A US senator, Edward J Markey (D-Mass) a member of the Commerce, Science and Transportation Committee, has released a report Tracking & Hacking: Security & Privacy Gaps Put American Drivers says it shows huge vulnerabilities from the communications technologies in today’s automobile, and he says standards are needed to plug security and privacy gaps.
In December 2013, Markey wrote to 20 US auto manufacturers requesting information about how consumers are protected from cyber attack or unwarranted violations of privacy.
“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Markey said. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.”
His report is based on their responses, which, he says, “show a vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless Internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems”
The report also details the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions,” Markey says.
“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected. We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”
In November 2014, UAS automobile manufacturers agreed to a voluntary set of privacy principles in an attempt to address some of these privacy concerns. Markey said the principles were an important first step but fell short in a number of key areas by not offering explicit assurances of choice and transparency.
The report lists the key findings from automakers responses to its questions as being:
- Nearly 100 percent of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
- A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centres, including third-party data centres, and most do not describe effective means to secure the data.
- Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
- Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.