Smartcars Pose Cyber Risk to Drivers, Senator Warns
Automakers are adding wireless technologies into vehicles without enough protection to keep hackers from interfering the operation of a car or stealing personal information, according to a report by U.S. Senator Edward Markey.
Cars are now being built with Bluetooth, Wi-Fi, navigation systems and keyless entry systems that collect information about drivers — such as where they travel and park — and the data is being kept by car companies without any privacy standards, said Markey, a Massachusetts Democrat.
“We need rules of the road that are clear that protect drivers from hackers from and data trackers,” Markey said in an interview today. “Automakers don’t have safety or privacy protections that are built in.”
His report, made public Monday, cited information sought from 16 companies about their in-car technologies and whether they deploy any safeguards.
Besides the danger of information theft, the increasing computerization of cars and trucks makes them vulnerable to hackers who could potentially control critical functions like braking, steering and acceleration, the report said. A 2013 project funded by the Defense Advanced Research Projects Agency showed how someone with a laptop could control a nearby vehicle
Automakers themselves acknowledge the need for protections. Their two biggest U.S. trade groups — the Alliance of Automobile Manufacturers and the Association of Global Automakers — announced a plan in November for heightened security on information such as driver location and behavior.
“Strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers,” Wade Newton, a spokesman for the Alliance of Automobile Manufacturers. “Auto engineers incorporate security solutions into vehicles from the very first stages of design and production –- and security testing never stops.”
The National Highway Traffic Safety Administration established an office to work on vehicle cybersecurity in 2013.
NHTSA is finishing a report to Congress on automotive cybersecurity policy options, agency spokesman Gordon Trowbridge said in an e-mailed statement.
“NHTSA is engaged in an intensive effort to determine potential security vulnerabilities related to new technologies and will work to ensure that manufacturers cooperate and address issues in order to keep motorists safe,” Trowbridge said.
Markey wants to go further. In the same way information is available to prospective car buyers about the number of airbags in a car or how it performed in a crash test, Markey is pushing federal agencies to require a rating system for what type of security a vehicle has to protect against hackers to the electronics system.
Markey’s report calls for manufacturers to protect vehicles against cyber-attacks and to assess how they can respond to real-time hacking. Markey also wants drivers to be made aware of data collection and to let them opt-out and remove personally identifying information.
“There aren’t any real clear guidelines on the books,” Markey said. Automakers “haven’t spent the money yet to build in the protective technology to ensure that security and safety is in fact enhanced.”
About 2.2 million Bayerische Motoren Werke AG, Mini and Rolls-Royce vehicles were recently shown to have a security flaw that leaves them vulnerable to hackers, the German auto club ADAC said in a report Jan. 30. The vehicles share BMW’s ConnectedDrive service, ADAC said.
The Munich-based carmaker said it upgraded the system to close the security gap and that the software update will take place automatically when a vehicle connects to BMW’s server.
“The BMW group has responded promptly and increased the security,” the company said in a statement when the ADAC report was released.
General Motors Co. is using its “full technical capability” to keep its vehicles safe, said Renee Rashid-Merem, the Detroit-based company’s director of global product development. GM is devoting resources to manage the issue internally as well as with others in the auto industry, Rashid- Merem said.
“Cybersecurity is increasingly becoming a societal issue,” Rashid-Merem said Monday. “At GM, we take customer safety and security extremely seriously, and we are taking a multifaceted approach for in-vehicle cybersecurity so we can update security as threats evolve.”
Ford Motor Co. spokesman Alan Hall referred questions to the Alliance of Automobile Manufacturers.
–With assistance from Elizabeth Wasserman in Washington