August 23, 2019—United States Senators Ed Markey and Richard Blumenthal today wrote the National Highway Traffic Safety Administration (NHTSA) to ask if carmakers have reported the cybersecurity vulnerabilities in their Internet-connected cars and what steps NHTSA is taking to address the problem.
The senators called for the answers in response to Consumer Watchdog's recent report, "Kill Switch: How Connected Cars Can Be Killing Machines and How to Turn Them Off." The report, prepared with the help of car industry technologists, found that all the top 2020 cars have Internet connections to safety-critical systems that leave them vulnerable to fleet-wide hacks.
"According to a recent report, companies such as BMW, Daimler Chrysler, Ford, General Motors, and Tesla have acknowledged the dangers of internet-connected cars to their investors and shareholders, but have not disclosed these same risks to the public at large," Senators Markey and Blumenthal wrote to NHTSA Deputy Administrator Heidi King. "We are concerned that consumers are purchasing internet-connected vehicles without sufficient safety warnings and write to inquire about NHTSA's knowledge of any cyber vulnerabilities, as well as what actions NHTSA is taking to address these issues."
"We are concerned by the lack of publicly available information about the occurrence and handling of cyber vulnerabilities in internet-connected cars, and believe that NHTSA should be aware of these dangers in order to take possible regulatory action," Markey and Blumenthal wrote to King.
The senators asked the following questions:
- Has NHTSA ever been notified of malicious hacking attempts against or vulnerabilities in internet-connected cars, such as those identified in Ford's statements to investors?
- If NHTSA was notified of any such attempts, what actions did NHTSA take in response to the information? If no action was taken, why not?
- Further, if NHTSA was notified, why was the public not informed of the cyber risks to any vehicles they already owned or were considering purchasing?
- What actions has NHTSA taken, and what actions does NHTSA plan to take, in order to address the cyber vulnerabilities and public safety risks created by the increasing number of internet-connected cars on U.S. roads?
- Does NHTSA have a formal process in place to receive reports of hacking or vulnerabilities in internet-connected cars?
- In the event of a cyber incident or vulnerability involving the security of an internet-connected car, what entity would be expected to provide public disclosure? Would that public disclosure be legally required?
Markey and Blumenthal asked for a written response from King by September 13.
