Automakers Reveal That Security and Privacy Issues Are Rampant

As automobiles become increasingly connected, security and privacy gaps are rearing their heads when it comes to cars and trucks. New standards are needed to plug the oversights and prevent hackers from driving away with vehicle control and personal information, according to a report from Sen. Edward J. Markey (D-Mass.).

Sixteen major automobile manufacturers responded to questions from Senator Markey in 2014 about how vehicles may be vulnerable to hackers, and how driver information is collected and protected. The results were not positive: The lawmaker’s report shows a vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless internet access, without addressing the real possibilities of hacker infiltration into vehicle systems. Also, there is overwhelming potential for the widespread collection of driver and vehicle information, since few automakers have implemented privacy protections for how that information is shared and used.

“The ability of smart cars to put us at risk is just a small part of the larger trend towards everything in our lives becoming computer controlled and networked,” Lance Cottrell, chief scientist at Ntrepid, commented via email. “Some of these have the ability to violate our privacy, while others have the possibility of harming us physically or damaging critical infrastructure. Automakers, like most other companies involved in the Internet of Things, are primarily focused on ‘cool’ capabilities with security being an afterthought at best.”

Senator Markey posed his questions after studies showed how hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings. Additional concerns came from the rise of navigation and other features that record and send location or driving history information.

The results of the queries around hacking identified four trends. First, nearly 100% of the vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions. Second, most automobile manufacturers were unaware of or unable to report on past hacking incidents. Third, security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers. Finally, only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

The second part of the report deals with privacy. It was uncovered that features like navigation are quietly recording and sending out our personal and driving history.

For one, automobile manufacturers collect large amounts of data on driving history and vehicle performance. And a majority of automakers offer technologies that collect and wirelessly transmit driving history information to data centers, including third-party data centers, and most did not describe effective means to secure the information. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties. Retention policies – how long they store information about drivers – vary considerably among manufacturers.

Customers are often not explicitly made aware of data collection, and, when they are, they often cannot opt out without disabling valuable features, such as navigation.

Automakers need to do their part to protect drivers from cyber-attacks or privacy invasions, said Markey, who is also a member of the Commerce, Science and Transportation Committee. “Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected. We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”

The process won’t be an easy one, however. “Computer software companies have long known of the importance of releasing frequent patches to address security,” Cottrell said. “No one wants to have to regularly patch their cars. Car software updates could be automated, but unless the process is designed just right it could open up yet another avenue for attackers.”

Automobile manufacturers have agreed to a voluntary set of privacy principles in an attempt to address some of these privacy concerns. In a statement, Markey said that “the principles are an important first step, but they fall short in a number of key areas by not offering explicit assurances of choice and transparency.”

The findings are based on responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi) and Volvo. Letters were also sent to Aston Martin, Lamborghini and Tesla, which did not respond.
