Connected car security ripped apart by US senator
United States Senator for Massachusetts, Ed Markey, has released a new report criticising the connected car security measures that many top manufacturers currently employ.
Almost all modern vehicles have a wireless entry point (WEP), while some even have multiple WEPs, including Bluetooth, keyless entry, remote start, Wi-Fi and telematics. All of these are susceptible to vulnerabilities or hacking, according to Markey.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions,” he said.
“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”
Of particular concern will be the fact that the report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, found that most manufacturers were unable to report, or simply unaware of, past hacking incidents.
Markey asked manufacturers to share information on any hacks that had occurred recently and 16 manufacturers responded to the letter, but Jaguar Land Rover, Porsche, and Volkswagen failed to fashion any reply.
The lack of connected car security standards was further exposed when half of manufacturers claimed that WEPs were working as intended, but they were unable to ensure that a security breach could not occur.
Security experts were consulted by Markey’s staff who found flaws in many of the manufacturers’ security measures. For example, unique identification numbers and radio frequencies could be identified by hackers and closed system codes could be rewritten.
Real-time response lacking
Worryingly, only two manufacturers could detail functionality that allowed them to diagnose or respond to a hacked system in real time and most admitted their technologies were unable to do this at all.
Real-time security response was lacking too, with half of all manufacturers revealing that they collect and wirelessly transmit driving history data to data centres, including third-party data centres. Most could not provide information on how secure this data was.
Examples of the type of driving history and vehicle performance data collected by manufacturers ranged from physical location at regular intervals to last location parked and from potential crash events to previous navigation destinations.
Although a voluntary set of privacy principles was agreed on last year by automobile manufacturers, Markey is pushing for more collaboration between the industry and cyber-security experts to ensure there are clear rules on safety and privacy.