It was just last July that many people first became aware of the risks of cars being remotely hacked, when white hat hackers Charlie Miller and Chris Valasek went public with their remote hacking of a Jeep Grand Cherokee through its UConnect entertainment system, during which they were able to gain control of the car’s speed, brakes, radio, windshield wipers and other features. In response, Fiat Chrysler recalled 1.4 million vehicles to correct the vulnerabilities that made these cars and trucks hackable. Customers affected by the recall received a USB device to personally upgrade their vehicle software and provide new security features in addition to those installed by the network upgrades.
The FBI has just issued a new warning about the risk of cars and trucks being remotely hacked. Our cars have become more and more computerized.
Keyless entry, ignition control, tire pressure monitoring, diagnostic controls, navigation and the entertainment systems are now computerized and subject to Internet or cellular access. A new car today can have as many as forty wireless access points.
The threats of automobile hacking include not only the extreme danger of vehicles being remotely taken control of, but also the theft of the data stored in them. In addition, when automobile computer systems are tied to the car owner’s smartphone, there is an increased risk of the car being hacked as a way to get access to the smartphone and all of the credit card information, passwords and financial data, including banking app passwords, stored on it.
United States Senators Edward Markey and Richard Blumenthal have filed legislation known as the SPY Car Act, designed to set requirements for automobile manufacturers to meet in order to combat the threat of automobile hacking. SPY is an acronym for Security and Privacy in Your Car. Senator Markey has long been concerned with the vulnerabilities of automobiles to being hacked and in February of 2015 issued a report that concluded that the efforts of automakers around the world to prevent hackers from gaining control of cars electronically were “inconsistent and haphazard.” Further, Markey indicated that most automakers did not even have systems for either detecting security breaches or responding to those breaches. The SPY Car Act is an attempt to respond to the lack of efforts by the automobile industry to effectively deal with the problems of cybersecurity in automobiles.
If enacted into law, the SPY Car Act would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to develop industry-wide standards to prevent vehicle control systems from being hacked. In addition, the bill would require important privacy standards to be developed to protect the privacy of the data collected by our vehicles. Finally, the bill, if enacted into law, would require a new cyber dashboard display that would be affixed to the windows of all new cars and would indicate how well the particular type and brand of car protects security and privacy beyond the minimum standards set by law.
Here is a link to the proposed legislation. If you support this bill, I urge you to contact your Senators to request that they vote favorably on it.
Meanwhile, the Department of Transportation and 17 automakers have agreed to share information about cyberattacks on their vehicles. The auto industry has already set up the Information Sharing and Analysis Center (ISAC) as a clearinghouse for sharing such information. In addition, the auto industry has also agreed to develop best practices.
However, all of these steps by the government and the automobile industry will take time. So what should we, as automobile owners, be doing now to make our rides safer and our information more secure?
First, you should keep an eye out for recalls related to the cybersecurity of your car. Even though manufacturers will notify affected vehicle owners about recalls for cybersecurity matters, it is a good idea to regularly check out NHTSA’s website for recall information that may apply to you. Here is the link to the recall section of NHTSA’s website.
The FBI also advises consumers to regularly check their automobile manufacturer’s website for software updates.
If you do receive a notice of a cybersecurity-related recall, it is important to remember my motto, “trust me, you can’t trust anyone.” That recall notice, which you might receive by regular mail or email, might be from a hacker seeking to lure you into installing malware into your car, computer or smartphone. The FBI is also warning consumers to be wary of USB devices sent to them that appear to come from the automobile manufacturer, ostensibly for the purpose of resolving a car computer vulnerability, as was done with the Jeep Grand Cherokee last year. Those USBs could be sent by hackers in an attempt to lure people into downloading malware. The safer route is to contact your car dealer when you receive any notice about a recall requiring software updating and have the update done by the dealer rather than doing it yourself, unless you are absolutely sure that the USB you are sent is legitimate.
If you are considering buying a new car, you may want to consider getting one with the Android Auto or Apple CarPlay systems that use your smartphone to operate your car’s entertainment system. This will give you greater control over the security system of your car. Of course, this assumes that you are already taking the security steps necessary to protect your phone, but that is the subject for another column.
Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily updated information about the latest scams. His new book is Identity Theft Alert.