Senators Edward Markey and Richard Blumenthal, members of the Commerce, Science and Transportation Committee, recently introduced the Security and Privacy in Your Car (SPY Car) Act, which directs the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish standards to secure automobiles and protect drivers’ privacy. The SPY Car Act will also establish a “cyber dashboard” that rates how well the car protects privacy and security beyond the minimum standards.
This legislation will force auto makers to comply with these security and privacy standards or face fines. While the automakers have already been working to better secure their vehicles from cyberattacks, the SPY Car Act will create a greater sense of urgency.
The SPY Car Act calls for a number of security steps to be taken by the auto makers. While all of these steps will help make cars safer in the long run, there may be some unintended consequences as the car makers struggle to comply with the legislation in the short term.
Let’s look at some specifics from the SPY Car Act.
“Requirement: All motor vehicles manufactured for sale in the United States on or after the date that’s two years after the date on which final regulations are prescribed … shall comply with the cybersecurity standards set forth …”
Two years is not a long time in the development cycle of a car. It doesn’t give the carmakers much time to investigate, design, and implement a solution correctly and then test it as part of the entire automotive system. This short timeline could lead to “band-aid fixes,” such as adding firewalls that will make cars safer, but won’t address everything.
Security Innovation’s Automotive Centers of Excellence (ACE) urges its customers to take a holistic approach to security, namely adopting a Secure Development Lifecycle and applying security to every stage of a car’s development. Two years doesn’t allow the car makers to review the architecture, perform thorough threat modeling with appropriate remediation steps, conduct code reviews, scans, and penetration testing, etc. The two-year window could force car makers to focus on purchasing a security tool or two and conducting a few penetration tests to fix their potentially flawed architectures, vulnerable software, and poorly implemented cryptography.
“Protection against hacking: All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.”
Again, this point seems to be pushing automakers to follow the path that IT guys did years ago, when they just bought firewalls and assumed everything was safe. The IT world didn’t address all of the application security flaws, architecture vulnerabilities, and crypto implementation errors that were present in their systems. I hoped that auto makers would learn from IT history, but I fear they might end up repeating history in an effort to comply with these laws quickly.
“Isolation measures: The measures shall incorporate isolation measures to separate critical software systems from noncritical software systems.”
Isolation is a good security practice. But can automakers implement isolation and still give drivers the features they demand? For example, GPS navigation can be used to track you, so that probably falls into the critical system area. But many apps on noncritical systems rely on that location data to bring consumers features they want. And GPS location and signals from braking and traction control modules are sometimes intermingled in safety applications. None of these challenges are insurmountable, but it’s a bigger challenge than isolating systems from a web server and will take time, expertise, and effort to implement properly.
“Detection, reporting, and responding to hacking: Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”
This is definitely easier said than done. If a user’s (or admin’s) credentials are compromised, a successful hack could be launched but appear to be completely legitimate and thus go undetected. There will need to be ways to replicate practices from the IT world, such as antivirus updates, two-factor authentication, software patches, etc. All of these security practices are difficult to implement in a car that has an intermittent Internet connection. Software updates also have risks associated with them if done improperly.
“The cyber dashboard shall inform consumers, through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements.”
Transparency is a good thing. Consumers can make informed decisions about the cyber-risk they’re willing to take and market forces can help determine the balance between security and cost. However, it’s difficult to judge this dashboard without knowing what the criteria are going to be. The group I Am The Cavalry has proposed a Five Star Automotive Cyber Safety Program that’s a good example of what this dashboard could include.
There are many questions that will be answered once the NHTSA and FTC turn this legislation into actual requirements. And what about retroactively securing cars that are already on the road? Do makers of aftermarket equipment have the same requirements? What responsibilities do the drivers have? For example, must they purchase antivirus software and are they responsible for not adding vulnerable apps? While the short-term impact may not be ideal, the end result of this legislation should make our cars more secure.
For more on cybersecurity legislation in the auto industry, read “The Cavalry has arrived for automotive cybersecurity. What’s next?”
For the past two years, Gene Carter has been the Director of Product Management for the Embedded Security Business Unit at Security Innovation. Carter has spent the past 20 years in embedded and automotive product management roles for NXP Semiconductors, Philips Semiconductors, and Coto Technology. He holds an MBA from the University of Southern California’s Marshall School of Business and a BSc in Electrical Engineering from Tufts University.