As if rush hour traffic was not bad enough, last summer drivers learned that gadgets making life on the road easier could present cyber security concerns. Specifically, a lawsuit was filed against Jeep, based on allegations that Chrysler issued a software update only after a July 21, 2015, article published by Wired showed that security researchers could remotely hack a Jeep Cherokee while the vehicle was going down the road.
This study demonstrated the potential damage that could be done if hackers gained the same access to vehicles as the Wired researchers. It should be pointed out that this study only showed the cyber security concerns related to traditional human-driven vehicles. However, there is also growing concern over the damage hackers could potentially cause when driverless vehicles enter the marketplace.
On April 28, 2016, the Michigan Legislature took steps that would make Michigan the first state to penalize hacking motor vehicles. Senate Bill 927 states that “[a] person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle.” Further, SB 927 would make hacking a motor vehicle a felony under Michigan law with the possibility of a life sentence.
Some commentators are questioning the effectiveness of the bill:
Language in the bill doesn’t delineate between independent cyber-security researchers and criminals who intend to inflict harm or havoc. Under its provisions, it’s possible…the researchers who demonstrated last summer that the Cherokee could be remotely commandeered and controlled, could face life behind bars. Provisions of the legislation that prevent a person from “altering” the motor vehicle could ensnare car enthusiasts or gearheads who tinker with electronic systems to boost performance, increase fuel efficiency or add aftermarket features.
Commentators further speculate that car manufacturers could be behind this proposed legislation because they “don’t like third parties poking around their electronic systems and would prefer the researchers not reveal security weaknesses.” For example, opponents of this legislation state the Wired researchers could have been charged if this law was in effect last summer merely for showing the flaws in the “electronic systems” in vehicles.
While the impact of the law is still being debated, the proposed language would only penalize the “unauthorized control of the motor vehicle.” Consequently, it appears a researcher would be free to alter their own vehicle’s “electronic system.” Nonetheless, this debate shows how hackers have changed the landscape for auto manufacturers.
If passed, this bill may become the model — not just for hacking vehicles — but hacking other smart items collectively referred to as the “internet of things.” If passed, other states, not be as dependent on the auto industry, may adopt similar measures for all items included in the “internet of things,” since the potential danger of hacking into the “electronic system” of a home or business equals the danger presented by hacking into that of a motor vehicle.