Car owners – in other words, almost everyone – were buzzing in a bad way yesterday about a report in Wired that showed two security experts demonstrating the ability to remotely commandeer and control a Jeep that was traveling on a highway.
It was harrowing just to read about this sophisticated hack, never mind imagining the reality of finding oneself in such a situation.
Whether coincidental or not, lawmakers are responding with calls to hold the auto industry to task.
Meanwhile, the Electronic Frontier Foundation is renewing its efforts to remove one obstacle to independent safety research involving automobiles: the Digital Millennium Copyright Act. Specifically, the EFF would like the Librarian of Congress to make sure that independent security researchers working on this issue are protected from legal liability. The EFF writes:
One major reason that serious vulnerabilities have gone undisclosed and unfixed is that laws like Section 1201 of the Digital Millennium Copyright Act chill independent security research. That’s why we filed for an exemption to Section 1201 that would specifically protect security and safety research on vehicle software from DMCA liability. The automakers showed up in force to oppose it (including the “Auto Alliance” trade group, of which Fiat Chrysler is a member), arguing that there was no need for independent security research and that they had the legal right to shut it down – even when researchers only look at code on vehicles they own. We think Miller, Valasek, and other researchers have amply shown the need for independent vehicle security research.
We also asked for a second DMCA exemption for vehicle software, one that would allow competition in the vehicle software space (as well as repairs and customization). If that exemption is granted, an alternative software provider could enter the market to secure your vehicle and you might decide you have more faith in them than in the original manufacturer (or they might offer better functionality, or they might protect your privacy against invasive data collection by auto manufacturers). We would at least see the possibility of competition leading to better practices and spurring innovation among manufacturers.
These exemptions are reasonable under any circumstances.
But they are imperative now that the auto industry has demonstrated its utter inability to fulfil its most basic public safety responsibilities.