United States Senators Ed Markey and Richard Blumenthal today wrote the National Highway Traffic Safety Administration (NHTSA) to ask if carmakers have reported the cybersecurity vulnerabilities in their Internet-connected cars and what steps NHTSA is taking to address the problem.
The senators called for the answers from the America’s top car safety regulator in response to Consumer Watchdog’s recent report, “Kill Switch: How Connected Cars Can Be Killing Machines and How to Turn Them Off.” The report, prepared with the help of car industry technologists, found that all the top 2020 cars have Internet connections to safety critical systems that leave them vulnerable to fleet wide hacks.
“According to a recent report, companies such as BMW, Daimler Chrysler, Ford, General Motors, and Tesla have acknowledged the dangers of internet-connected cars to their investors and shareholders, but have not disclosed these same risks to the public at large,” Senators Markey and Blumenthal wrote to NHTSA Deputy Administrator Heidi King today. “We are concerned that consumers are purchasing internet-connected vehicles without sufficient safety warnings and write to inquire about NHTSA’s knowledge of any cyber vulnerabilities, as well as what actions NHTSA is taking to address these issues.”
“Carmakers have a duty to be as honest with federal safety regulators and the public about the vulnerabilities in their connected cars as they have been with their investors,” said Jamie Court, Consumer Watchdog’s president. “Senators Markey and Blumenthal have taken an important stand for the public’s right to know. The American public deserves to know the truth about the risks of their connected cars and what automakers are doing to protect them.”
“We are concerned by the lack of publicly available information about the occurrence and handling of cyber vulnerabilities in internet-connected cars, and believe that NHTSA should be aware of these dangers in order to take possible regulatory action,” Markey and Blumenthal wrote to King. “We therefore ask that NHTSA answer the following questions:
- Has NHTSA ever been notified of malicious hacking attempts against or vulnerabilities in internet-connected cars, such as those identified in Ford’s statements to investors?
- If NHTSA was notified of any such attempts, what actions did NHTSA take in response to the information? If no action was taken, why not?
- Further, if NHTSA was notified, why was the public not informed of the cyber risks to any vehicles they already owned or were considering purchasing?
- What actions has NHTSA taken, and what actions does NHTSA plan to take, in order to address the cyber vulnerabilities and public safety risks created by the increasing number of internet-connected cars on U.S. roads?
- Does NHTSA have a formal process in place to receive reports of hacking or vulnerabilities in internet-connected cars?
- In the event of a cyber incident or vulnerability involving the security of an internet-connected car, what entity would be expected to provide public disclosure? Would that public disclosure be legally required?”
Markey and Blumenthal asked for a written response from King by September 13th.