There is a whole generation of devices already in use that are vulnerable to hackers, to say nothing of all the data car companies are collecting on you – often through third party providers.
New standards are needed to close security gaps from hackers and privacy problems in vehicles, according to a report released today. The report, called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, comes from the responses of sixteen major automobile manufacturers from a government survey.
It is a given that the U.S. new vehicle fleet now has wireless technologies such as Bluetooth and even wireless Internet access, but automakers have not addressed the possibilities of hacker infiltration into vehicle systems. The report also details the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.
Some studies show that hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings.
Other privacy problems come from the use of navigation and other features that record and send location or driving history information.
Many disturbing trends are noted:
- Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of, unable, or unwilling to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time. Most said they rely on technologies that cannot be used for this purpose at all.
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
- A majority of automakers offer technologies that collect and wirelessly transmit driving history information to data centers, including third-party data centers, and most did not describe effective means to secure the information.
- Manufacturers use personal vehicle data in various ways to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
- Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.
“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee.
In November 2014, the automobile manufacturers agreed to a voluntary set of privacy principles in an attempt to address some of these privacy concerns. In a statement, Senator Markey stated that the principles are an important first step, but they fall short in a number of key areas by not offering explicit assurances of choice and transparency.
The findings are based on responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were also sent to Aston Martin, Lamborghini, and Tesla – they did not respond.
