Two US senators last week asked the country’s National Highway Traffic Safety Administration (NHTSA) whether it has been notified about any malicious hacking attempts on internet-connected cars and whether it has plans to address the cyber risk these vehicles pose to public safety.
“We are concerned about the lack of publicly available information about the occurrence and handling of cyber vulnerabilities in internet-connected cars, and that NHTSA should be aware of these dangers in order to take possible regulatory actions,” said Senators Edward Markey and Richard Blumenthal in a letter to NHTSA dated August 22.
Both lawmakers were reacting to a recent report by the Consumer Watchdog that said safety-critical systems of connected cars are being linked to the internet without adequate security and with no way to disconnect them in the event of a fleet-wide hack.
Predicting that no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system by 2022, the report recommended that these vehicles be fitted with a kill switch that will allow users to physically cut the online connection.
Citing the report, the two senators expressed concern that while automakers such as BMW, Chrysler, Daimler, Ford, General Motors and Tesla have disclosed the cyber vulnerabilities to their investors and shareholders, they have kept consumers in the dark.
“Consumers are purchasing internet-connected vehicles without sufficient safety warnings,” said Markey and Blumenthal.
Besides asking NHTSA whether it has been notified of cyber vulnerabilities in internet-connected cars, the senators want the agency to answer three more questions. These are:
- What actions has NHTSA taken, and what actions does NHTSA plan to take, in order to address the cyber vulnerabilities and public safety risks created by the increasing number of internet-connected cars on US roads?
- Does NHTSA have any formal process in place to receive reports of hacking or vulnerabilities in internet-connected cars?
- In the event of a cyber incident or vulnerability involving the security of an internet-connected car, what entity would be expected to provide public disclosure? Would that public disclosure be legally required?
The senators requested a written response by September 13.