Motorists in the United States are increasingly at risk of cyberattacks and violations of privacy, as more and more technology is added to their cars.
“New technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance,” said a report released on Sunday by the office of Sen. Ed Markey (D-Mass.).
However, the report went on to observe: “The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the driver’s knowledge or consent.”
The report, based on responses from 16 auto makers to a letter sent to them by Markey’s office, made a number of key findings, including:
- Nearly 100 percent of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers.
- A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
- Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.
Hacker’s Code Mine
The risk of hacking into autos increases as more electronics are introduced to make vehicles more autonomous, noted Kristin Kolodge, executive director of driver interaction (HMI) research at J.D. Power.
“These advanced safety systems and driver assistance systems that start to set up autonomous vehicles is where more and more vulnerabilities will be introduced,” she told TechNewsWorld.
Automobiles are becoming just another connected thing in a universe of connected things, noted Gary Davis, chief consumer security evangelist at Intel Security. As such, each car is just another attack surface of code harboring vulnerabilities.
He explained that the typical automobile today has about 100 million lines of code. By contrast, Windows Vista had 50 million lines of code; OS X Tiger, 80 million.
“There is a lot of stuff being built into cars that is software-based,” he told TechNewsWorld. “It’s giving the hacker a lot of different attack surfaces to take advantage of.”
Security by Obscurity
When it comes to discovering vulnerabilities in a car’s software, many auto makers have adopted a “security by obscurity” approach to the problem, noted Sam Abuelsamid, a senior research analyst with Navigant Research.
“The idea is if they keep everything private, it will be harder for hackers to find vulnerabilities,” he told TechNewsWorld.
Abuelsamid was critical of that strategy. “Auto makers need to be more proactive,” he said.
Some auto makers have done just that. For example, Tesla, Mercedes and Audi all have hired teams of hackers to find vulnerabilities in their cars.
GM spokesperson Jennie Ecclestone explained that her company studies academic research showcasing controlled hacking situations to help it better understand how hackers may look at vehicles and how to improve hardware and software designs for current and future vehicles.
“We are taking a layered approach to in-vehicle cybersecurity and are designing many vehicle systems so that they can be updated with enhanced security measures as potential threats evolve,” she told TechNewsWorld.
While the Markey report praised some voluntary privacy principles adopted by two industry groups, it also raised some questions about them.
“While this is a good step forward, limiting themselves to collection ‘only as needed for legitimate business purposes’ still raises many questions about the extent to which companies will continue to collect sensitive information,” the report said.
“The principles also do not ensure that consumers will have rights to prevent data collection in the first place,” it added.
Much of the data collected by the auto makers is anonymous. That can be a deterrent to data thieves. “Anonymized data is going to be much less valuable to a hacker,” Intel’s Davis said.
However, it can be very valuable to drivers, added Dominique Bonte, a vice president and practice director for ABI Research. Windshield wiper and ABS information, for instance, can be used for local hyper-granular weather reports.
“There’s a huge potential to do something with this data,” he told TechNewsWorld, “and it would be a pity if privacy would hold them back.”
“The way this report talks about it, it’s like all the data is up for grabs,” he added. “That’s a bit of an exaggeration.”