Law Seeks Better Cyber Security for Cars

In 2015, Chrysler came under fire when several of its models were remotely accessed and taken control of after a report by Wired. Vulnerable vehicles all utilized Chrysler's Uconnect platform, which operates by connecting to Sprint's cellular network. Once the vehicle becomes internet facing, it is exposed to be accessible by attackers. In fact, the test performed did not even require knowing the unique IP Address of the vehicle. The attacker could scan the network, locate a Uconnect equipped vehicle, and start controlling it remotely.

In a world becoming more connected every day, it becomes necessary to protect things which can be accessible by others. Two senators from Connecticut and Massachusetts have introduced a bill titled "Security and Privacy in Your Car (SPY Car) Act of 2017". The bill, which names the NHTSA (National Highway Traffic Safety Administration) and FTC (Federal Trade Commission) as upholders of the law, seeks to prevent unauthorized users from accessing critical systems. These are defined as systems that if compromised could result in loss of controls of the vehicle. Essentially, this would equate to the Uconnect system being able to reach the internet, but if an attacker was to gain access and compromise your vehicle, they might be able to change your radio station, but couldn't disable your brakes.

Additionally, a consumer-facing requirement was added to the bill which would require vehicle manufacturers to show what they have done to protect the driver from cyber attacks. This level of transparency extends to data collection, which must also be revealed to the driver who can opt-out of marketing which the manufacturer may sell.