No, the politicians in United States dont think so. If all things go according to these politicians, accessing an automobile’s computer systems or data without authorization may soon result in a six-figure fine in the US. According to a draft bill (pdf) proposed by the House Energy and Commerce Committee on Wednesday, the authorities can impose a civil penalty of up to $100,000 to any person who accesses “without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.” The penalty would be applicable multiple times for each system accessed which means that if a researcher tries pentesting on multiple cars he/she would have to pay multiple fines. While the proposed legislation is clear about the penalty part, it is unclear who would need to grant “authorization” or what “access” even constitutes, based on the text of the bill. An interpretation that determined that authorization could only be granted by the manufacturer would have wide-ranging implications for tinkerers, researchers, and mechanics alike. Presumably, this interpretation could mean that a car owner can’t access her own driving data without permission from the manufacturer. Another possibility is that a non-dealership mechanic would need clearance to use certain diagnostic equipment on a car. The proposal to fine hackers for carjacking comes researchers have found security vulnerabilities in smart car computer systems. In July, two researchers revealed they were able to hijack a Jeep Cherokee wirelessly. In August, another researcher, Samy Kamkar was able to unlock and start OnStar equipped vehicles from GM. The bill also calls for the creation of national standards and guidelines on securing the technology and data in automobiles.
