Car hacking: Navigating the regulatory landscape

https://doi.org/10.1016/j.clsr.2015.12.019

Abstract

In the summer of 2015, two American hackers succeeded in hacking into a car and taking over vital functions such as the engine and the brakes. Although this had been done before, the new element of the hack was that it no longer required physical access to the car. The hack took place at a distance via the mobile telephone network. This is a worrying development. It raises the question whether automobile manufacturers are doing enough to counter cyber security threats and, if that is not the case, whether a regulatory intervention is necessary and, if so, how to fashion regulation.

Introduction

In July 2015, American hackers Mahassey and Rogers claimed to have hacked a Jeep Cherokee. They stated they could control vital functions of the car from a distance, i.e. via the mobile telephone network. To prove their claim, they convinced Wired journalist Andy Greenberg to drive their Jeep while the two hackers played tricks on it from the couch in their living room. While Mr. Greenberg was driving on a highway, the hackers put the transmission in neutral, leaving the Jeep and its occupant rather helpless in a stream of fast-moving traffic. It does not require much imagination to understand the potential of cyber vulnerabilities in cars should they fall into the wrong hands.

The new technical development that allows this type of hack is that the internal ICT networks of cars are increasingly becoming wirelessly connected to the outside world. As a result, cyber security has become an issue for automobiles. In policy documents, much attention has been paid to cyber security of vital infrastructures,1 but automobile cyber security has not received much attention to date. Even though no road ‘accident’ has occurred because of a failure of automobile cyber security, the potential consequences for the transportation infrastructure and for individuals involved in accidents are large. This article contends that prevention of accidents should receive more attention and that code is an important part of the solution: technically, cars should possess sufficient resistance against hacks. The task to realize this falls on the shoulders of manufacturers. This raises the question whether manufacturers should take up this task voluntarily or whether regulation is needed to safeguard automobile cyber security and, if so, what kind of regulation would be needed.2 This is the central question of this article.

The outline of this article is as follows. In the second section, the relevant technology is clarified as far as necessary for understanding the rest of the article. The third section addresses the need for regulation. The fourth section describes a bill that has been tabled by two senators in the US. Furthermore, the section develops first thoughts about how regulation could be set up.

Legal issues will be dealt with according to EU law, unless indicated otherwise.

Section snippets

The problem technically

In the past decades, vehicle automation has increased significantly. Almost all mechanical components in a modern car are controlled by electronic control units (hereinafter ECU). These are little computers controlling every aspect of the functioning of the pertinent mechanical part. There are ECUs for engine management, for the braking system, for the transmission, for the locking system, etc. These ECUs are interconnected by networks, for example, a CAN bus.3

The need for regulation

It is clear that car hacks are potentially dangerous. Hacking is not unregulated. The perpetrators of malicious hacks most probably commit offences criminalized through the Convention of Cybercrime (hereinafter CoC) and the Directive on attacks against information systems (hereinafter Dir AIS).10

Regulation

This section examines how cyber security threats in the automotive domain may be countered through regulation. Regulation of cyber security is no sinecure, and this section will identify a number of open research questions. First, a bill introduced by two US senators will be described that introduces a number of cyber security standards for automobile manufacturers. The bill can help identify topics that may need to be addressed in European legislation. Secondly, the question is addressed

Conclusion

Recent hacks have shown that technically, cars can be the object of cyber security threats. This raises the question whether regulation is needed and, if so, how to regulate automotive cyber security. With respect to the first question, this article finds that the functionalities that allow hacks have beneficial uses. These include uses that European policymakers embrace to address societal problems like congestion resolution and environmental protections. Furthermore, it is clear that current
