stored on-board, in transit, and stored off-board.
- Hacking mitigation. The vehicle must be equipped with technology that can detect, report and stop hacking attempts in real-time.
Finally, the NHTSA, in consultation with FTC, would establish a “cyber dashboard” that displays an evaluation of how well each automobile protects both the security and privacy of vehicle owners beyond those minimum standards. This information would be presented in a transparent, consumer-friendly form on the window sticker of all new vehicles.
The SPY Car Act legislation adopts several of the privacy and security principles published by the auto manufacturing industry in its self-regulatory principles from November, 2014 – Consumer Privacy Protection Principles – Privacy Principles for Vehicle Technologies and Services.
The exponential growth of connected devices, as well as sensitive business and personal information being moved to the “cloud” requires all businesses – not just car manufacturers – to remain fully informed and diligent with respect to the evolving privacy and security risks. The Jeep hacking and introduction of the SPY Car Act are examples of how the research community, privacy advocates, the media and politicians will continue to assume a watchdog role, requiring companies to constantly assess and reassess privacy and security risks associated with their products, services and critical information assets.