In Sunday night’s episode of the CBS television show CSI: Cyber, a hacker “cyber-jacks” automobiles—some empty, some with drivers behind the wheel—and uses them as remote-controlled cars to cause deadly crashes. As I watched the show, I couldn’t help but think back to my blog post earlier this year about the security vulnerability of our cars (and other devices we use every day) that are connected to the Internet of Things. Is the premise of the television show pure fiction? Exaggeration of a minor threat for dramatic effect? Not according to recent headlines.
Last week Congressmen Ted W. Lieu (D-Cal.) and Joe Wilson (R-SC) introduced The Security and Privacy in Your Car Study Act of 2015, a/k/a The SPY Car Study Act. The legislation would require the National Highway Safety Transportation Commission to work with the Federal Trade Commission, National Institutes of Standards and Technology, the Department of Defense, industry leaders, and higher education institutions to carry out a one-year study of ways to detect and prevent malware attacks on vehicle software, and recommend a regulatory framework for protecting the data collected and stored by cars. As Representative Lieu explained,
“Americans have a right to drive cars that are safe and protected from hackers. Frankly, without adequate protections, a hacker could turn a car into a weapon. The SPY Car Study Act is a first step . . . to ensure that car navigation, entertainment and operating systems are safe and the data gleaned from such systems kept private. The Internet of Things (IOT), brings technology and connectivity into every corner of our lives, including our cars. However, with the pervasiveness of technology, cybersecurity standards and privacy protections become more important than ever.”
The SPY Car Study Act is similar to (but narrower in scope than) the Security and Privacy in Your Car Act, or SPY Car Act, introduced in the Senate in July, which would establish federal standards aimed at protecting vehicle owners from hacking attacks and secret data tracking.
In a display of great timing, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introducted the SPY Car Act on the same day that journalist Andy Greenberg published an article in Wired magazine revealing that hackers remotely accessed his Jeep Cherokee while he drove it down the highway at 70 miles per hour. According to Greenberg, he had agreed to be a “digital crash-test dummy” for two men who wanted to test their car-hacking research. These men developed hacking software that gives the attacker wireless control, over the internet, to thousands of Jeep vehicles. The software enables hackers to send commands through the car’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a remote laptop. The hackers in Greenberg’s experiment blasted cold air from the vents, turned the radio volume all the way up, and killed the transmission, causing his car to roll to a stop. As Greenberg coped with the attack, a picture of the two hackers appeared on his car’s digital display. Following Greenberg’s article, Jeep’s parent company Fiat Chrysler USA recalled 1.4 million Dodge, Ram and Jeep vehicles to install new security features.
So it seems the plot of CSI: Cyber is not far-fetched at all. In the meantime, while federal legislation works its way through Congress, and auto manufacturers struggle to keep up with the latest IOT threats, what’s a driver to do? Buckle your seatbelt.
Have questions about the Internet of Things and data security? Contact me and let’s chat.