EFF Calls for DMCA Changes After Jeep-Hacking Report
In the wake of a recent report highlighting the potential for vehicle hacking on the roads, the Electronic Frontier Foundation said that hackers should have the right to analyze the software in vehicles—a stance the auto industry disagrees with.
It may sound cool, but it’s anything but.
Imagine driving down a highway or a quiet road and losing control of your car: The brakes suddenly go out. Or maybe the GPS goes haywire, the air conditioning starts blowing full blast, or the headlights start flashing off and on. Or maybe the car stops entirely. Now imagine a hacker is to blame.
That’s the real-life tale that Wired reporter Andy Greenberg shared on Wednesday, after security researchers Charlie Miller and Chris Valasek remotely took over Greenberg’s Jeep Cherokee while he was in the driver’s seat. Greenberg knew it was going to happen, but it still rattled him.
“Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country,” Greenberg wrote of his experience.
As a result of Greenberg’s report, Chrysler announced that it would recall more than 1.4 million vehicles with the dashboard computer technology—a big step in the right direction. But one group wants to see even bigger steps taken.
Research Needed, EFF Says
In response to Greenberg’s article, the Electronic Frontier Foundation (EFF) urged the government to broaden the ability to research the innards of onboard vehicle software, something currently not allowed under Section 1201 of the Digital Millennium Copyright Act (DMCA).
“The Librarian of Congress will issue a final rule this fall,” EFF Staff Attorney Kit Walsh wrote in a blog post. “And we are hopeful that he will grant exemptions that bring greater legal certainty to important research and remove Section 1201 as a barrier to innovation, competition, and user choice.”
It is unclear whether research rights under the DMCA will be broadened, but the fight has picked up on both sides of the issue.
“One major reason that serious vulnerabilities have gone undisclosed and unfixed is that laws like Section 1201 of the Digital Millennium Copyright Act chill independent security research,” Walsh added.
EFF says it has filed for an exemption to Section 1201 so researchers can look into security and safety issues without being hit by the DMCA. The organization also requested another DMCA exemption, in which the government would allow vehicle software to be created, repaired, and improved.
Two U.S. lawmakers—Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT)—are working on legislation that would require security protection on vehicles sold in America.
Auto Manufacturers Prefer Self-Regulation
However, EFF says that the Alliance of Automobile Manufacturers, which represents 12 of the largest automakers, is creating a moving roadblock. In comments to The Washington Post, AAM emphasized that it is addressing the “serious issue” of cybersecurity.
Earlier this month, AAM announced that it had launched an information and analysis center focused on discovering potential threats to vehicles.
“That’s why the auto industry is taking steps to reduce risk by building robust security protections from the earliest stages of design,” AAM spokesman Wade Newton told the Post.
But EFF emphasizes that the Wired story shows that industry efforts simply aren’t enough, and that researchers such as those who hacked Andy Greenberg’s Jeep Cherokee need legal protection in order to act on their research.
“We think Miller, Valasek, and other researchers have amply shown the need for independent vehicle security research,” Walsh stated.
EFF isn’t the only group focused on this issue. The Digital Right to Repair coalition, which includes iFixit founder Kyle Wiens, has also spoken in favor of changing the DMCA to allow for maintenance of automotive software.
Editor’s note: This story was updated to highlight Chrysler’s decision to recall a number of vehicles in response to the Wired story.