4/14/2015

Our cars are more hackable than we thought, Senate report finds

With smarter cars comes improved safety, better performance and all the benefits of a smartphone baked into your dashboard. Yet automakers have been slow to recognize how hackers can take advantage of on-the-road computers or how best to protect our privacy, according to a new report.
The report, released Monday by Sen. Edward Markey (D-Mass.), detailed lax cybersecurity that opens vehicles to potential hacking and drivers to privacy breaches as automakers collect more data on our driving habits.

Markey's office sent a lengthy questionnaire to 20 automakers more than a year ago to compile the report, and 16 responded. The survey found that a majority of automakers questioned were unaware of or failed to report past hacking incidents. Only two of the companies said they had systems in place to fend off hacking attacks in real-time and only two confirmed they could remotely slow down or stop a vehicle under the control of a hacker.
The findings were released following a "60 Minutes" segment on Sunday detailing how the US government's Defense Advanced Research Projects Agency, or DARPA, was able to hack General Motors' OnStar system to remote control a Chevrolet Impala, including its brake and acceleration systems.
Almost every new car on the market today has some type of network capacity such as Wi-Fi, Bluetooth or cellular connectivity that could "pose vulnerabilities to hacking or privacy intrusions," the report warned.
Although nearly every automaker is adding sophisticated technology, there are no standards governing how automakers secure vehicles' wireless networks, respond to threats or handle confidential driver data. While security experts have long recognized the vulnerability of these systems, it's now starting to get legislative attention.
"These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information," the report reads.
Markey's report detailed how, as opposed to past hacking demonstrations, hackers no longer need a direct connection to the vehicle to take over its systems. DARPA demonstrated how malware from Bluetooth-connected smartphones and security holes in onboard software, like OnStar, provide numerous avenues to take control remotely. Because examples of hacks happening to everyday drivers remain largely undocumented, the report added, automakers are not taking them seriously.
"That stuff is very straightforward to protect against, but until you get hacked, you don't do anything about it," said Scott McGregor, the CEO of chipmaker Broadcom, which is partnered with automakers like Hyundai and BMW to wire their cars with Internet connectivity.
Beyond the more malicious threat of a hacker gaining control of your steering wheel or gas pedal, automakers are constantly gathering information about drivers, including locations traveled to and how long the car remains parked. Companies then store that data with little protection, sometimes even in third-party data centers whose own security may not have proper safeguards. The report said automakers rarely inform consumers about the information they've collected.
The report also found that automakers collectively have no consistent policy on how long to store data and what exactly it can be used it for. Few companies inform drivers of this data collection or have effective opt-out policies that do not disable key features like navigation.
The report concluded: "The alarmingly inconsistent and incomplete state of industry security and privacy practices ... raises a need for the National Highway Traffic Safety Administration, in consultation with the Federal Trade Commission on privacy issues, to promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles."