The world’s first automotive cyber-security law may force automakers to deliver software updates and stop vehicle tracking as part of new IT security standards regarding connected cars in the US.
The Security and Privacy in Your Car (SPY) Act of 2015 proposed in the US Senate could force automakers to update software more, isolate critical systems from the car’s internal network and clearly state data collection practices.
All entry points to the 23 electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks,” the bill says.
The new privacy standards, to be developed by the National Highway Traffic Safety Administration (NHTSA), will require automakers to tell car owners what data is being collected, transmitted and shared.
Each motor vehicle shall provide clear and conspicuous notice, in clear and plain language, to the owners or lessees of such vehicle of the collection, transmission, retention, and use of driving data collected from such motor vehicle,” the paper says.
The bill’s announcement comes coincidentally at the same time as an experiment showing how a wirelessly connected car can be hacked remotely.
Two researchers exploited a zero-day vulnerability in a Jeep Cherokee’s Uconnect infotainment system to gain wireless control of the car. By rewriting firmware of a chip found in the in-car entertainment system, they sent commands to the car’s internal computer system to manipulate dashboard functions, steering, brakes and transmission functions.
This isn’t’ the first story of this sort. Earlier this year, German automaker BMW patched a vulnerability in its connected drive system that allowed an attacker to remotely unlock its cars. 2.2 million Rolls-Royce, Mini and BMW vehicles were affected. Tesla was also in the spotlight back in 2013, when a team of hackers exploited an unspecified flaw in the car’s design, allowing them to open the doors of Model S, while it was in motion.
“Drivers shouldn’t have to choose between being connected and being protected,” Senator Edward J. Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”