"Launching a recall is the right step to protect Fiat Chrysler’s customers and it sets an important precedent for how NHTSA and the industry will respond to cyber security vulnerabilities," said National Highway Safety and Transportation Administration (NHTSA) administrator Mark Rosekind.
Cyber security is garnering more attention as automakers slowly turn their vehicles into connected, rolling smartphones that provide Internet access and other features.
"In the next few years we'll see widespread deployment of vehicles that can communicate with one another," says Tom Lehner, vice president of public policy at the Motor & Equipment Manufacturers Association (MEMA). "Corresponding policy questions are going to arise out of that, from mundane things like what section of the spectrum do they communicate on, to issues around privacy and security."
In fact, two Senators have introduced legislation to require improved cyber security in connected vehicles via federal standards. Sen. Edward Markey (D-Mass.) and Sen. Richard Blumenthal (D-Conn.) drafted their legislation, in part, based on a report Markey released last year outlining the risks of Bluetooth and wireless Internet connectivity in vehicles.
The Security and Privacy in Your Car (SPY Car) Act calls for NHTSA and Federal Trade Commission to develop cyber security and privacy standards.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”
Lehner says that a legislative approach won't solve the problem. "The technology is changing faster than the law," Lehner says. "The evolution of technology happens quickly, and the route of legislation is not going to be the most effective way to combat these things moving forward. The best response is going to be industry led."
In the Wired article, hackers were able to remotely connect to a 2014 Jeep Cherokee via its Uconnect infotainment system while it was on the road. According to the story, the security experts involved in the test were able to disable the engine, locks, radio, air conditioning, and other functions. The hackers were able to send images to the digital display in the vehicle, turn on the windshield wipers, and ultimately disable the transmission while the Jeep was on the freeway.
The two security experts orchestrating the hack were working from a laptop ten miles away, but the code they have devices could be used from any distance. According to the Wired article, they were able to scan for and locate vulnerable vehicles using a cell phone link to the Sprint wireless network. Potentially, the hackers could take control of a vehicle thousands of miles away.
The Wired hack was staged for the story. Fiat Chrysler has since stated that there has not been a documented incident of this happening outside of that test. The automaker also claimed in a blog that the company has created network-level security to prevent that type of hack.
In the meantime, the company is updating the software in the vehicles via a USB drive that can be used by customers to download the patch.
The Senate legislation includes a rating system that would tell consumers how secure their vehicles are based on federal requirements. According to Markey's earlier report, only two of 16 automakers currently have the ability to detect and respond to the types of attacks described in the Wired piece.
There have been other vehicle hacking incidents and tests in the past, but nothing quite as dramatic as the Jeep demonstration. BMW previously had to patch a software issue that would have allowed hackers to open the doors on 2.2 million of its vehicles. Similar vulnerabilities have been found in other makes and models as well.
Lehner agrees that OEMs will need to address both privacy and security concerns. "One thing the industry is desperate for are people that can write the kind of code they need to secure these systems," Lehner says. "There's s a recognition in the industry that people with those skills, who are typically in Silicon Valley, need to be put to work in the auto industry."
Automakers announced an Auto ISAC (information sharing and analysis center) earlier this summer that will serve as a central hub for intelligence and analysis related to cyber threat information related to automotive electronics and in-vehicle networks. The Alliance of Automobile Manufacturers and the Association of Global Automakers presented the idea at the Cyber Auto Challenge in July.
"That's a more robust and realistic response than trying to pass a law," Lehner says.
