Site icon Sophos News

Car hackers could get a life sentence under proposed anti-hacking law

Hacking a car in Michigan could become a felony with a life sentence, if proposed legislation introduced last week becomes law in the home state of the US auto industry.

The proposed legislation, Senate Bill 927, would make it illegal for any person to access an electronic system of a motor vehicle to “willfully destroy, damage, impair, alter, or gain unauthorized control” of the vehicle:

A person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.

A second proposal, Senate Bill 928, would amend Michigan’s criminal code for hacking, making life in prison the maximum sentence for hacking a car.

No other violation listed in the state’s anti-hacking law carries a life sentence.

Michigan State Senator Mike Kowall, who introduced the legislation, said the penalty for car hacking needs to be severe because of the risks to physical safety, according to the Automotive News.

Of course, hackers could put drivers in danger if they take control of a vehicle’s steering, brakes or acceleration – and that’s not exactly a far-fetched scenario.

The FBI and the US National Highway Traffic Safety Administration recently issued a warning for drivers to be aware of the risks to connected cars.

And although we are yet to hear about cars being hacked maliciously, hackers have demonstrated the possibilities in controlled situations.

Last summer, security researchers Charlie Miller and Chris Valasek made headlines when they remotely hacked a Jeep through the vehicle’s connected entertainment system, demonstrating in a video how they could turn off the Jeep’s engine and steer the vehicle off the road.

The security flaw Miller and Valasek discovered affected 1.4 million Fiat Chrysler vehicles, which had to be recalled for a security patch.

Other researchers have exposed software flaws in Tesla vehicles, poked security holes in remote starter apps for multiple car makers, and tricked keyless entry systems into unlocking cars.

Given the obviously serious security issues in modern, computerized cars, it’s probably a good idea to have legislation penalizing malicious vehicle hacking.

Michigan Senator Kowall said he wants to pass a law banning car hacking now, “as opposed to waiting for something bad to happen,” Automotive News reported:

Some of these people are pretty clever. As opposed to waiting for something bad to happen, we’re going to be proactive on this and try to keep up with technology.

But the proposed legislation could have some unintended consequences – for security researchers, or people who merely wish to drive their own vehicles.

Miller, who works for Uber as head of its self-driving car research team, said on Twitter that simply steering a vehicle means you have to access an electronic system and “willfully alter the motor vehicle.”

Miller readily admits that he is not a lawyer.

But policy experts had similar concerns about wording in legislation introduced in the US Senate last year that would have made it illegal to access a vehicle’s computers “without authorization.”

Some car makers have argued that the Digital Millennium Copyright Act makes it illegal for drivers to inspect or alter the code in their own vehicles.

Other car makers like Tesla and General Motors are creating bug bounty programs that would reward hackers for reporting vulnerabilities.

How many security pros or “whitehat” hackers would be willing to risk life in prison to do the kind of testing for vulnerabilities that might help make cars more secure?

It would be a shame if poorly crafted laws making car hacking illegal ended up making us all less safe.


Exit mobile version