Skip to main content

Michigan is considering criminalizing vehicle hacking, which is a bad idea

Could discourage well-meaning security research

Share this story

Secure Laptop Hacking Story

Hacking into a vehicle's electronic system or exploiting its internal bugs would be punishable for some offenders by life in prison under legislation recently introduced in the Michigan Senate, according to Automotive News. The Republican-sponsored bills are an attempt to heighten regulation on the state's emerging connected and autonomous vehicle industry, but it could end up discouraging well-meaning security researchers from finding potentially dangerous bugs in vehicle systems.

"The potential for severe injury and death are pretty high"

Mike Kowall, the Senate majority floor leader and prime sponsor of the bills, told Automotive News that the penalty was so steep because the stakes of car hacking, in which attackers could remotely take control of a vehicle's transmission, brakes, and even steering, were so huge. "I hope that we never have to use it," Kowall said of the possible life sentence. "That's why the penalties are what they are. The potential for severe injury and death are pretty high."

Under the bill, hackers would only be sentenced to life in prison if they already have three felony convictions. Still, the idea of sending someone to die in prison for the crime of exploiting a vehicles' internal weakness may strike some as excessive, especially those in the security research community — so-called "white hat" hackers who make a profession out of looking for vulnerabilities and reporting them to companies.

There is a long history of researchers being sent to prison for doing this. Dmitry Sklyarov was a Russian programmer arrested by the FBI during a security conference in Las Vegas, where he was discussing a program to decrypt Adobe ebook files. Sklyarov was the first person to be criminally charged under the Digital Millennium Copyright Act (DMCA), though Adobe later dropped all charges against him.

the best people to stop hacks from happening are the hackers themselves

Lawmakers argue that their proposals are only intended to target malicious hackers. But the notion that car companies will be able to find all the bugs in their systems, especially as cars become more reliant on internal computers, seems far fetched. Tech companies in Silicon Valley, and even a few car and ride-sharing companies, have taken to hosting bug bounties, in which hackers can earn big bucks for finding flaws in the code. The implicit understanding is that the best people to stop hacks from happening are the hackers themselves.

The automotive industry has been on edge about security since last year, when Wired published a widely read report detailing an open vulnerability in Chrysler's UConnect system, allowing attackers to take control of certain parts of the vehicle. And last February, security researchers uncovered a bug in the companion app to the electric Nissan Leaf that could allow anyone to retrieve drivers’ trip histories, as well as manipulate the vehicles' heating and air conditioning systems.

While the states consider their own solutions, the US Senate is mulling a bill to require the auto industry to adopt standards to protect drivers' privacy and prevent potentially deadly hacks. And the National Highway Traffic Safety Administration, under the US Department of Transportation, is currently developing template legislation for states to adopt to regulate the emerging self-driving car industry. The goal is to prevent states from adopting a "patchwork" of laws that ultimately stifle innovation, much like Michigan appears to be doing right now.