Senators propose bill to tighten vehicle security, privacy standards

Two U.S. senators want the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure cars and protect drivers' privacy against cyber attacks.

Two U.S. senators today filed a bill that would require the federal government to establish standards to ensure automakers secure drivers against vehicle cyber attacks.

The Security and Privacy in Your Car (SPY Car) Act, filed by Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.), also establishes a rating system -- or "cyber dashboard" -- that informs consumers about how well the vehicle protects drivers' security and privacy beyond the proposed federal minimum standards.

"Drivers shouldn't have to choose between being connected and being protected," Sen. Markey said in a statement. "We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles."

The legislation would also ban the use of personal driving information collected by automakers from vehicle computer systems for advertising or marketing purposes without the owner clearly opting in.

The bill follows a report released by Markey last year -- The Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk -- that called out major gaps in the auto industry's efforts to secure cars from hackers who can take advantage of cellular or Wi-Fi-connected cars.

For example, the report states that only two of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time, and most customers don't even know that their information is being collected and sent to third parties.

"Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions," the report said.

Last year, the world's 19 biggest automakers agreed to principles they say will protect driver privacy in an electronic age where in-vehicle computers collect everything from location and speed to what smartphone you use.

A 19-page letter committing to the principles was submitted to the Federal Trade Commission from the industry's two largest trade associations: the Alliance of Automobile Manufacturers (AAM) and the Association of Global Automakers (AGA). The AAM represents Detroit's Big Three automakers -- Ford, GM and Chrysler -- along with Toyota, Volkswagen AG and others. The AGA also represents Toyota, along with Honda Motor Co., Nissan Motor Co. and Hyundai Motor Co., among others.

Carmakers already remotely collect data from their vehicles, unbeknownst to most drivers, according to Nate Cardozo, an attorney with the Electronic Frontier Foundation.

"Consumers don't know with whom that data is being shared," Cardozo said. "Take Ford Sync, for example. In its terms of service, it says it's collecting location data and call data if you use Sync to dictate emails."

Location data about drivers is continually sent to manufacturers, which allows navigation systems to update users on traffic and weather conditions and offer other services such as remote payment for parking.

Other examples of vehicle vulnerabilities include:

  • A 92-page report revealing "the 20 most hackable cars" that was presented last year at the Black Hat security conference in Las Vegas by two industry experts.
  • A device built by a 14-year-old to wirelessly communicate with a vehicle's controller area network (CAN) and remotely control non-safety-related equipment such as headlights, window wipers and the horn. (He was also able to unlock the car and engage the vehicle's remote start.) The device was publicized at the CyberAuto Challenge in Columbus, Ohio.

At least one lawsuit has already been filed against automakers, claiming they have failed to take basic measures to secure their vehicles from hackers.

The SPY Act would address cybersecurity standards to help prevent hacking into vehicle control systems, and data security concerns to help ensure all collected information would be secured from unwanted access while stored on-board, in transit, and stored off-board.

The legislation also calls for vehicles to be equipped with technology that can detect, report and stop hacking attempts in real time. And it calls on the FTC to develop privacy standards on the data collected by vehicles, including transparency, so that owners are explicitly aware of any data collection. Owners would be able to opt out of data collection by automakers and others.
