The Internet of Things (“IoT”) refers to the sending and receiving of data by everyday objects that are connected to the internet, such as cameras, security systems, fitness bracelets, and so-called “smart” refrigerators, thermostats, and televisions. It has been estimated that there will be 25 million connected devices by the end of 2015, over 3 times the world’s population. In recent years, it has become increasingly alarming that the hacking of such interconnected devices puts lives at risk. Just recently, we became aware of how vulnerable more modern vehicles are to hacking when Wired reporter Andy Greenberg was driving on the highway when the air conditioning, radio, windshield wipers, and accelerator operated without his involvement, and he could not override the operations. The hackers believe there are about a half a million vulnerable automobiles. A document released at Black Hat’s network security conference analyzes different car makes and models for vulnerabilities. (You can look up your own vehicle in the study.)
Last month, Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced legislation that would require federal standards to secure motor vehicles and protect drivers’ privacy. The proposed legislation, titled the Security and Privacy in Your Car (SPY Car) Act, would require that all vehicles manufactured in the US be “equipped with reasonable measures to protect against hacking attacks.” The proposed bill provides that “[a]ny motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report and stop attempts to intercept driving data or control the vehicle.” Vehicles must go through security evaluations that uncover vulnerabilities, including the use of hackers that test the security of the vehicle’s systems. Privacy provisions are also included in the proposed legislation, somewhat similar to the privacy notices that financial institutions are required to provide to their customers.
While awaiting federal cybersecurity regulation to pass, the safety of internet-connected objects, such as modern vehicles, can be addressed by state tort law currently in effect. The manufacturer of any internet-connected device should consider and address the safety and security of the end-users due to the seriousness of cybersecurity threats.