American Senator tables car cyber security legislation

Published: April 8, 2015

Updated: July 24, 2018

Author: Callum Micucci



A U.S. senator has announced legislation that calls for increased cyber security standards in the most unlikely of places—the automobile industry.

The announcement, which came from Democratic senators Edward J. Markey and Richard Blumenthal, follows a report calling for the change from Sen. Markey just two days prior.

According to the report, Sen. Markey sent letters to 16 major automobile manufacturers regarding the use of wireless technology in their vehicles.

Their responses revealed an “alarmingly inconsistent and incomplete state of industry security and privacy practices,” according to the report. Security measures to protect against hackers are “inconsistent and haphazard” across all automobile manufacturers, claims the report.

General Motors communications subsidiary OnStar now offers 4G LTE service in 28 vehicles across the Chevrolet, Buick, GMC, and Cadillac brands. While there haven’t been any reports of actual hackers attempting to break into vehicles yet, researchers were able to hack into a vehicle’s systems as far back as 2011, before LTE service was even available in vehicles.

Researchers in 2011 were able to take control of various features in the vehicle, such as the door locks and brakes—and even the engine. The researchers could “track the vehicle’s location, eavesdrop on its cabin and steal vehicle data,” according to a New York Times article.

“Drivers have come to rely on these new technologies,” Markey said in a press release, “but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions.”

In an article written by the CBC last fall, a Canadian cybersecurity expert said he disagrees with the recent concerns, citing the “very, very controlled, almost laboratory-type environments” under which this research has been conducted.

“The car companies are actually paying quite a bit of attention to security,” said John Proctor, vice-president of global cybersecurity at Canadian IT firm CGI.

Proctor told the CBC that it comes down to a question of really how secure the vehicles need to be. If it takes such a controlled environment to hack the vehicle, it’s not really a very practical target.

The American legislation would require that “all wireless access points in the car are protected against hacking attacks, evaluated using penetration testing; that all collected information is appropriately secured and encrypted to prevent unwanted access; and that the manufacturer or third-party feature provider be able to detect, report and respond to real-time hacking events.”

The announcement also included privacy recommendations: that drivers are made explicitly aware of data collection, use, and transmission; that consumers have a choice about whether their data is collected; and a prohibition on using the information collected for marketing purposes.

“There are currently no rules of the road for how to protect driver and passenger data,” Markey said, “and most customers don’t even know that their information is being collected and sent to third parties.

“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” he said. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st century American drivers.”  

Take a look at the video below by Motherboard showing the ins and outs of car hacking: