House Committee to discuss Bill to outlaw Car Hacking

 

Proposed legislation would outlaw independent efforts to investigate security flaws in vehicle software.
Proposed legislation would outlaw independent efforts to investigate security flaws in vehicle software.

In-brief: The U.S. House of Representatives will take up proposed legislation on Wednesday that would make tampering with the software that runs connected vehicles a crime punishable with a $100,000 fine.

 The U.S. House of Representatives will take up proposed legislation on Wednesday that would make tampering with the software that runs connected vehicles a crime.

The House Energy and Commerce Committee plans to discuss the draft of a bill introduced on Wednesday that will increase privacy protections in late model vehicles, while also making it unlawful for someone to “access” a vehicle’s electronic control unit “without authorization” – a provision that could criminalize a wide range of independent research on vehicle security and safety.

The proposed legislation is one of a slate of proposed laws to address concerns about data hungry and vulnerable automobiles. Those fears were heightened over the summer, when security researchers Chris Valasek and Charlie Miller – now of Uber – demonstrated a technique for taking control of a 2014 Jeep Cherokee on the highway using software-based attacks.  The demonstration ultimately prompted a recall of 1.4 million vehicles by Fiat Chrysler.

The proposed legislation would make research like Valasek and Miller’s, which was conducted without the knowledge of Fiat Chrysler using private funds, illegal. For example, section 302 of the bill amends Section 30122 of title 49 of the United States Code to specifically prohibit “motor vehicle hacking.”

“It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection,” the section reads.

The prohibition would apply to “critical systems” within cars including software, firmware and hardware that “if accessed without authorization, can affect the movement of the vehicle. Violations would be punishable by a civil penalty of up to $100,000 for each violation – which could apply to each motor vehicle affected or “item of motor vehicle” affected, according to a draft of the bill (PDF).

[Read more Security Ledger coverage of connected cars here.]

Other sections of the draft law would improve the National Highway Traffic Safety Administration’s management of vehicle recalls, with an eye to improving public compliance with them. It would also place new restrictions on the types of data automakers can collect from car owners and require more transparency from them on how data submitted by vehicle owners will be used.

“Drivers and their loved ones can never be too safe on the roads and our work to boost vehicle safety continues,” said full committee Chairman Fred Upton (R-MI) and subcommittee chair Rep. Michael C. Burgess (R-TX) in a published statement. “There is an urgency for improvement with both automakers and NHTSA as the next generation of vehicles and innovation are set to emerge.”

The proposed legislation is still a long way from becoming law. It would have to first be reconciled with competing Senate legislation, including the Motor Vehicle Safety Act of 2015, sponsored by Senator Bill Nelson (D-FL), and the Security and Privacy in Your Car (SPY Car) Act, sponsored by Senators Edward Markey and Richard Blumenthal. Both houses of Congress would then have to pass the compromise legislation, which would have to be signed into law by President Obama.

Spread the word!

Comments are closed.