Report: wireless technologies leave vehicles exposed to hackers

New standards are needed to plug security and privacy gaps in cars and trucks, according to a report by US Senator Edward J. Markey. The report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk and first reported on by CBS News’ 60 Minutes, reveals how sixteen major automobile manufacturers responded to questions from Markey in 2014 about how vehicles may be vulnerable to hackers, and how driver information is collected and protected.

The responses from the automobile manufacturers show a vehicle fleet that has fully adopted wireless technologies like 1835 Bluetooth and even wireless internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems. The report also details the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.

The first part of the report addresses security, or how modern technologies open doors to hackers. When Markey asked the automakers about the different technologies and the ways they safeguard the technologies from infiltration, he found four trends:

Nearly 100 per cent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions; Most automobile manufacturers were unaware of or unable to report on past hacking incidents; Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers; Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.

The second part of the report deals with privacy. Features like navigation are quietly recording and sending out our personal and driving history. The Markey report reveals four key findings on privacy: Automobile manufacturers collect large amounts of data on driving history and vehicle performance; A majority of automakers offer technologies that collect and wirelessly transmit driving history information to data centres, including third-party data centres, and most did not describe effective means to secure the information; Manufacturers use personal vehicle data in various ways, often vaguely to ‘improve the customer experience’ and usually involving third parties and retention policies – how long they store information about drivers – vary considerably among manufacturers; Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”

Markey posed his questions after studies showed how hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights and modify the speedometer and gas gauge readings. Additional concerns came from the rise of navigation and other features that record and send location or driving history information. He wanted to know what automobile manufacturers are doing to address these issues and protect drivers.

In November 2014, the automobile manufacturers agreed to a voluntary set of privacy principles in an attempt to address some of these privacy concerns. In a statement, Senator Markey stated that the principles are an important first step, but they fall short in a number of key areas by not offering explicit assurances of choice and transparency.

The findings are based on responses from 1731 BMW, 1958 Chrysler, 278 Ford, 948 General Motors, 1683 Honda, 1684 Hyundai, 3883 Jaguar 7999 Land Rover, 1844 Mazda, 1685 Mercedes-Benz, 4962 Mitsubishi, 838 Nissan, 1656 Porsche, 7994 Subaru, 1686 Toyota, 994 Volkswagen (with 2125 Audi), and 609 Volvo. Letters were also sent to 7996 Aston Martin, 7997 Lamborghini, and 597 Tesla Motors, which did not respond.