A few years ago, the notion of hacking a car or truck over the Internet to control steering and brakes seemed like a bad plot point from CSI: Cyber. Today, the security research community has proven it to be a real possibility, and it’s one that at least two U.S. senators won’t wait to see play out with real victims.
On Tuesday morning, Sens. Ed Markey and Richard Blumenthal plan to introduce new legislation that’s designed to require cars sold in the U.S. to meet certain standards for protection against digital attacks and for privacy. The legislation, as described to Wired by a Markey staffer, would call on the National Highway Safety and Transportation Administration and the Federal Trade Commission to together create new standards that automakers would be required to meet, covering both their vehicles’ defenses against hackers and how the companies safeguard any personal information, such as location records, collected from the vehicles they sell.
Until now, car hacking has remained a largely theoretical threat, despite some instances when thieves have disabled cars’ door locks with wireless attacks or when a disgruntled dealership employee used a tool designed to enforce timely car payments to remotely brick more than one hundred vehicles.
But the security industry has demonstrated that vehicles’ increasing connections to the internet create new avenues for attack. Earlier Tuesday morning, in fact, Wired revealed that two security researchers have developed and plan to partially release a new attack against hundreds of thousands of Chrysler vehicles that could allow hackers to gain access to their internal networks. As part of the same demo, those researchers, Charlie Miller and Chris Valasek, also demonstrated to Wired that they could use the attack to wirelessly control the steering, brakes, and transmission of a 2014 Jeep Cherokee over the Internet. (A Markey spokesperson insists that the bill’s release wasn’t timed to Wired’s story.)
“Drivers shouldn’t have to choose between being connected and being protected,” Markey wrote in a statement shared with Wired. “Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers.”
Markey and Blumenthal’s bill will have three major points, according to a spokesperson’s description. First, it will require the NHTSA and the FTC to set security standards for cars, including isolating critical software systems from the rest of a vehicle’s internal network, penetration testing by security analysts, and the addition of on-board systems to detect and respond to malicious commands on the car’s network. Second, it will ask those same agencies to set privacy standards, requiring carmakers to inform people of how they collect data from vehicles they sell, letting drivers opt out of that data collection and restricting how the information can be used for marketing. And finally, it will require manufacturers to display window stickers on new cars that rank their security and privacy protections.
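Of the three measures in the bill’s first point, the last one, an on-board system that watches the vehicle network for commands that shouldn’t be there, is the easiest to sketch in code. What follows is an added example, not code from Wired, from the senators’ offices, or from Miller and Valasek’s research: a toy monitor that applies an allowlist of CAN arbitration IDs and a per-ID rate limit to frames read from simplified candump-like `timestamp id#hexdata` lines. The ID map, the rate limits, and the log lines are all constructed for the illustration; real vehicles use proprietary ID assignments, and a production monitor would also check payload plausibility and sit on the segmented network the bill’s first measure calls for.

```python
"""Toy on-board CAN monitor: ID allowlist plus rate check over constructed frames.

Added illustration only; the frame format, policy table and sample log are
assumptions chosen for this example, not data from any real vehicle.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    timestamp: float  # seconds since capture start
    arb_id: int       # 11-bit arbitration ID
    data: bytes       # 0-8 payload bytes


# Assumed policy for a hypothetical segment carrying critical traffic:
# arbitration ID -> maximum expected frames per second. Placeholder values.
ALLOWED_IDS = {0x100: 100.0, 0x200: 50.0, 0x3A0: 10.0}


def parse_log_line(line: str) -> CanFrame:
    """Parse a simplified 'ts id#hexdata' line, e.g. '0.500 4B2#0201'."""
    ts, rest = line.split()
    id_hex, payload_hex = rest.split("#")
    return CanFrame(float(ts), int(id_hex, 16), bytes.fromhex(payload_hex))


class CanMonitor:
    """Flags frames whose ID is not allowlisted or whose ID exceeds its rate."""

    def __init__(self, policy=ALLOWED_IDS, window=1.0):
        self.policy = policy
        self.window = window                  # sliding window in seconds
        self.history = defaultdict(deque)     # arb_id -> recent timestamps

    def check(self, frame: CanFrame) -> list:
        """Return alert strings for this frame; an empty list means it looks normal."""
        limit = self.policy.get(frame.arb_id)
        if limit is None:
            return [f"unknown ID 0x{frame.arb_id:03X} at t={frame.timestamp:.3f}"]
        recent = self.history[frame.arb_id]
        recent.append(frame.timestamp)
        # Drop timestamps that have fallen out of the sliding window.
        while recent and frame.timestamp - recent[0] > self.window:
            recent.popleft()
        if len(recent) > limit * self.window:
            return [f"rate anomaly on 0x{frame.arb_id:03X}: "
                    f"{len(recent)} frames in {self.window:g}s (limit {limit:g}/s)"]
        return []


def scan(lines, policy=ALLOWED_IDS) -> list:
    """Run the monitor over log lines and collect every alert in order."""
    monitor = CanMonitor(policy)
    alerts = []
    for line in lines:
        alerts.extend(monitor.check(parse_log_line(line)))
    return alerts


# Constructed sample capture: steady allowlisted traffic, one frame with an
# unknown ID, and one ID sent three times faster than its policy allows.
SAMPLE_LOG = (
    [f"{i / 100:.3f} 100#00{i:02X}" for i in range(100)]   # 100/s, within limit
    + [f"{i / 50:.3f} 200#10" for i in range(50)]          # 50/s, within limit
    + ["0.500 4B2#0201"]                                   # not in the allowlist
    + [f"{0.2 + i / 30:.3f} 3A0#FF" for i in range(30)]    # 30/s against a 10/s limit
)

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The allowlist catches IDs that have no business on the segment at all, while the rate check catches the more subtle case of a legitimate ID being flooded so that injected frames outvote the genuine sender. Both checks are deliberately stateless beyond a one-second window so they could run on a constrained gateway ECU; what a real system does in response (log, drop the frame, fall back to a safe mode) is a design decision the page leaves to the standards the bill would create.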
Automakers have gotten hints for months that legislation was in the works. In February, Markey’s office released the results of a series of questions it had sent to 20 carmakers, quizzing them on their handling of digital security and privacy. The 16 companies that responded gave answers that weren’t reassuring. Nearly all of them said their vehicles now include wireless connections like cellular service, Bluetooth and Wi-Fi, the means by which remote hacking can occur. Only seven said they used independent security testing to check their vehicles’ defenses. Only two said they had tools in place to stop a hacker intrusion. And an “overwhelming majority” collected location information about their customers’ vehicles, in many cases offering only ambiguous claims about encrypting the collected data.
In May, members of the House of Representatives’ Energy and Commerce Committee followed up with their own set of even more detailed questions for 17 automakers and the National Highway Safety and Transportation Administration. “While threats to vehicle technology currently appear isolated and disparate, as the technology becomes more prevalent, so too will the risks associated with it,” read the letter.
Car hacking has emerged as an increasingly crowded field of study for digital security researchers. In 2011, academic researchers from the University of Washington and the University of California, San Diego, published a study in which they remotely hijacked an unnamed sedan via its wireless connections to disable its door locks and brakes. In 2013, Miller and Valasek, the same researchers who hacked the Jeep, pulled off a series of similar attacks against a Toyota Prius and a Ford Escape (also with me behind the wheel), though at the time their laptops were wired into the vehicles’ dashboards via their OBD2 ports. At the Black Hat hacker conference in August, Miller and Valasek plan to reveal the full details of their latest car attack, the over-the-internet compromise of a Jeep Cherokee.
Despite that growing drumbeat of warnings about digital attacks on cars, however, not everyone in the security community is so enthusiastic about legislation. Josh Corman, one of the co-founders of the security industry group I Am the Cavalry, which is focused on protecting things like medical devices and automobiles, was wary of such a bill when he spoke with Wired about the prospect earlier this month.
Corman worried that the ensuing law could be comparable to payment card industry rules that are widely seen as outmoded and ineffective. Instead, he said he hoped the auto industry could be nudged into innovating security features on its own in the same sort of competition that currently exists for traditional safety features.
“Laws are ill-suited for a dynamic space like this,” Corman said at the time. “If this can catalyze [the industry] standing up straighter and getting a plan in place, that’s great. If it makes them less responsive in the face of new adversaries, that could be very bad.”
Whether through legislation or industry competition, however, the pressure on carmakers to protect vehicles from hackers is growing. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” says Miller. “Cars should be secure.”