By Ryan Daws, IoT NEWS
August 23, 2019
US Senators Richard Blumenthal and Ed Markey have penned a letter to the National Highway Traffic Safety Administration (NHTSA) asking whether vehicle manufacturers have disclosed vulnerabilities in their cars.
The letter is being sent in the wake of a damning Consumer Watchdog report earlier this month that warned a mass cyberattack could result in the remote control of connected cars.
Los Angeles-based Consumer Watchdog released a study warning of an increasing danger of fleetwide hacks of connected vehicles. A single vulnerability in even one manufacturer’s fleet of connected cars has the potential to compromise millions of vehicles globally.
Jamie Court, President of Consumer Watchdog, highlighted that in Ford’s most recent annual report with the SEC it was noted: “We, our suppliers, and our dealers have been the target of these types of attacks in the past and such attacks are likely to occur in the future.”
Ford hasn’t elaborated on the nature of the attacks it witnessed, but it goes to show that vehicles are already a keen target of hackers.
The senators want to know whether connected car manufacturers have reported such vulnerabilities to the NHTSA and what the agency is doing to address the problem.
In their letter, addressed to NHTSA Deputy Administrator Heidi King, the senators wrote:
“According to a recent report, companies such as BMW, Daimler Chrysler, Ford, General Motors, and Tesla have acknowledged the dangers of internet-connected cars to their investors and shareholders, but have not disclosed these same risks to the public at large.
We are concerned that consumers are purchasing internet-connected vehicles without sufficient safety warnings and write to inquire about NHTSA’s knowledge of any cyber vulnerabilities, as well as what actions NHTSA is taking to address these issues.”
The senators seek answers to the following questions:
Has NHTSA ever been notified of malicious hacking attempts against or vulnerabilities in internet-connected cars, such as those identified in Ford’s statements to investors?
If NHTSA was notified of any such attempts, what actions did NHTSA take in response to the information? If no action was taken, why not?
Further, if NHTSA was notified, why was the public not informed of the cyber risks to any vehicles they already owned or were considering purchasing?
What actions has NHTSA taken, and what actions does NHTSA plan to take, in order to address the cyber vulnerabilities and public safety risks created by the increasing number of internet-connected cars on U.S. roads?
Does NHTSA have a formal process in place to receive reports of hacking or vulnerabilities in internet-connected cars?
In the event of a cyber incident or vulnerability involving the security of an internet-connected car, what entity would be expected to provide public disclosure? Would that public disclosure be legally required?
Consumer Watchdog’s report suggests that a mandatory ‘kill switch’ be installed in all vehicles. Such a switch, the report notes, costs just 50 cents but could save lives in the event of a cyberattack by immediately severing the connection between the internet and critical functions like the engine, steering, and brakes.