Auto manufacturers are increasingly equipping their vehicles with wireless technologies but have neglected to include protections that guard car owners against cyberattacks that hackers may launch on those systems.
These are the findings released by the office of Sen. Ed Markey (D-Massachusetts), whose staff conducted a study of 16 car companies and their security measures for protecting their customers against security breaches of their vehicles' electronic systems. Markey also inquired about what policies and practices car companies have in place on retrieving data from their customers through the various modes of wireless transmission used in most new cars.
"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyberattacks or privacy invasions," Markey says. "Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected."
The senator's report comes just after CBS News aired a 60 Minutes segment that showed how hackers were able to infiltrate a brand new car's systems. The segment showed the hackers successfully deactivating the brakes, sounding the horn, and turning on the windshield wipers, all from a remote location, while journalist Lesley Stahl was unable to do anything to stop the security breach.
Markey's report concludes that "there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information."
Among the report's findings is car companies' lack of awareness of, or inability to report on, past hacking incidents. Only one among the 16 manufacturers was able to detect a security breach in progress, according to the report, and only two were able to identify effective methods to respond to the attack. The report also cites security experts consulted by Markey's staff who say that identification numbers and radio frequencies, which make up the majority of protections automakers have in place to guard against attacks, are inadequate because they can be easily bypassed.
Just as unsettling is the finding that car makers collect personal vehicle data, such as the vehicle's location and driving history, without customers' informed consent. In some cases, customers are only informed that their data has been collected after the fact, and they have no way of opting out of a data-harvesting program without disabling important wireless features, such as the vehicle's navigation systems.
Last year, the Alliance of Automobile Manufacturers and the Association of Global Automakers published a set of voluntary guidelines addressing car companies' data collection practices, allowing for the collection of customer information only for "legitimate business purposes."
But Markey's report notes that the phrase is so broad that auto manufacturers have ample room to collect private vehicle data for a variety of purposes. What Markey is proposing instead is for the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission to create clear and definite rules to protect the security and privacy of car owners.
NHTSA spokesperson Gordon Trowbridge says auto safety regulators will consider Markey's recommendations as the agency is "engaged in an intensive effort to determine potential security vulnerabilities related to new technologies."
Wade Newton, spokesperson of the Alliance of Automobile Manufacturers, which represents General Motors, Ford, Fiat Chrysler, Toyota, and Volkswagen, among others, says he has not seen the report but emphasizes that automakers deem it important to maintain customer trust by investing in consumer privacy protections.
"The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center... for collecting and sharing information about existing or potential cyber-related threats," Newton says.