Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices.  The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee, including attacks that disabled the car’s brakes and transmission.  While Fiat Chrysler’s statement on the recall emphasized that it was not aware of any incidents where the vulnerability had been exploited, the recall demonstrates the increasing attention being paid to security vulnerabilities discovered in connected devices.  The same day that the Wired article was published, Sens. Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) introduced legislation aimed at establishing federal standards for cybersecurity of connected cars and privacy of drivers’ information.

According to the Wired article, many of Fiat Chrysler’s vehicle models – including the Jeep Cherokee – use Uconnect, an Internet-connected computer feature, to offer entertainment, navigation, and communication features.  The Wired article described a method by which security researchers were able to use Sprint’s cellular network, the same network used by the Uconnect feature, to wirelessly access any vulnerable vehicle nationwide through its Uconnect system.  Once the researchers accessed a vehicle, they could access the car’s internal computer network and control certain physical components of the car, such as its engine and wheels.  According to the article, the researchers notified Fiat Chrysler of the vulnerability nine months ago, and Fiat Chrysler responded by releasing a software patch that could be manually implemented via a USB stick or a dealership mechanic.  Following the article’s release, Fiat Chrysler initiated a full safety recall of multiple affected vehicle models, mailing a USB containing the patch to each vehicle’s owner that the owner could plug into a port in the vehicle to implement the fix.  The automaker has also worked with Sprint to block the methods used by the researchers to find and access vehicles wirelessly using Sprint’s network.

Last week, Sens. Ed Markey and Richard Blumenthal also introduced the SPY Car Act, designed to protect drivers from the security and privacy risks inherent in the increased use of connected cars.  According to the copy of the bill released by Sen. Markey, the bill would require NHTSA, in consultation with the FTC, to develop performance standards to prevent hacking of vehicles’ control systems.  These standards, which would take effect within 2 years after the final regulations are prescribed, would require manufacturers to use “reasonable measures” to protect all access points to the car, including isolation of critical software systems and evaluation using penetration testing.  Manufacturers would also have to secure all collected information against unauthorized access, both at rest and in transit, and equip vehicles with “capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”  In addition to these hacking protections, the bill would also require the FTC, in consultation with NHTSA, to develop privacy standards to govern the collection of data by vehicles, including increased transparency and choice for drivers and a prohibition on the use of such data for marketing purposes without express consent.  Finally, the bill would also require NHTSA and the FTC to develop a “cyber dashboard” that would allow potential purchasers of new vehicles to easily evaluate how well each vehicle protects owners’ security and privacy.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.