Cars these days have more in common with smart phones than the Model-T. But a new report from Sen. Ed Markey (D-Mass.) warns that the increasing technical complexity of vehicles is leaving drivers' security and privacy at risk.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions," Markey in a statement. "Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected."
Markey sent inquiries to 20 automakers, including Ford, Toyota and General Motors, last year, asking what the companies were doing to secure the technology in their vehicles against hackers and how personal data gathered through the technology is managed.
Cybersecurity experts have long warned that cars' electronic systems might be vulnerable to hackers, especially as auto-makers started building wireless connections to the outside world into vehicles. Researchers Charlie Miller and Chris Valasek demonstrated how to take over the steering and brakes of a Ford Escape and a Toyota Prius using a laptop connected to the vehicles with a cable in 2013. Last year, the pair released a report detailing the wireless "attack surfaces" of a wide variety of vehicles on the market -- things like, Wi-Fi, keyless entry systems, and Bluetooth that might be targeted by a malicious hacker.
Nearly all cars on the market "include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions," according to Markey's report, which was released Monday. Security measures to prevent remote access to a car's electronic systems are "inconsistent and haphazard across all automobile" and many manufacturers "did not seem to understand" the questions the legislator was asking. However, most manufacturers were either unaware or unable to report on previous hacking incidents.
Other groups have raised concerns about the security practices of auto-makers. I am the Cavalry, a group focused on where computer security intersects with physical safety, has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety.
The report also found that modern cars collect a significant amount of information on driving history and that drivers often cannot opt out of data collection without disabling features such as navigation. "A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data," it said.
In November, two auto coalitions announced a set of voluntary privacy principles. But Markey wants to go further. His report calls for the National Highway Traffic Safety Administration to set new regulatory standards with input from the Federal Trade Commission. The standards should ensure that car's wireless and data-collection features protect against hacking and security breaches, require that carmakers test their systems with penetration testing, require drivers be explicitly told about how data is collected and used, and give drivers a way to opt out of such features, the report argues.
"We need to work with the industry and cyber-security experts to establish clear rules of the road – not voluntary agreements – to ensure the safety and privacy of 21st-century American drivers," Markey said.