Report: Connected Cars Have Weaker Security Than We Thought
If you drive a vehicle manufactured within the last year or so, chances are it’s part of the Internet of Things. These connected cars offer technological conveniences such as safety components, hands-free phone calls and messaging, and GPS-powered directions.
But with those features come some risks. The Wi-Fi, Bluetooth, and cellular connections in these cars can fall prey to hacking attacks, which can jeopardize people’s physical safety and private information—and the security is pretty lax.
A report released February 9 by Massachusetts Senator Edward Markey shows that nearly 100 percent of cars on the market today include wireless technologies that could pose vulnerabilities to hacking, and most automobile manufacturers are unaware of, or have failed to report, security attacks.
Markey’s office surveyed sixteen major automakers, quizzing them on their cars’ security and privacy measures. Responses show that protection is “inconsistent and haphazard” across the industry: Just two of the companies reported that they have systems in place to fend off hacking attacks in real time, and only two confirmed they could remotely slow down or stop a vehicle under the control of a hacker.
Breaches that could impact a driver’s physical safety are a real concern, and hackers no longer need a direct connection to the vehicle to take over its systems. On a 60 Minutes episode February 8, the US government's Defense Advanced Research Projects Agency showed that it was able to hack General Motors' OnStar system to remotely control a Chevrolet Impala, including its braking and acceleration.
But Markey’s survey also found that many auto companies are collecting detailed data and personal information, such as geolocation and driver behavior, from their cars—and often transmitting it insecurely. Car companies store the data with little protection, sometimes in third-party data centers that may not have proper safeguards, and the auto industry has no consistent policy on how long it can keep the data or exactly what it can be used for.
The auto industry has begun to realize that cohesive cyber-security regulations are becoming a necessity, and twenty-three major manufacturers issued their own set of privacy principles through the Alliance of Automobile Manufacturers and the Association of Global Automakers late last year. These voluntary initiatives say consumers will be informed when data collection occurs and given choices regarding how their information can be used.
However, Markey’s report says, “the principles continue to raise a number of questions regarding how car manufacturers will effectively make their practices transparent to consumers and provide consumers with rights to prevent sensitive data collection in the first place, among other concerns.”
In an emailed statement to Wired, Markey added, “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”