From GPS navigation system to satellite radio to wireless locks, cars today are connected to more networks than ever. But all that connectivity has a downside: Cars are also more hackable than ever. That's according to a new report issued today (Feb. 9) by the office of Sen. Ed Markey, D-Massachusetts, entitled "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk."
It's not news to security researchers that connected cars can be hacked. Anything that communicates with remote networks is potentially vulnerable, and weak or nonexistent data security only makes a network more promising to would-be attackers.
It's been known for years, for example, that malicious commands can be sent over cellular data networks, such as those used by carmaker remote-assistance services, to unlock car doors or seize control of certain cars' brakes or steering.
MORE: Best Antivirus 2015
A segment last night (Feb. 8) on CBS News' "60 Minutes" demonstrated some recent research. Kathleen Fischer of the Pentagon's Defense Advanced Research Projects Agency (DARPA) told correspondent Lesley Stahl that today's cars are essentially "computers on wheels." In the segment, Stahl drove a car (its make was obscured) as a DARPA researcher across the parking lot used a laptop to hack into the on-board assistance system and remotely turn on the windshield wipers, honk the horn, hit the brakes and disable the brakes entirely.
Unsafe at any speed?
Markey's report is based on information he received from BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo. Aston Martin, Lamborghini and Tesla did not respond to Markey's queries, which were sent out in December 2013.
The information the senator's office doesn't appear to have been very reassuring.
"Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey," the report reads.
Cars are vulnerable to other kinds of attack that would give drivers no doubt they'd been hacked. Researchers Charlie Miller and Chris Valasek have shown that, in some cars, attackers could use the car's internal network to activate brakes or cut an engine's power immediately. Last year, the pair even issued a preliminary report detailing their findings about which cars could be most easily hacked.
Miller and Valasek's tests have been largely in controlled environments. There's no evidence that criminals are targeting cars to steal data or to harm the driver or passengers. Real car hackers are mainly interested in stealing the cars themselves, as was recently shown in a wave of BMW thefts in Europe.
But most cars don't even have the means to detect network intrusions.
"Only two automobile manufacturers," Sen. Markey's report said, "were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time."
Valasek told Tom's Guide that network-intrusion detection is the next step in improving automotive data security.
"Charlie and I are both hoping to see mechanisms in the vehicle that can, in real time, detect and prevent attacks," Valasek said. "You should not only secure your system, you should at least know if something malicious has been tried."
We love the way you drive
Another basic issue, according to the Markey report, regards driver privacy.
Car manufacturers gather reams of information about customers via the cars' onboard connected systems. The information can be personal habits gleaned from the onboard entertainment systems, which now offer smartphone-like music and news apps, or from the onboard diagnostic systems, which monitor and record driving habits and vehicle performance. Both systems might tap into the GPS to keep track of where the car is at all times.
Advertisers might be interested in the app usage and where and when the driver is when apps are used; insurance companies might want to know how often an individual driver hits the brakes or goes over the speed limit.
Often, car owners aren't properly notified of the scale or nature of this collection, and can rarely opt out of it. This data collection is also poorly secured, which means drivers' personal information could be exposed and stolen without people ever knowing there was a problem.
During the course of Markey's investigation, auto-industry trade groups Alliance of Automobile Manufacturers and the Association of Global Automakers developed a set of guidelines saying that customers' personal information should be collected "only as needed for legitimate business purposes."
Though they may be a first step toward increased privacy and security, the guidelines are still optional for car companies, and even the stipulation about "legitimate business purposes" is highly open to interpretation.
Ask your car dealer tough questions
Perhaps most frustrating for drivers is that like any other data breach, there's little that car owners can do to protect their privacy and security. Almost all the cars currently on the market have potentially vulnerable wireless networks, the Markey report has found, and consumers usually can't opt out of the data collection without forfeiting important features such as onboard navigation, as provided by GM's OnStar and similar services.
"When you're going to buy cars, ask about [security]," Valasek advised. "I think a lot of consumer awareness will result in people who sell cars asking the people they buy them from these questions, and, hopefully, they'll get a good dialogue going."
- 12 More Things You Didn't Know Could Be Hacked
- Tech Features Nobody Wanted
- 13 Security and Privacy Tips for the Truly Paranoid
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.