Michigan Bill Would Give Life Sentence To Car Hackers, As Car Hacking Threat Grows

Nissan Leaf & NissanConnect app

Michigan Senators introduced a new bill last week that would make it a felony to “willfully destroy, damage, impair, alter, or gain unauthorized control” of a vehicle.

A second bill would amend Michigan’s criminal code for hacking to give car hacking a maximum sentence of life in prison. The car hacking provision would be the only anti-hacking law that carries a life sentence.

Apparently, what caught the senators’ attention was last year’s high-profile hack of a Jeep Cherokee SUV by a couple of security researchers, who wanted to show that connected cars or future self-driving cars can be highly susceptible to hacking.

The FBI and the U.S. National Highway Traffic Safety Administration recently put out a warning for connected car owners as well, saying that this type of vehicle is increasingly vulnerable to remote exploits. Modern cars contain a growing number of computers called “electronic control units” (ECUs), which control everything from lights and windshield wipers to steering, braking and acceleration.

An increasing number of vehicle components are also controlled wirelessly, from keyless entry, ignition control and tire pressure monitoring to diagnostic, navigation and entertainment systems.

This problem could become worse with self-driving cars, which will be completely operated by software and computers. Self-driving cars may end up eliminating car crashes that would normally happen through human error, but car hacking could be on the rise once there are millions of self-driving cars on the road.

Many of the car makers looking to jump into self-driving cars within the next few years are the same ones having their connected cars hacked today, or who up until recently weren’t even securing their over-the-air updates with encryption. Many of these car makers may not even be aware of the dangers they could be unleashing with their self-driving cars if they don’t take software security much more seriously.

The new Michigan bills may raise the punishment for car hacking, but there is no guarantee that they will be a strong deterrent against criminal hacking of cars. After all, there are many anti-hacking laws on the books today, but hacking seems to continue unabated. Further, many of the data breaches we see in the U.S. are done by hackers from outside of the country, where such state laws would be irrelevant.

To keep drivers safe in the future, car makers would not only have to excel at making car hardware, but also software. They will also need to ensure that their software has as few vulnerabilities as possible while increasing the security of all the car’s components.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Math Geek
    Wonder if they will attempt to apply this to normal "jailbreaking" type activities of car systems? All kinds of fun things to do with your Ford Sync system if you give it root access. Ford hates this ability and I wonder if they would try to go after owners who have done this to their own vehicles? That would be a huge leap from the intent but not far-fetched at all....
    Reply
  • ssdpro
    In Michigan we show no mercy on someone who hacks a car and makes the Infotainment Center display the word "POOP". We however give free passes if you conspire with other lawmakers to poison entire communities.
    Reply
  • targetdrone
    So hack the keyless ignition system, go to jail for life. Hot-wire the thing the low tech way, go to jail for a few years. That won't hold up on appeal nor a trip to the Supreme Court.

    That said, let's go old school with this. The punishment for gaining unauthorized control of a horse was hanging. Let's apply that to car thieves among others.
    Reply
  • targetdrone
    In addition, we should flog manufacturers and their engineers that think it's a great idea to connect the ECU to the internet. There is absolutely no reason to do that.
    Reply
  • Eximo
    I could cite lots of reasons why they might need to connect the Bluetooth or LTE modem to the car's CAN bus, but it comes down to cost right now. Cars are getting fairly powerful CPUs and GPUs in the form of ARM-based SoCs, so I think we will see an increasing complexity which will allow for greater protection.

    The article is a bit misleading in the use of the term ECU; every modern car has one. This controls emissions and fuel injection and all kinds of things. Most cars also have a separate unit for windshield wipers, doors, locks, airbags, etc. Makes it easy to offer multiple engine classes on the same chassis without having to replace all the electronics on the car. Also, that computer tends to be under the seat or dash so it is protected from engine bay damage.

    Ideally there needs to be a third independent control module to separate the human interface from the self-driving part. But then you have the wonderful question of how do you get those systems to communicate.

    Most CAN bus communications are already encrypted at the packet level; it just isn't that hard to learn, not crack, the master encryption polynomial for a set of hardware. Sometimes the passwords are freely available through a dealer's information or readily available from modding enthusiasts.
    Reply
  • dstarr3
    Wonder if they will attempt to apply this to normal "jailbreaking" type activities of car systems? All kinds of fun things to do with your Ford Sync system if you give it root access. Ford hates this ability and I wonder if they would try to go after owners who have done this to their own vehicles? That would be a huge leap from the intent but not far-fetched at all....

    Cell phone manufacturers are getting better and better at making it impossible. No one's been able to root the AT&T variants of the Samsung S5/6/7 yet (which is why I'm still using my S4). Cell phones have the advantage of being... well, phones, and constantly being connected to towers, and there's a lot of security that can be reinforced that way. But suffice it to say, if cell phones have become nearly impossible to root as a nuisance, cars will certainly become unrootable by necessity.
    Reply
  • none12345
    Cars need a completely isolated WIRED (no wireless) network for their electronics. If it's an isolated network, it's not a problem.

    Once you start mixing in regular wifi with the car's internal system, you have a problem.
    Reply
  • Math Geek
    The Supreme Court ruled years ago that jailbreaking and rooting were perfectly legal activities, so at least that part is covered. I am pretty sure the courts cited this when Ford tried suing someone for hacking into its Sync system. That was thrown out last year, I think it was. But this new law sure smells kind of funny to me. They do like to use a legitimate problem to spur a law that will be misused in a number of ways not intended when it was written.

    Clearly taking over a car and crashing it or causing whatever other mayhem needs to be accounted for and should be illegal, but this should be worded right to ensure simply rooting an infotainment system is not included :)
    Reply
  • Darkk
    The ECU that controls the vital parts of the car has no business being connected to the world. Over time encryption can be broken, so better off to have hardware isolation of its critical parts of the car such as brakes, steering and engine control.

    My Bluetooth in my car is only connected to the radio unit and nothing else. So if it gets hacked, no big deal. I just take the car in to have the firmware reflashed.


    Reply
  • targetdrone
    Cars need a completely isolated WIRED (no wireless) network for their electronics. If it's an isolated network, it's not a problem.

    Once you start mixing in regular wifi with the car's internal system, you have a problem.

    There were reasons why the water faucets and toilets were operated manually and why Adama would not allow the school teacher to set up some networked computers aboard the Galactica.

    These reasons are also why Tom Cruise had to sneak into the CIA HQ and gain physical access to the mainframe like he did.


    Reply