Automakers stumped: Report says hackers can hijack almost any car
Sen. Ed Markey (D-Massachusetts) is calling on the world’s automobile makers to implement mandatory safeguards after his congressional inquiry revealed a widespread absence of security and privacy protection with regards to cars currently being sold around the world.
Security that could curb hacking against automobiles or allow sensitive information to be compromised must be put in place by the auto industry, Markey’s office warns in the report published Monday, and current protection, when it’s brought to bear, is largely inconsistent.
The report warns modern automobiles are increasingly collecting sensitive information about personal driving habits and history, which is often held indefinitely and then offered to third-parties, in turn allowing companies the ability to keep detailed information about not just car performance, but also where a driver has traveled.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Sen. Markey, a member of the Commerce, Science and Transportation Committee, said in a statement on Monday. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”
Markey’s team considered studies by the Pentagon’s Defense Advanced Research Projects Agency (DARPA) in 2013 and 2014 in preparing the report, and sent questionnaires to 20 automakers inquiring about each manufacturer’s technology, security precautions and privacy policies.
Only 16 of the automakers responded, according to this week’s report, but their answers were enough to leave Sen. Markey’s office issuing a plea for car companies to increase security measures concerning the cars’ increasingly advanced technologies and privacy protections for the data it records.
“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle, or against those who may wish to collect and use personal driver information,” a portion of the report reads.
According to Sen. Markey’s office, the answers supplied by automakers suggested that nearly 100 percent of cars currently on sale include wireless technology that pose hacking vulnerabilities or privacy intrusions, yet most manufacturers were unaware of previous incidents in which critical components of certain cars were completely compromised by malicious hackers.
“Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all,” the report found.
"Look how many of the last year's recalls related to electronic issues ... it's not going to be that far along — whole generations of vehicles — that could be vulnerable ... it's not sci-fi," Sean Kane, president of the Massachusetts-based Safety Research and Strategies, told The Detroit News.
Even the latest models available for sale, Kane told the paper, use imperfect technology that can be exploited and become a "wide open door" to hackers.
Additionally, the ever-increasing collection of car data raised concerns in the senator’s office. Half of all cars sold today transmit and store data off-board, the report found, yet largely absent are safeguards or sound privacy practices to keep that information from ending up in unintended hands.
“Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation,” his office determined.
If data collection is not disabled, the report warns, third-party companies can obtain that information and potentially use it for any reason of their choosing.
Two major automobile coalitions, the Alliance of Automobile Manufacturers and the Association of Global Automakers, recently adopted voluntary privacy principles in order to keep sensitive information from wrongly being used. According to the report, though, this effort “provides little tangible assurances that consumers will not disapprove of the ways in which manufacturers use their sensitive information.”
Gordon Trowbridge, a spokesperson for the National Highway Traffic Safety Administration, told Detroit News that regulators will consider recommendations for enhanced protections as they remain "engaged in an intensive effort to determine potential security vulnerabilities related to new technologies."