Car-hacking Research Faces Legislative Limits in the U.S.

Dror Liwer Blog

Consumers are starting to understand that the fun and convenience of connected cars come with a price tag. As with many Wi-Fi- or cellular-connected products, connected cars are at risk of being hacked.

In early 2015, BMW discovered a flaw in its ConnectedDrive software, the system that connects a BMW to the Internet for a variety of services including navigation systems, real-time traffic and remote door locking. Researchers imitated the company’s servers and sent unlocking requests remotely. These unlocking requests, which also affected Rolls Royce and Mini Coopers, are just the beginning of car hacking dangers.  

Researchers Charlie Miller and Chris Valasek have also been studying the process of hacking into a car’s control system. They tested their theories on a Jeep Cherokee with a Wired Magazine reporter inside. They successfully infiltrated the car and gained command of the entertainment system and steering mechanism, leaving the reporter helpless and prompting the manufacturer to recall 1.4 million vehicles.

Around the same time these master coders were conducting this demonstration, two U.S. senators proposed legislation that would limit these types of commjacking experiments. Senators Ed Markey and Richard Blumenthal introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and Federal Trade Commission (FTC) to establish standards to protect drivers from commjacking and ensure privacy. The law would prohibit anyone from accessing an electronic control unit or critical system of a motor vehicle without authorization — and impose a $100,000 fine on anyone who does.

While the proposed law is well-intentioned in wanting to deter commjackers, it nonetheless presents an antagonistic problem. The bill may actually have the opposite of its intended effects by discouraging helpful research.

No Access Means No Results

Barring anyone except owners from accessing a car’s connected control center would not only attempt to keep out commjackers, but also prevent researchers from doing some good with the information they gather from testing.

Researchers, both independent and employed by the manufacturers, often go into a car’s system to discover how people are using their connected cars, and the work helps them compile safety statistics and security standards. They use this data to improve and upgrade the technology used in automobiles. Limiting the ability to acquire this information freely and in great quantities could have severe consequences on the evolution of automotive defenses, and hinder progress toward better protections from hackers.

Not allowing researchers entry to cars’ systems only further encourages commjackers to exploit the very vulnerabilities researchers hope to identify. Miller and Valasek showcased the extremes of car commjacking when they first took control of the Jeep’s entertainment system, then air conditioning, then eventually the steering and brakes. From a laptop across the country from where the reporter drove the car, the researchers showed that commjackers could access not just one car, but an entire brand. They could’ve gained control of all the Jeep Cherokees within that one example. Their experiment proved how easy it is for commjackers to gain control of a vehicle and cause harm.

Many companies already sponsor bug bounty programs and reward researchers for finding holes in the security and safety of these constantly changing car computers. A law like the one proposed would make constructive programs like these illegal. Commjackers would continue to commit crimes and break the law, but the “good guys” would be barred from conducting helpful research.

Coronet views the legislation as a form of censorship. Banning the search for invaluable information can have a devastating effect on the industry and its ability to move forward in developing and deploying life-changing technology. Without an avenue to explore the faults and success of such innovations, the industry faces an information gap which will greatly limit engineering improvements.

The law is trying to ensure consumer privacy concerning what information manufacturers can see, and institute stronger protections against cyber crimes. Unfortunately, if the legislation passes, researchers will be impeded from conducting critical work. Not to mention, the law will apply only in the U.S., which, in our connected world, makes it hardly possible to enforce.

It is a law that intends to accomplish good, but won’t keep drivers safe from commjacking threats. We hope the U.S. will let researchers continue their work, but still spell out the consequences commjackers face.