Report: Automakers Fail To Protect Connected Cars From Security, Privacy Hacks

The newest models of connected cars come with everything from built-in navigation and entertainment systems to roadside assistance. While these features might make life behind the wheel a little easier, a new report found that not enough has been done to adequately protect those components from hackers.

The Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report [PDF], released by Massachusetts Senator Ed Markey, is based on the responses of 16 major automakers about how vehicles may be vulnerable to hackers, and how driver information is collected and protected.

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the report states.

The manufacturers participating in the report include BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were sent to Aston Martin, Lamborghini and Tesla, none of which responded.

According to the report, today’s cars and light trucks contain more than 50 separate electronic control units connected through a controller area network or other network. Vehicle functionality, safety and privacy all depend on the functions of these units, as well as their ability to communicate with one another.

Although such technological features can prove helpful to consumers, past tests conducted by manufacturers and industry groups have found the features also create vulnerabilities to hacking attacks that could be used to modify the operation of a vehicle.

Last year, in a Defense Department-funded test on a 2012 model American-made car, hackers demonstrated they could create the electronic equivalent of a skeleton key to unlock the car’s networks.

Markey’s report found that nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusion.

While most companies were unaware of, or unable to report on, any past hacking incidents, the report found that security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.

Security experts consulted for the report say that hackers could get around most security protections currently cited by manufacturers.

In fact, only two automakers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

Markey’s report also raised concerns about privacy, noting that automakers collect and use large amounts of driving data.

“Such information-gathering abilities can be used by automobile manufacturers to provide customized service and improve customer experiences, but in the wrong hands such information could also be used maliciously,” the report states.

The report found that most often customers are “not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features.”

Manufacturers reported using such personal vehicle data in various ways, often described vaguely as being to “improve the customer experience.”

A majority of manufacturers reported storing driver data with third parties.

Twelve manufacturers reported they stored driving history information in some of their vehicles, depending on the features the vehicle is equipped with. Of those manufacturers, eight said they transmit and store data on a server off-board the vehicle.

According to the report, these findings reveal that a majority of automakers transmit data to third parties. Additionally, most manufacturers did not describe effective means to secure the information.

While 19 auto manufacturers agreed to a voluntary set of privacy principles in an attempt to address some privacy concerns last fall, the report suggests those measures aren’t enough.

“These principles send a meaningful message that automobile manufacturers are committed to protecting consumer privacy,” the report states. “However, the impact of these principles depends in part on how manufacturers interpret them, because the specific ways transparency will be achieved are unclear and may not be noticed by the consumer, the provisions regarding choice for the consumer only addressed data sharing and do not refer to data collection in the first place, and the guidelines for data use, security, and accountability largely leave these matters to the discretion of the manufacturers.”

To ensure consumer data and vehicles are thoroughly safeguarded, Markey called on the National Highway Traffic Safety Administration and the Federal Trade Commission to create new standards to protect the data, security and privacy of drivers.

Such standards should:
• Ensure that vehicles with wireless access points and data-collection features are protected against hacking events and security breaches;
• Validate security systems using penetration testing;
• Include measures to respond in real-time to hacking events;
• Require that drivers are made explicitly aware of data collection, transmission and use;
• Ensure that drivers are given the option to opt out of data collection and transfer of driver information to off-board storage;
• Require removal of personally identifiable information prior to transmission, when possible and upon consumer request.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Markey, a member of the Commerce, Science and Transportation Committee, said in a statement. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”
