U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) yesterday (July 21) introduced a bill that would create an enforceable federal standard for the cybersecurity of automobiles -- an issue made more urgent by yesterday's release of a video showing two hackers remotely disabling the transmission of a Jeep Cherokee on a St. Louis freeway.
Sens. Markey and Blumenthal's Security and Privacy in Your Car (SPY Car) Act would also strengthen privacy rules governing the dissemination of driver data collected by automotive diagnostic systems, and create a rating system to educate consumers on how well vehicles provide cybersecurity and digital-privacy protections.
"Drivers shouldn't have to choose between being connected and being protected," Sen. Markey said in a press statement.
SPY Car would mandate security ("All entry points to the electronic systems of each motor vehicle ... shall be equipped with reasonable measures to protect against hacking attacks"), privacy ("All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access") and defensive measures ("Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle").
Manufacturers would be penalized $5,000 for each violation of SPY Car's provisions, although it is unclear whether that would be per vehicle manufactured or per model. We have reached out to Sen. Markey's office for clarification and will update this piece with any answer.
Security risks related to "connected" cars have been on Sen. Markey's mind for some time. In 2013, he prodded executives of automobile companies for information about security protections on their products, basing his concerns on the results of a study funded by the Defense Advanced Research Projects Agency (DARPA). He noted that "today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN) or other network."
That DARPA study was conducted by Charlie Miller and Chris Valasek, the same pair of hackers who recently took over the Cherokee. Back in 2013, they had to plug a laptop into a car's dashboard to seize control; automakers subsequently insisted that no threat was posed to vehicles by wireless connections such as Bluetooth, cellular data or Wi-Fi.
Yesterday's video, in which Miller and Valasek used a laptop connected to the Sprint network to take control of an unmodified vehicle 10 miles away, should settle that question.