Two U.S. senators are proposing the SPY Car Act of 2015 to create privacy standards for computer systems that control today’s generation of electronics-heavy vehicles – just as a commentator for Wired.com explains how hackers who set him up in a new vehicle were able to take over its controls – brakes, transmission and more – while he was driving down the road at 70 mph.
“As the two hackers remotely toyed with the air-conditioning, radio and windshield wipers, I mentally congratulated myself on my courage under pressure,” wrote Andy Greenberg at Wired in an article headlined, “Hackers remotely kill a Jeep on the highway.”
Suddenly, his vehicle slowed to a crawl, an 18-wheeler was approaching from behind, and “the experiment had ceased to be fun,” he explained.
The solution may be coming in the form of the SPY Car Act of 2015,” already introduced by Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., to “establish cybersecurity and privacy requirements for new passenger vehicles. And inform consumers about the risks of remote hacking.”
Privacy industry warnings have been going out since 2011 about avoiding in-car tracking and other computer devices. Marc Rotenberg of the Electronic Privacy Information Center wrote back then that data from embedded “black boxes” in vehicles could provide unwanted information to state agencies and more.
Then the systems were upgraded so that the vehicles actually are online.
Greenberg explained that it is the industry’s Uconnect that is prompting questions.
That’s an Internet-connected computer feature in “hundreds of thousands of Fiat Chrysler cars, SUVs and trucks, controls the vehicles entertainment and navigation, enables phone calls and even offers a Wi-Fi hot spot,” he wrote.
And, he wrote, the cell connection also “lets anyone who knows the car’s IP address gain access from anywhere in the country.”
The hackers with whom he was working, he said, have “only tested their full set of physical hacks, including targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit.”
The SPY Car Act, or the Security and Privacy in Your Car Act of 2015, would require new cars to meet cybersecurity standards.
“All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks,” it requires.
And it demands, “Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report and stop attempts to intercept driving data or control the vehicle.”
The requirements would include a “cyber dashboard” that would inform consumers “about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers and passengers beyond the minimum requirements set forth” in the law.
It also provides for the privacy of information collected by any monitor on the vehicle installed by the manufacturer.
EPIC reports the legislative proposal followed a report from Markey that talked about the gaps in how auto companies are, or are not, securing the electronics systems in their vehicles from hackers.
The organization has written extensively about the “Internet of Things,” explaining that various technologies communicate with each other these days, with systems including IPv6, RFID, Wi-Fi and GPS appearing in appliances, smartphones, wearable computers and more.
“The ubiquity of connected devices would enable [the] collection of data about sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals,” it said.
Systems like Blutooth, Near-Field Communication, Wi-Fi and others “use radio waves to enable tracking and communication between objects and devices,” the group said.
With “340 trillion trillion trillion” Internet Protocol addresses available, there’s not problem with assigning each vehicle one, the article explained.
There also are Event Data Recorders, Facial Recognition Technology, Wireless Local Area Networks, the Worldwide Interoperability for Microwave Access, the Wireless Metropolitan Network, the Industry, Industrial, Scientific and Medical frequency band, International Mobile Station Equipment Identity, Global Positioning System and more.
It is no significant accomplishment these day, the report from EPIC said, to be able to follow where a driver goes, at what time of day, the route the driver takes and how urgently the driver wished to arrive there.
Then there’s the access points for the vehicle’s system that Greenberg described in his experiment with hackers Charlie Miller and Chris Valasek.
They are able to break into software in the entertainment system and reach through to the “dashboard functions, steering, brakes and transmission, all from a laptop that may be across the country.”
He reported the hackers plan to reveal details of their work, including how they are able to “cut the Jeeps brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch” – at a coming conference.
Then they plan to “publish” the code that will “enable many of the dashboard hijinks they demonstrated on me,” he wrote.
They’ve also been working with Chrysler, which now has released “a program … to continuously test vehicles systems to identify vulnerabilities and develop solutions,” the company reported.
The company also said, Greenberg reported, “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
“If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller said. “This might be the kind of software bug most likely to kill someone.”
They estimate nearly half a million vehicles on the roads today are vulnerable.
from PropagandaGuard https://propagandaguard.wordpress.com/2015/07/22/hackers-remotely-kill-a-jeep-on-the-highway/
from WordPress https://toddmsiebert.wordpress.com/2015/07/21/hackers-remotely-kill-a-jeep-on-the-highway/
No comments:
Post a Comment