Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices. The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee, including attacks that disabled the car’s brakes and transmission. While Fiat Chrysler’s statement on the recall emphasized that it was not aware of any incidents where the vulnerability had been exploited, the recall demonstrates the increasing attention being paid to security vulnerabilities discovered in connected devices. The same day that the Wired article was published, Sens. Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) introduced legislation aimed at establishing federal standards for cybersecurity of connected cars and privacy of drivers’ information.
According to the Wired article, many of Fiat Chrysler’s vehicle models – including the Jeep Cherokee – use Uconnect, an Internet-connected computer feature, to offer entertainment, navigation, and communication features. The Wired article described a method by which security researchers were able to use Sprint’s cellular network, the same network used by the Uconnect feature, to wirelessly access any vulnerable vehicle nationwide through its Uconnect system. Once the researchers accessed a vehicle, they could reach the car’s internal computer network and control certain physical components of the car, such as its engine and wheels. According to the article, the researchers notified Fiat Chrysler of the vulnerability nine months ago, and Fiat Chrysler responded by releasing a software patch that could be manually installed via a USB stick or by a dealership mechanic. Following the article’s release, Fiat Chrysler initiated a full safety recall of multiple affected vehicle models, mailing each vehicle’s owner a USB stick containing the patch, which the owner could plug into a port in the vehicle to install the fix. The automaker has also worked with Sprint to block the methods used by the researchers to find and access vehicles wirelessly over Sprint’s network.
Last week, Sens. Ed Markey and Richard Blumenthal also introduced the SPY Car Act, designed to protect drivers from the security and privacy risks inherent in the increased use of connected cars. According to the copy of the bill released by Sen. Markey, the bill would require NHTSA, in consultation with the FTC, to develop performance standards to prevent hacking of vehicles’ control systems. These standards, which would take effect within 2 years after the final regulations are prescribed, would require manufacturers to use “reasonable measures” to protect all access points to the car, including isolation of critical software systems and evaluation using penetration testing. Manufacturers would also have to secure all collected information against unauthorized access, both at rest and in transit, and equip vehicles with “capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” In addition to these hacking protections, the bill would also require the FTC, in consultation with NHTSA, to develop privacy standards to govern the collection of data by vehicles, including increased transparency and choice for drivers and a prohibition on the use of such data for marketing purposes without express consent. Finally, the bill would also require NHTSA and the FTC to develop a “cyber dashboard” that would allow potential purchasers of new vehicles to easily evaluate how well each vehicle protects owners’ security and privacy.