Most cars now contain sophisticated electronic control units to collect vehicle data and improve performance, and nearly all also have wireless entry points that could act as a gateway for hackers. The result is that almost all the cars on the market today are vulnerable to “hacking or privacy intrusions” while most automobile manufacturers are unaware of or unable to report on past hacking incidents, says Sen. Edward Markey, D-Mass.
Today’s cars and light trucks typically contain more than 50 electronic control units that are part of a network in the car. At the same time, nearly all new cars on the market today include at least some wireless entry points to these computers, such as tire pressure monitoring systems, Bluetooth, Internet access, key-less entry, remote start, navigation systems, WiFi, anti-theft systems and cellular-telematics, notes a report written by the senator’s office.
Prompted by earlier studies on some vehicles which showed how hackers can access the controls of some popular vehicles, causing them to suddenly accelerate, turn, de-activate brakes, activate the horn, control headlights, and modify the speedometer and gas gauge readings, Senator Markey’s staff asked automakers a series of questions about the technologies as well as any safeguards against hackers built into their vehicles. They also asked how the information that vehicle computers gather and transmit is protected.
When it comes to wireless connectivity and Internet access in today’s vehicles, the responses from 16 automotive manufacturers “reveal there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” according to the report.
Furthermore, manufacturers now collect large amounts of data on driving history and vehicle performance and distributing it to third parties—while offering little information on how the data is used, how it’s stored or for how long, says Markey, who also is a member of the Senate’s commerce, science and transportation committee. Consumers often aren't explicitly made aware of data collection and, when they are, they often can’t opt out without disabling valuable features, such as navigation, he says.
“Drivers have come to rely on these new technologies, but unfortunately, the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” says Markey. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”
Last November, two auto manufacturing trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, released a joint statement setting out voluntary privacy protection principles for the industry. Among their suggestions was a call for automakers to collect information “only as needed for legitimate business purposes.” Markey says the protections fell short in a number of key areas by not offering explicit assurances of choice and transparency.
However, the Association of Global Automakers now says the responses provided to Markey are many months old and don’t reflect extensive discussions between the industry and federal technology experts aimed to improve the industry’s understanding of cyber-threats.
Nonetheless, the probe by Markey’s staff and the replies from auto manufacturers do show there is growing concern about, and room for improvement in, the security of increasingly connected cars and trucks. Do you think concerns about security and consumer privacy will lead to increased security in the wireless devices used in cars and trucks? If so, what impact will it have on the automotive industry?