Car makers take "haphazard" approach to hacker threats

Major car manufacturers are coming up short on security despite racing ahead with new smarts in cars that leave them exposed to remote hacking and privacy threats, according to a new report.

The claim is made in a report released by US Democrat Senator Edward J. Markey, who asked 16 major car manufacturers how they protected networked vehicles from hackers.

The report’s findings aren’t reassuring for buyers: it concludes that manufacturers have a “clear lack of appropriate security measures to protect drivers against hackers” who could either take control of a vehicle or steal a driver’s personal information.

The nightmare situation for drivers is a hacker commandeering a vehicle’s computerised control network and causing it to accelerate or brake, or tampering with the headlights.

The report is based on voluntary responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo.

Questions ranged from how software updates are delivered to intrusion detection capabilities. However, in many cases manufacturers didn’t respond to them, leaving an incomplete picture of the actual state of vehicle security. Aston Martin, Lamborghini and Tesla didn’t respond to the senator’s letter at all.

While all new cars on the market include “wireless entry points” in some form — whether they’re Bluetooth, wifi, keyless entry, or mobile network connectivity and telematics systems — the report found that “security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers”.

Just five manufacturers confirmed they’d hired a penetration testing firm when asked whether they’d sought outside help to assess the security measures of their vehicles. Most either declined to answer the question or appeared to misunderstand it.

Only two manufacturers could explain that they had some way to detect and respond to an attack in real-time, while most pointed to technology deemed by experts to be ineffective for this purpose.

When asked what action they could take in real time to block an attack, six manufacturers pointed to “appropriate actions” but cited a product recall, which wouldn't qualify as a real-time response. The only action that could work is a fail-safe mode and remote slow-down and immobilisation — however, only one manufacturer indicated this capability.

The report comes just a week after it emerged that BMW had recently patched a flaw in its Connected Drive system that researchers could exploit to remotely unlock the doors of its vehicles.

The other concern for drivers is how much data vehicles are collecting and who manufacturers are sharing this data with.

The report found that on average 35 percent of vehicles can collect driver history information. Around half of these transmit data wirelessly to a data centre, which in the majority of cases belongs to a third-party provider. A total of 12 manufacturers said they collected and stored driving history data, of which eight sent it off-board; however, no manufacturer sufficiently outlined how they protected that data either at rest or in transit.

There was also no consistent data retention policy across the industry: five manufacturers gave retention periods ranging from one to 10 years, three had no clear date for deletion, and for others retention was indefinite.

Finally, customers aren’t told up front that manufacturers are collecting data, say for geolocation-based marketing. And if they are told, it often comes at the cost of a valuable driving feature, such as GPS. To top it off, the car making industry seems to be adopting the same terms and conditions documents that buyers of consumer technology rarely, if ever, read.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee, in a statement.

“We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.” 

This article is brought to you by Enex TestLab, content directors for CSO Australia.
