Naked Security

Car hackers could get a life sentence under proposed anti-hacking law

The proposed law would make car hacking a felony, but it could have consequences for security researchers who want to help make cars safer.

Hacking a car in Michigan could become a felony with a life sentence, if proposed legislation introduced last week becomes law in the home state of the US auto industry.

The proposed legislation, Senate Bill 927, would make it illegal for any person to access an electronic system of a motor vehicle to “willfully destroy, damage, impair, alter, or gain unauthorized control” of the vehicle:

A person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.

A second proposal, Senate Bill 928, would amend Michigan’s criminal code for hacking, making life in prison the maximum sentence for hacking a car.

No other violation listed in the state’s anti-hacking law carries a life sentence.

Michigan State Senator Mike Kowall, who introduced the legislation, said the penalty for car hacking needs to be severe because of the risks to physical safety, according to the Automotive News.

Of course, hackers could put drivers in danger if they take control of a vehicle’s steering, brakes or acceleration – and that’s not exactly a far-fetched scenario.

The FBI and the US National Highway Traffic Safety Administration recently issued a warning for drivers to be aware of the risks to connected cars.

And although we are yet to hear about cars being hacked maliciously, hackers have demonstrated the possibilities in controlled situations.

Last summer, security researchers Charlie Miller and Chris Valasek made headlines when they remotely hacked a Jeep through the vehicle’s connected entertainment system, demonstrating in a video how they could turn off the Jeep’s engine and steer the vehicle off the road.

The security flaw Miller and Valasek discovered affected 1.4 million Fiat Chrysler vehicles, which had to be recalled for a security patch.

Other researchers have exposed software flaws in Tesla vehicles, poked security holes in remote starter apps for multiple car makers, and tricked keyless entry systems into unlocking cars.

Given the obviously serious security issues in modern, computerized cars, it’s probably a good idea to have legislation penalizing malicious vehicle hacking.

Michigan Senator Kowall said he wants to pass a law banning car hacking now, “as opposed to waiting for something bad to happen,” Automotive News reported:

Some of these people are pretty clever. As opposed to waiting for something bad to happen, we’re going to be proactive on this and try to keep up with technology.

But the proposed legislation could have some unintended consequences – for security researchers, or people who merely wish to drive their own vehicles.

Miller, who works for Uber as head of its self-driving car research team, said on Twitter that simply steering a vehicle means you have to access an electronic system and “willfully alter the motor vehicle.”

Miller readily admits that he is not a lawyer.

But policy experts had similar concerns about wording in legislation introduced in the US Senate last year that would have made it illegal to access a vehicle’s computers “without authorization.”

Some car makers have argued that the Digital Millennium Copyright Act makes it illegal for drivers to inspect or alter the code in their own vehicles.

Other car makers like Tesla and General Motors are creating bug bounty programs that would reward hackers for reporting vulnerabilities.

How many security pros or “whitehat” hackers would be willing to risk life in prison to do the kind of testing for vulnerabilities that might help make cars more secure?

It would be a shame if poorly crafted laws making car hacking illegal ended up making us all less safe.


13 Comments

Just what we need. Another law preventing people who actually care about going to prison from doing what they need to do. Do you think Charlie and Chris would have been able to find the hole they found if it were punishable by life in prison? Lawyers are so out of touch…

Reply

It’s kinda laughable to think that this will deter anyone.. If anything it’s going to piss hackers off so much they will be crashing autonomous cars and activating the electronic accelerator in cars to the point where mass casualties occur. And the funniest part is they still will cover their tracks. The government is just afraid AND the fear will destroy what’s left of this god forsaken shit hole

Reply

So they create a car that’s easy to hack (for those in the know) and instead of fixing the / a flaw they decide to imprison the hackers for exploiting it. That’s kind of like saying “We’ve invented a cure for cancer”, someone else finding out that the cure will actually kill you, but to keep them quiet they say if you attempt to find the obvious flaw you’ll be ‘removed’.

It’s the Flat Earth Society running amok again.

Reply

Hmm, so if I “hack my car” by fitting a big throaty exhaust, low profile tires or upgraded suspension, then I am a law abiding car enthusiast, but if I use my laptop to remap my ECU (Without paying the maker for the privilege), then I am a despicable felon and I should get a longer sentence than the one for rape?

Makes perfect sense… but only in the twisted world of lawmakers who don’t understand computers!

Reply

I think that tuning your own car might be a tough one to prosecute as “willfully destroying, damaging, impairing, altering, or gaining unauthorized control of the motor vehicle.”

I don’t imagine that the idea of the bill was to criminalise car hacking as if it were worse than sexual assault, not least because the maximum possible penalty is probably not the most likely one, so it might be fairer to describe the lawmakers as “ignorant of the law of unintended consequences” rather than as “twisted”.

(FWIW and AFAIK the sort of sexual assault commonly referred to as rape can be punished with a life sentence in the US.)

Reply

Paul Ducklin: I think that tuning your own car might be a tough one to prosecute as “willfully destroying, damaging, impairing, altering, or gaining unauthorized control of the motor vehicle.”

Not at all. Tuning the ECU would easily fall under (sorry for the all-caps, I’m copying from the linked text of the actual document) “A PERSON SHALL NOT INTENTIONALLY ACCESS OR CAUSE ACCESS TO BE MADE TO AN ELECTRONIC SYSTEM OF A MOTOR VEHICLE TO WILFULLY … ALTER … THE MOTOR VEHICLE.”

It definitely needs reconsideration, and a lot more nuance. I’m not opposed to punishing people with malicious intent, but this easily captures car enthusiasts and security researchers under it too. Hell, a researcher is doing literally everything the bill criminalizes.

Bug bounty programs from the manufacturers are a better solution. If they hire in-house engineers to do testing themselves, along with a bounty program, all the better.

Reply

GREAT IDEA!

So, all we need to do is put a note on guns to state that ‘using this device to intentionally kill, maim or injure people will result in…’ and in a similar way, we will stop the criminal element from using them for that purpose.

So easy!

Reply

Duck wrote “I think that tuning your own car might be a tough one to prosecute as ‘willfully destroying, damaging, impairing, altering, or gaining unauthorized control of the motor vehicle.’”

Umm, Duck, wouldn’t tuning your car be “altering…the motor vehicle?”

Now, admittedly there are reasons to caution against it.
1) Could increase emissions as well as performance.
2) Could unknowingly compromise the safety of the driver and others.

But they shouldn’t be considered in the same light as hacking.

Reply

Maybe. Perhaps I read too much into the “wilful” and “unauthorised” part for a vehicle you owned yourself. Anyway, as the OP pointed out, this is all about that “law of unintended consequences.” Ironic, perhaps, that the regulators have also required motor manufacturers to open up access to allow a certain degree of “car hacking” via the mandatory OBD (on-board diagnostics port), specifically to provide some protection against anti-competitive behaviour…yet that OBD has itself led to security concerns:

https://nakedsecurity.sophos.com/2015/01/20/cheaper-car-insurance-dongle-could-lead-to-a-privacy-wreck/

Reply

I agree with the author of the law that something is needed, but the wording of his law is pretty harsh. If he wants it to survive a court challenge, there need to be pieces that allow legitimate changes by owners and by authorized (by the OWNER, not the car company) security researchers.

Reply

Somehow this article missed S.527 (CISA) that provides immunity for these activities.

Reply
