Markey Report Reveals Automobile Security and Privacy Vulnerabilities

Wireless technologies leave vehicles exposed to hackers; Information collected on driver locations, habits

 

WASHINGTON (February 9, 2014) – New standards are needed to plug security and privacy gaps in our cars and trucks, according to a report released today by Senator Edward J. Markey (D-Mass.). The report, called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk and first reported on by CBS News’ 60 Minutes, reveals how sixteen major automobile manufacturers responded to questions from Senator Markey in 2014 about how vehicles may be vulnerable to hackers, and how driver information is collected and protected.

 

The responses from the automobile manufacturers show a vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless Internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems. The report also details the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.

 

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”

 

Senator Markey posed his questions after studies showed how hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings. Additional concerns came from the rise of navigation and other features that record and send location or driving history information. Senator Markey wanted to know what automobile manufacturers are doing to address these issues and protect drivers.

 

The full report is available HERE.

 

The first part of the report addresses security, or how modern technologies open doors to hackers.

 

When Senator Markey asked the automakers about the different technologies and the ways they safeguard the technologies from infiltration, he found four trends:

--Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.

--Most automobile manufacturers were unaware of or unable to report on past hacking incidents.

--Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.

--Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.

 

The second part of the report deals with privacy. Features like navigation are quietly recording and sending out our personal and driving history. The Markey report reveals four key findings on privacy:

--Automobile manufacturers collect large amounts of data on driving history and vehicle performance.

--A majority of automakers offer technologies that collect and wirelessly transmit driving history information to data centers, including third-party data centers, and most did not describe effective means to secure the information.

--Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.

--Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.

 

In November 2014, the automobile manufacturers agreed to a voluntary set of privacy principles in an attempt to address some of these privacy concerns. In a statement, Senator Markey stated that the principles are an important first step, but they fall short in a number of key areas by not offering explicit assurances of choice and transparency.

 

The findings are based on responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were also sent to Aston Martin, Lamborghini, and Tesla, which did not respond.

 

# # #