Since hackers first began demonstrating that they could take over cars' digital systems to slam on brakes or hijack steering, most automakers have done everything they can to avoid publicly discussing whether their vehicles are vulnerable. Massachusetts Senator Edward Markey, however, has demanded answers on that car-hacking question. Now he's released his findings: the answers are messy at best, and dangerous at worst.
In a report published Monday, Markey's office revealed all the answers he received from a letter he sent to 20 automakers more than 14 months ago, quizzing them on their cars' and trucks' security and privacy measures. The results, according to the report, show that nearly all modern vehicles have some sort of wireless connection that could potentially be used by hackers to remotely access their critical systems. The company's protections on those connections are "inconsistent and haphazard" across the industry. And in addition to security weaknesses, Markey's survey also found that many auto companies are collecting detailed location data from their cars and often transmitting it insecurely.
Markey's report first came to light in a 60 Minutes episode Sunday night that showed an unnamed car's brakes being remotely disabled by a DARPA hacker. But Markey's office has now followed up by releasing its complete findings, which are embedded below.
"These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information," the report reads. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers," added Markey in an emailed statement.
Markey's investigation was inspired when DARPA-funded hackers Charlie Miller and Chris Valasek demonstrated---with me behind the wheel---that they could cut a Ford Escape's brakes, slam on a Prius' brakes, monkey with the cars' steering, and much more. Their work was built off an earlier study by researchers at the Universities of Washington and California at San Diego, which showed that they could gain wireless access to those same critical driving systems.
Markey's report was careful not to associate any carmakers' answers with the company's name. But his report includes information from 16 automakers: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo. Aston-Martin, Lamborghini, and Tesla also received Markey's letter with questions on their cars' security, but did not respond.
Here are a few of the report's findings:
- "Nearly 100%" of vehicles on the market today include some sort of wireless connection that could potentially be used to gain access to sensitive systems or compromise privacy, including Bluetooth, Wi-Fi, and cellular signals.
- Seven of the companies said they used third-party testing to check their vehicles' security. Five said they don't, and four ignored the question.
- When asked if their vehicles monitored the CAN bus---the network of digitally-controlled components in the car---for malicious activity, half of the 16 automakers failed to respond to the question, many claiming that the answer was "confidential." Of the eight carmakers that did respond, two admitted they didn't currently have any CAN bus monitoring features, but planned to add them. Only two automakers said they had measures to safely slow down or stop a car that had become the victim of a hacker intrusion.
- An "overwhelming majority" of modern carmakers collect and store driving history information such as the car's physical location, and about half of the companies said they transmit that data to a third party's server. When asked about the security of that transmitted data, six of the companies made ambiguous references to encryption, IT security practices, and protecting personally identifiable information. The rest didn't answer.
The auto industry, perhaps sensing that new cybersecurity regulations for cars are becoming a real possibility, issued its own set of privacy principles through the Alliance of Automobile Manufacturers and the Association of Global Automakers late last year. In a statement to WIRED, Alliance spokesperson Wade Newton vaguely defended carmakers' cybersecurity practices, too, and pointed to a new group being created to share security information between companies.
"Auto engineers incorporate security solutions into vehicles from the very first stages of design and production---and security testing never stops," he writes. "The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center---or other comparable program---for collecting and sharing information about existing or potential cyber-related threats. But even as we explore ways to advance this type of industrywide effort, our members already are each taking on their own aggressive efforts to ensure that we are advancing safety."
Here's the full report.
Markey Car Security Report by Andy Greenberg
