Yesterday, the New York Times reported on flaws in the security and privacy of cars with wireless systems. The article was based on a report released today by the office of Ed Markey, a United States Senator for Massachusetts. The report is titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers At Risk” and, as the title implies, focuses on the following two problems:
1. Wireless technologies allow hackers to “gain access and control to the essential functions and features of those cars.”
2. Other parties can “utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.”
The report is based on the responses of 16 major car manufacturers to a letter that Markey sent to 20 companies; 4 of them didn’t respond.
Regarding problem #1, the report found that manufacturers were unaware of or unable to report on hacking incidents, security measures on vehicles were inconsistent across manufacturers, and few manufacturers could diagnose or meaningfully respond to hacking.
Regarding problem #2, the report found that car manufacturers not only collect large amounts of data on driving history and vehicle performance, but did not describe effective means of securing the data. Furthermore, customers are not explicitly notified about such data collection and cannot easily opt out.
According to the Markey report, the auto industry issued its own set of “voluntary privacy principles” through the Alliance of Automobile Manufacturers and the Association of Global Automakers last year. The report is careful not to deride these principles, even though they were self-imposed and done so only in response to questions raised by Markey in his letter. The report says the principles “send a meaningful message that automobile manufacturers are committed to protecting consumer privacy by ensuring transparency and choice, responsible use and security of data, and accountability.”
Nevertheless, this statement is qualified by concerns about how manufacturers interpret the principles and tempered by what Markey’s report calls “the alarmingly inconsistent and incomplete state of industry security and privacy practices.” The report calls on the National Highway Traffic Safety Administration (NHTSA) and the FTC to develop new standards to protect the privacy and security of drivers.
Wired opines that these voluntary principles may have been put forth by car manufacturers for at least one other reason; they sensed that new cybersecurity regulations for cars were becoming a possibility. Given Markey’s call for new standards, this fear may not be unfounded.
Regardless of what you believe the motives of car manufacturers are, the threats to your privacy and security are very real, and the findings from Markey’s report should give you an extra factor to consider as you shop for your next car.