A bill proposed by Senators Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish rules that would secure cars against hackers and protect consumer privacy.
The proposal comes as Fiat Chrysler Automobiles offers a software patch to close a loophole that allowed two hackers to take control of a moving Jeep SUV in an incident spotlighting the vulnerability of connected autos.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”
The Senate bill would create a rating system to tell consumers how secure their vehicles are beyond any minimum federal requirements.
Markey released a report last year on gaps in car security systems, concluding that only two of 16 auto companies had the ability to detect and respond to a hacking attack. Fiat Chrysler said in a statement that it’s not aware of any real-world unauthorized remote hack into any of its vehicles.
FCA said that “after becoming aware of the vulnerabilities in some 2013 and 2014 vehicles equipped with the 8.4-inch touchscreen systems, FCA and several suppliers worked to fix the vulnerabilities in model year 2015 vehicles.”
As light vehicles become rolling smartphones, loaded with streaming music and apps, they open themselves to the viral and criminal threats that target PCs and credit card databases.
A since-closed flaw disclosed in January would let hackers open doors on 2.2 million BMW AG vehicles. The programmers who took over the Jeep listed vulnerabilities last year in 19 other models.
“This is a very big wake-up call for the industry that shows they have a weakness,” said Egil Juliussen, director of research for consultant IHS’s automotive technology group. “They are worried about it and thinking about what they need to do, but it will be awhile before cars are safe from a hacking attack.”
By 2022, 82.5 million autos worldwide will be connected to the Internet, more than three times the 26.5 million connected cars this year, according to IHS. In seven years, 78 percent of the cars sold globally will be connected, up from 30 percent now, the consulting firm said.
The auto industry’s two biggest trade groups, the Alliance of Automobile Manufacturers. The Association of Global Automakers, said on July 14 that they would form an information- sharing and analysis center by the end of the year to collaborate against emerging hacking threats.
Automakers are starting to deploy anti-hacking software, but the defenses are not strong yet, said Juliussen, the IHS research director.
“Four or five years ago, there was nothing” protecting cars from hackers, he said. “Today, the automakers are starting to put things in place, but there’s still a long way to go.”
Cars are not as rich a target as banks and retailers which have credit card information and Social Security data that hackers can use to make money. Because the vehicles lack such personal data, the auto industry probably won’t face a concerted threat yet from hackers, Juliussen said.
“There aren’t many ways to earn money from hacking a car,” he said. “You could wreak havoc with traffic flow or cyber warfare, but that’s not the sort of thing an average hacker would do.”
Automakers need to establish a firewall between a vehicle’s entertainment system and mechanical functions such as the engine and brakes, said Thilo Koslowski, vice president of the auto practice at Gartner Inc. The Jeep hackers got in through the SUV’s Uconnect infotainment system.
The Jeep hack shouldn’t cause consumers or automakers to pull back from connected cars, which will pave the way for safety advancements and self-driving vehicles that will reduce highway deaths, Koslowski said.
“This is not time to take our tinfoil hats out and say we shouldn’t have connected vehicles,” he said. “This is an area that needs attention and investment from the auto industry.”