Total Recall: Chrysler’s “Internet of Things” adventure
In its press statement about the recall, Chrysler offered the following list of vehicles that may be affected:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
A bill recently introduced by Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.), the Security and Privacy in Your Car (SPY Car) Act, seeks to set minimum cybersecurity standards for automobiles and to direct the National Highway Traffic Safety Administration to establish minimum security levels for any vehicle software in contact with physical driving controls. The bill would further require that cars be designed with certain security principles to prevent, detect, and block attacks.
Internet-connected cars are likely the highest-profile "Internet of Things" devices. Such “things” are devices or sensors – other than computers, smartphones, or tablets – that connect to, communicate with, or transmit information between each other through the Internet. Currently, there are more than 3.5 times as many devices connected to the Internet (approximately 25,000,000,000) as there are people in the world (approximately 7,000,000,000). The number of connected devices will continue to grow as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue their heavy investment in connected devices.
The potential for cars to be hacked was addressed in a January 2015 FTC report noting the benefits of a more connected world, but also providing a series of "concrete steps that businesses can take to enhance and protect consumers’ privacy and security." To briefly summarize, per the FTC and its panel of experts, businesses developing Internet of Things devices should:
- Build security into devices at the outset, rather than as an afterthought in the design process
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization
- Ensure that, when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks
In addition, the FTC counsels that businesses adopt policies of "data minimization – ... limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely." In the FTC's view, such policies will make companies with large amounts of consumer data less attractive targets for hacking and make it less likely that consumer data will be used for improper purposes. Moreover, when consumer data is used beyond a consumer's "reasonable expectations" the FTC counsels that consumer notices be provided.
One can expect increased scrutiny from multiple federal regulators of the risk of unauthorized access to or misuse of personal information obtained through a connected device; infiltration and destruction of networks (both wired and cloud-based); and the hijacking of cars and similar devices to violate an individual's privacy. And, unfortunately, the only thing that may keep pace with the growth of Internet of Things devices is the expanding number of lawsuits, enforcement actions, and complaints that will likely result from such incursions.