Cars will have to be much better protected against hacking and new privacy standards will govern data collected from vehicles under proposed legislation introduced in the U.S. Senate on Tuesday.
The Security and Privacy in Your Car Act of 2015 seeks to get a step ahead of what is seen by some as one of the next fronts in hacking: connected vehicles, which are always on the Internet and rely on sophisticated computer control systems.
Proposed by Senators Edward J. Markey, a Democrat from Massachusetts, and Richard Blumenthal, a Democrat from Connecticut, the act would mandate that critical software systems in cars be isolated and the entire vehicle be safeguarded against hacking by using “reasonable measures.” The proposed bill doesn’t define those measures.
Data stored in the car should be secured to prevent unauthorized access, and vehicles will also have to detect, alert and respond to hacking attempts in real time.
Under the proposed law, new privacy standards, to be developed by the National Highway Traffic Safety Administration (NHTSA), will require that vehicle owners be made aware of what data is being collected, transmitted and shared. Owners will be offered the chance to opt out of such data collection without losing access to key navigation or other features where feasible.
The NHTSA will also be tasked with developing an easy method for consumers to evaluate how well an automaker goes beyond the minimum standards defined in the proposed law.
To date, there have been few examples of cyber attacks on cars, but security researchers have demonstrated that it’s possible to take over the critical control systems of a car while it is in motion.
BMW earlier this year patched a vulnerability in its connected drive system that allowed an attacker to remotely unlock a car. BMW had not enabled encryption on its servers, allowing an attacker to mimic the server and send a lock or unlock command to a car. The fix was as simple as enabling HTTPS, but 2.2 million cars had to be upgraded.
Markey took up the issue of cyber security in cars in late 2013, when he sent letters to 20 major automakers asking them how they protected information collected from vehicles and guarded against cyber attacks. The answers to those letters laid the groundwork for a report published in 2014 that found cars inadequately protected against potential cyber attacks.