Two U.S. senators today filed a bill that would require the federal government to establish standards to ensure automakers secure drivers against vehicle cyber attacks.
The Security and Privacy in Your Car (SPY Car) Act, filed by Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.), also establishes a rating system -- or "cyber dashboard" -- that informs consumers about how well the vehicle protects drivers' security and privacy beyond the proposed federal minimum standards.
"Drivers shouldn't have to choose between being connected and being protected," Sen. Markey said in a statement. "We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles."
The legislation would also ban the use of personal driving information collected by automakers from vehicle computer systems for advertising or marketing purposes without the owner clearly opting in.
The bill follows a report released by Markey last year -- The Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk -- that called out major gaps in the auto industry's efforts to secure cars from hackers who can take advantage of cellular or Wi-Fi-connected cars.
For example, the report states that only two of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time, and most customers don't even know that their information is being collected and sent to third parties.
"Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions," the report said.
Last year, the world's 19 biggest automakers agreed to principles they say will protect driver privacy in an electronic age where in-vehicle computers collect everything from location and speed to what smartphone you use.
A 19-page letter committing to the principles was submitted to the Federal Trade Commission from the industry's two largest trade associations: the Alliance of Automobile Manufacturers (AAM) and the Association of Global Automakers (AGA). The AAM represents Detroit's Big Three automakers -- Ford, GM and Chrysler -- along with Toyota, Volkswagen AG and others. The AGA also represents Toyota, along with Honda Motor Co., Nissan Motor Co. and Hyundai Motor Co., among others.
Carmakers already remotely collect data from their vehicles, unbeknownst to most drivers, according to Nate Cardozo, an attorney with the Electronic Frontier Foundation.
"Consumers don't know with whom that data is being shared," Cardozo said. "Take Ford Sync, for example. In its terms of service, it says it's collecting location data and call data if you use Sync to dictate emails."
Location data about drivers is continually sent to manufacturers, which allows navigation systems to update users on traffic and weather conditions and offer other services such as remote payment for parking.
Other examples of vehicle vulnerabilities include:
- A 92-page report revealing "the 20 most hackable cars" that was presented last year at the Black Hat security conference in Las Vegas by two industry experts.
- A device built by a 14-year-old to wirelessly communicate with a vehicle's controller area network (CAN) and remotely control non-safety related equipment such as headlights, window wipers and the horn. (He was also able to unlock the car and engage the vehicle's remote start.) The device was publicized at the CyberAuto Challenge in Columbus, Ohio.
At least one lawsuit has already been filed against automakers, claiming they have failed to take basic measures to secure their vehicles from hackers.
The SPY Act would address cybersecurity standards, to help prevent hacking into vehicle control systems, and data security concerns, to help ensure all collected information would be secured from unwanted access while stored on-board, in transit, and stored off-board.
The legislation also calls for vehicles to be equipped with technology that can detect, report and stop hacking attempts in real time. And it calls on the FTC to develop privacy standards on the data collected by vehicles, including transparency, so that owners are explicitly aware of any data collection. Owners would be able to opt out of data collection by automakers and others.