Connected car cyber security gets bad report card from Senator, spooky 60 minutes

A report written by the staff of Senator Edward J. Markey notes that new connected car technologies with wireless access could be open to hacking or unauthorized use of data for commercial purposes. Because cars are open to attack, the senator proposes a rating system for the security of cars. Meanwhile, DARPA took Lesley Stahl in a self-driving car that drove itself without Stahl’s permission.

Last fall, Alliance of Automobile Manufacturers and agreed to privacy guidelines. The alliance issued a statement:

“The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center – or other comparable program – for collecting and sharing information about existing or potential cyber-related threats. But even as we explore ways to advance this type of industrywide effort, our members already are each taking on their own aggressive efforts to ensure that we are advancing safety.”

Senator Edward J. Markey (D-Mass.) sent letters to the major automobile manufacturers to learn what is being done to secure connected cars against hacking attacks, and how personal driving information is managed.

The report shows the responses from 16 major automakers: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo.

Aston Martin, Lamborghini, and Tesla did not respond.

The data from these responses showed:

  • Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers.
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
  • Automakers collect large amounts of data on driving history and vehicle performance.
  • A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
  • Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
  • Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.

Senator Markey reported that the findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.

The FTC recently offered guidelines for Internet connections in cars.

According to various industry sources, there are no publicly known instances of automotive cyber attacks. Most hacks require a physical connection to the vehicle and steps such as removing the dashboard. Hacker and consultant Christopher Valasek said at the Connected Car Expo, “the threat currently is low because the cost to hack a car’s computer system is prohibitively high.” The auto industry claims it takes measures for data security and to stop hackers. Battelle is working on NEM devices to prevent attacks.

General Motors has a Cyber Security Chief, Jeff Massimilla.

Meanwhile, DARPA found a way to hack into a car, as shown on 60 Minutes. The car looks like an older-model Chevy Impala using OnStar, which offers the great OnStar RemoteLink app.

DARPA engineers dialed into the car’s emergency communication system, transmitted data packets that confused the internal computers, and then planted malicious code that gave them total remote control. DARPA has been working on the project for five years.

The U.S. military’s Defense Advanced Research Projects Agency (DARPA) is working to invent “unhackable software” for small devices, which could solve security problems for many Internet of Things devices. In a way, it’s good news that the good guys know how to hack the car; that is better than criminals having the knowledge.

We also find it amusing that DARPA thought that by putting a black mask on the front of the car, it could not be identified as a Chevy Impala, when all car bodies are unique and identifiable. Maybe they should have put a paper bag over the hood or a spare tire in the back?

Most normal people don’t have the capabilities to hack a vehicle.

In general, you need not worry today about whether your GM car or truck is going to be hacked.