Earlier this month, Senator Edward Markey (D-MA) issued a report calling for greater automobile security and privacy for consumers. The "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" report included questions Senator Markey posed to 16 automobile manufacturers during 2014. The questions focused upon how vehicles might be vulnerable to hackers, and how driver information is collected and protected.
Senator Markey sent letters to the following automobile manufacturers:
Automobile Manufacturers Queried
1. Aston Martin The Americas
2. Audi of America**
3. BMW North America*
4. Chrysler Group LLC*
5. Ford Motor Company*
6. General Motors*
7. American Honda Motor Co. Inc.*
8. Hyundai Motors North America*
9. Jaguar Landrover LLC*
10. Automobili Lamborghini America
11. Mazda North American Operations*
12. Mercedes-Benz USA*
13. Mitsubishi Motors North America*
14. Nissan North America*
15. Porsche Cars of North America*
16. Subaru Motors America*
18. Toyota North American Region*
19. Volkswagen Group of America*
20. Volvo North America
*Provided responses to Senator Markey's inquiry letters.
**Audi's response was included with Volkswagen's submission.
Some of the questions asked:
- How does the company assess whether there are vulnerabilities related to technologies it purchases from other manufacturers as well as wireless entry points of vehicles to ensure malicious code or other infiltrations cannot occur?
- Does the company utilize independent third parties to test for vulnerabilities to wireless entry points?
- Do any vehicles include technology that detects or monitors for anomalous activity or unauthorized intrusion through wireless entry points or wireless control units? And how are reports of unauthorized intrusion or remote attack responded to?
- Has the company been made aware of any intentional or inadvertent effort to infiltrate a wireless entry point, and what, if any, changes were made to protect vehicles from vulnerabilities in the future?
- What types of driving history information can be collected by navigation technology or other technologies, and is this information recorded, stored, or sold?
- Has the company received any request for data related to the driving history of drivers, and what were the reasons and final disposition of the requests?
- Which vehicles include technologies that can enable the remote shutdown of a vehicle, and are consumers made aware of this capability before purchase, lease or rental of the vehicle?
Regarding automobile data security, the report found four trends:
- Almost all vehicles (nearly 100 percent) include wireless technologies that could pose vulnerabilities to hacking.
- Most manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent unauthorized, remote access are inconsistent and haphazard across manufacturers.
- Only two manufacturers were able to describe any capabilities to identify, diagnose, and/or respond to unauthorized access or hacking in real-time. Most said they rely on technologies that cannot be used for this purpose at all.
Regarding privacy, the report found:
- Auto manufacturers collect large amounts of data about driving history and vehicle performance.
- A majority of automakers offer technologies that collect driving history information and wirelessly transmit it to data centers, including third-party data centers. Most did not describe effective means to secure the information collected.
- Manufacturers use the collected data in several ways, described vaguely (such as to “improve the customer experience”), and involve third parties. How long the collected data is retained varies greatly across manufacturers.
- Often, customers are not told about the data collection. When they are told, often they cannot decline or opt out of the data collection without disabling valuable features (e.g., navigation).
Download the "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" report (Adobe PDF). After reading it, I had several reactions. First, I would love to know why Aston Martin, Lamborghini, and Tesla failed to respond. Are data security and privacy not important to them? If they are important, then does their failure to respond indicate some internal disorganization?
Third, the lack of focus by auto manufacturers on data security and privacy is an alert to the hackers, identity thieves, and fraudsters worldwide that these autos are vulnerable. While writing this blog, I have learned that the bad guys are persistent, creative, and possess the same equipment, software, and technologies as the good guys. Autos contain computing technologies that are similar to other mobile devices (e.g., laptops, smart phones, tablets, fitness devices, and wearables). Autos should have the same data security protections: firewalls, anti-virus software and updates, and so forth. So, it makes sense to keep a strong focus on data security and privacy.
Fourth, the lack of focus by auto manufacturers on data security and privacy is an alert to governments and spy agencies worldwide. Why? They already perform surveillance using other mobile devices. Autos are just another mobile device they'll add to their lists.
The lack of focus represents a data security and privacy disaster of epic proportions in the making.
What do you think of the automobile security and privacy report?