A report released on Monday by US Senator Edward Markey has confirmed what we already suspected: automobile manufacturers have yet to effectively deal with the threat of hackers penetrating vehicle systems, and the driver and vehicle information they collect and share is not adequately protected.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee.
The report, based on responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo, has revealed that:
- Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
- A majority of automakers offer technologies that collect and wirelessly transmit driving history information to data centers, including third-party data centers, and most did not describe effective means to secure the information.
- Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
- Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.
Aston Martin, Lamborghini, and Tesla did not respond to the letters sent out by the Senator.
The results of the report were published mere days after Dan Kaufman, a researcher at the US’ military’s Defense Advanced Research Projects Agency (DARPA), demonstrated for CBS how he can hack the OnStar system embedded in the latest generation of General Motors’ Chevrolet Impala.
He managed turn on the windshield wipers and the pump for the windshield fluid, honk the horn and, most important of all, make the car’s brakes and throttle no longer respond to the driver’s instructions.
This is not the first time that car hijacking has been demonstrated. In July 2013, researchers Charlie Miller and Chris Valasek showed how they can take control of a Ford Escape and the Toyota Prius by hacking into the vehicle’s on board system. Their research was also sponsored by DARPA.