Markey Car Security Report Just the Start for Automakers

Type threatpost
Reporter Dennis Fisher
Modified 2015-02-11T20:14:45


This may come as a surprise to one of you, but it turns out that computers and, by extension, things that contain computers, are vulnerable to attackers. That includes cars, something that the United States government has now discovered, and Sen. Edward Markey is now warning consumers that “automakers haven’t done their part to protect us from cyber-attacks or privacy invasions.”

In the last decade or so, vehicles have slowly transformed from personal conveyances to rolling entertainment and communications platforms. The trend began, as such trends usually do, at the high end of the market, with premium manufacturers adding satellite radio, Bluetooth connectivity, on-board computers with access to Facebook and Pandora and, later, WiFi hotspots, to their vehicles. These features quickly became standard offerings on cars and trucks up and down the product lines of nearly all automakers, to the point that now, Chevrolet is offering WiFi on all of its vehicles.

This stuff is all great. It enables drivers to get real-time traffic and navigation information, detailed diagnostic data on their vehicles and allows passengers to watch Netflix and tweet photos of their drive-through meals in a desperate attempt to avoid talking to one another. But all of those wonderful features that enable you to bring your life with you everywhere you go also collect a lot of data about what you’re doing with that life and where you’re going.

Markey, a Massachusetts Democrat, wanted to see what exactly the automakers are collecting and what they’re doing with that data, and also have a look at the security of these systems. So he sent a questionnaire to nearly 20 manufacturers and asked them to explain themselves. Some answered, some didn’t (we see you, Tesla). And the answers were kind of all over the place.

Do automakers have security measures to prevent remote access to cars’ systems? Eh, maybe. Can they respond to attacks on vehicle systems? Mmmm, not really. Do they collect a metric ton of personal data and use it for lots of stuff you don’t know about? You bet!

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Markey, a member of the Commerce, Science and Transportation Committee. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”

One of the things that precipitated this interest from Markey and others in Washington is the research on car hacking from folks such as Charlie Miller and Chris Valasek. They have shown beyond a shadow of a doubt that some of these on-board systems are vulnerable to both local and remote attacks and that the automakers are not great at responding to this threat. Actually, they’re not even mediocre at responding. They’re Microsoft circa 1999 at responding.

That should not be even mildly surprising to anyone, especially a member of Congress. That particular legislative body has spent more than a century regulating, negotiating with and compromising with the auto industry, and its members know full well how the manufacturers operate. The phrase that best describes that modus operandi is, We do what we want.

The auto industry is the opposite of the technology industry. It moves at a glacial pace, innovates only when forced to and gives customers whatever it feels like building, not what the customers want. This is not a group that is likely to smack its collective forehead at the release of a senator’s report and say, We’ll get right on that for you.

Markey’s report shows that the automakers were pretty unprepared for his questions, which may be the most concerning thing in all of this. If an automaker installs a new braking system or an engine that runs on wheat grass, Washington will have many, many questions. The manufacturers are used to this dynamic and they should have been ready for some inquiries on all of the computers and other gear they’re cramming into their vehicles and what’s being done with all the data they’re collecting.

But they weren’t. And they’re well behind the hacker community in assessing the security risks of these systems, so there is blood in the water there, as well. This is just the beginning for this line of questioning.

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” Markey’s report says.