Will Car Companies Protect Their Customers Against Hacking?
It seems a week doesn’t go by these days without a report of a major hack, whether it’s a giant retailer like Target losing credit card information for 40 million customers, or the recent hack of Anthem insurance that exposed the health data of 80 million customers. As major companies rush out to buy cyberattack liability insurance, car companies are piling on electronic features such as hands-free navigation and onboard wireless. Senator Ed Markey (D-Massachusetts) is suggesting that maybe we’re crazy for pushing so much extraneous technology so quickly in our personal passenger vehicles.
A February 2015 report, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” states, “New technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance. Along with these benefits, vehicles are becoming more connected through electronic systems like navigation, infotainment, and safety monitoring tools.” This sounds great, but unfortunately, the report goes on for more than one paragraph. It continues, “The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.” Just how vulnerable are carmakers leaving their customers to hackers?
Markey’s office sent requests to 20 automakers: Aston Martin, BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Lamborghini, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Tesla, Toyota, Volkswagen/Audi, and Volvo, asking them how prevalent these technologies are, what is being done to secure them against hacking attacks, and how personal driving information is managed. His office received responses from everyone except Aston Martin, Lamborghini, and Tesla. I’ve quoted the key takeaways from the report in full:
- Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
- A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
- Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
- Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.
Based on the above findings, carmakers are clearly investing far too heavily in technological bells and whistles without any accompanying concern for how to protect their customers from the dangers that go hand-in-hand with these advancements. The vulnerabilities uncovered in the report aren’t happening in the real world yet, but they could. The fact that car companies appear not to have a plan for how to prevent or deal with them is concerning, especially considering how scary some of the implications of the report are.
Prior to the release of the report, 60 Minutes did a story on hacking cars. In it, reporter Lesley Stahl was helpless against infiltrators who successfully deactivated the car’s brakes, blew the horn, and turned on the windshield wipers from a remote location. Lesley’s lighthearted-Poltergeist experience is alarming, and the fear-based tone is echoed by other media outlets. An understated piece by CNN—known paragon of journalistic restraint—begins, “Imagine driving down the highway at 70 miles per hour, when suddenly the wheel turns hard right. You crash. And it was because someone hacked your car.” I like to imagine this read in the voice of the guy who used to start movie trailers with “In a world…”
It’s easy to dismiss these sensational outcries, and Forbes dismissed Markey’s report itself as being overblown. But as Car and Driver straightforwardly puts it, “Currently, there’s nothing to stop anyone with malicious intent and some computer-programming skills from taking command of your vehicle. After gaining access, a hacker could control everything from which song plays on the radio to whether the brakes work.” While a middle ground could be that perhaps it’s too soon to panic, it certainly seems reasonable that we can expect carmakers to ensure the safety of their product. I don’t think anyone is suggesting that the Takata Corp. airbag scandal is overblown, seeing as everyone agrees that it’s reasonable for an airbag manufacturer to ensure that the airbags they make do not explode and kill people with shrapnel.
While having your car’s brakes go out is obviously very scary, the less-dramatic possibilities presented by Markey’s report are also troubling. Tech Times details how car makers collect personal vehicle data, such as the vehicle's location and driving history, without customers' informed consent. Per Markey’s report, ‘manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.’ The report explains that some customers only find out about the data collection after it’s already happened, and they have no way of opting out of a data-harvesting program without disabling important wireless features. I’m assuming that the cost of the technological improvements is factored into the final price of the vehicle, so it’s unfair that the buyer of a brand-new car has to choose between using the features he or she paid for or maintaining privacy. A brand new car in the United States is expensive, so if you’re springing for one, you’re probably doing it because you like having a car with a bumper camera or one that can parallel park for you, not because you want to do some amateur wire-cutting. In answer to a question posed by NPR on whether people just give up the OnStar system they’ve become accustomed to, Ed Markey said,
“It's the same choice that automotive manufacturers were trying to give to drivers back in the 1960s and 70s about airbags and seat belts. They were saying it was going to add dramatically to the cost of the vehicle and consumers would not want that. When in truth once they were given that additional protection people now automatically use those safety devices. Well we need the same kinds of safety devices for the information.”
Markey’s tone suggests that he’s expecting an uphill battle when it comes to legislating the problem. He and Senator Richard Blumenthal (D-Connecticut) proposed legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy. The basic proposed standards tackle security and privacy:
Security
· Requirement that all wireless access points in the car are protected against hacking attacks, evaluated using penetration testing;
· Requirement that all collected information is appropriately secured and encrypted to prevent unwanted access; and
· Requirement that the manufacturer or third-party feature provider be able to detect, report and respond to real-time hacking events.
Privacy
· Transparency requirement that drivers are made explicitly aware of data collection, transmission, and use of driving information;
· Consumers can choose whether data is collected without having to disable navigation; and
· Prohibition on the use of personal driving information for advertising or marketing purposes.
In addition, the legislation calls for the creation of a new rating system called the “cyber dashboard,” which would indicate to consumers how well a vehicle protects drivers beyond those minimum standards. This information would be on the label of all new vehicles, just like fuel economy is now.
How easy it is to pass the legislation remains to be seen. Resistance to regulations from car companies and their lobbyists is all but certain, and we’ve already seen the “overblown” accusation. Further, some reporters have pointed out that not all instances of data mining by carmakers are necessarily a bad thing. In an article in Forbes, “Three Ways Big Data Is Helping To Build Better Cars,” Dirk Wollschläger of IBM writes, “On average, automakers are discovering faults faster than they did in the past, helping them to issue recalls sooner, and limiting the pool of affected customers.” We’re accustomed to associating anything having to do with data collecting with a sinister Big Brother plot, or at the very least a slightly-less-sinister money-making plot, but sometimes technology is used for good! Of course, Wollschläger also admits that “most of this data is currently not used to its full potential and is mostly stored as useless heaps of information.” This is not something that inspires me to believe that carmakers are capable of self-regulation, and it will be interesting to see how the Markey–Blumenthal legislation fares. It likely depends on whether consumers are paying enough attention to the issue to support legislating the problem, or if they believe that car companies are up to the task without help from the government.