Although almost all new cars include wireless technologies that provide hackers with entry points into vehicles, car companies lack fundamental understanding of how these systems work and have little clue how to defend them, according to the report, which was released Monday by U.S. Senator Ed Markey (D-Mass).
Only two automobile manufacturers of the 16 surveyed could describe how they would respond to a real-time infiltration of a vehicle, the report said. Six manufacturers avoided answering the question on their response time entirely, and six more answered with "vague mentions" of "appropriate actions."
"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber-attacks or privacy invasions," Markey said in a written statement.
It's no secret that infotainment features like smartphone integration, turn-by-turn navigation and vehicle performance monitors have rendered cars vulnerable to hackers. A growing number of researchers have exploited cyber weaknesses and demonstrated the ability to control a car's critical functions. Just last week, German researchers announced they hacked BMW's Connected Drive system and remotely locked and unlocked car doors.
Cyber-security experts have been warning automakers their efforts to thwart hackers have been insufficient, but Markey's harsh report marks the first time that criticism has come from an elected official. Among his findings:
- Nearly 100 percent of new cars sold in the U.S. contain technologies that expose them to hacking or privacy intrusions.
- Only two manufacturers could describe their capability to diagnose or meaningfully respond to a real-time infiltration, and "most say they rely on technologies that cannot be used for this purpose at all."
- Measures to prevent hacks are "inconsistent and haphazard" across the industry, and many manufacturers didn't seem to even understand the questions posed by Markey and his staff.
- Of the 12 companies that responded to a question on how they secured new software deliveries, all began with a presumption that a hacker couldn't access the same technologies that ordinary mechanics possess.
Cyber-security experts have warned that automakers' efforts at thwarting hacks have been insufficient in recent years, but car companies have countered by assuring motorists that appropriate security was in place, even if they divulged scant details. But that response has crumbled in the face of almost-weekly reports of researchers finding new ways to breach the security in vehicles. Last week, it was BMW. This week, there's an upcoming 60 Minutes report of white-hat researchers remotely controlling a Chevy Impala via an infiltration of its OnStar telematics unit.
From automakers, "there's some pushback on 'why create technology for a threat that's not imminent,'" said Chris Valasek, director of vehicle security research at IOActive. "It is costly, but at the same time, no one wants to be the first one hit by this kind of attack. I'd rather work on it now, rather than panic when it happens ... it's up to everyone involved in the landscape to be vigilant on their security."
Privacy Breaches Are Of Equal Concern
The same technologies that leave cars ripe for hacking are also exposing motorists to overruns of their privacy. Markey's report found automobile manufacturers are collecting large amounts of data on driving history and vehicle performance from unsuspecting motorists.
That data is often wirelessly transmitted to data centers run by both car companies and third-party vendors. Manufacturers use this data, "often vaguely, to 'improve the customer driving experience,'" the report noted.
Last month at CES, one automaker touted its ability to gather such specific data that it can analyze what radio stations drivers are listening to at given speeds. "OEM's are doing crazy, crazy analytics," Kelley Blue Book analyst Akshay Anand previously told Autoblog. "They will start to use that in a much smarter way. ... Most of it will be internal."
The Government Accountability Office issued a report last year that called on automakers to be more transparent in how they handle that customer data, and manufacturers agreed to a set of principles that strengthened those protections. But Markey's report said those principles don't go far enough in safeguarding motorists.
Senator Wants Strengthened Rules
"We have not fully reviewed this report, however automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers," said a spokesperson for the Auto Alliance, an industry trade group that advocates on behalf of manufacturers in Washington D.C.
Markey called on the National Highway Traffic Safety Administration and Federal Trade Commission to develop new standards that ensure drivers are given the choice to opt out of such data collection.
"Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected," he said. "We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers."