Democratic Senators Ed Markey and Richard Blumenthal on Tuesday introduced new legislation that would require automakers to adhere to certain standards for privacy and for protection against hacking.
The new bill, entitled the SPY Car Act, would call on the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA) to collaborate in developing the new standards for cars sold in the U.S. “All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks,” read the bill.
In addition to the cybersecurity measures, the legislation proposed privacy standards, requiring drivers to be notified of “the collection, transmission, retention, and use of driving data” collected from the vehicle.
“Drivers shouldn’t have to choose between being connected and being protected,” Massachusetts Senator Markey said in a statement.
“Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers,” he said.
Ken Westin, Senior Security Analyst at Tripwire, explains that a number of security researchers have identified vulnerabilities in vehicles over the past several years. “Although oftentimes the hacks required physical access to or tampering with the vehicle’s firmware and installing additional gizmos manually, they have identified a number of real risks,” he said.
“The bills that Ed Markey and Richard Blumenthal are proposing are a drop in the bucket, which will provide some standards for car manufacturers, but what also needs to happen is for car manufacturers to continually invest in security and identify risk, particularly when introducing new features, as well as provide open channels of communication with security researchers to report vulnerabilities they identify.”
Westin adds that car manufacturers also have a challenge with how they update vehicle firmware when a security hole needs to be patched. “Opening the vehicle up to a remote download would increase the risks, so it will be more likely that updates will need to be done at the dealership,” said Westin. This could then raise another potential risk of improperly trained technicians and potentially malicious mechanics, Westin concludes.