Senator's report cites cars' data security holes
By Ryan Beene, Crain News Service
WASHINGTON (Feb. 10, 2015) — Connectivity technologies have made automobiles vulnerable to hackers who could gain control of vehicle functions or compromise the security of vehicle data, according to a report released Feb. 9 by a leading congressional voice on auto safety.
Vehicle systems such as navigation, Bluetooth connectivity, Wi-Fi hotspots, telematics systems such as General Motors Co.'s OnStar, tire pressure monitoring systems (TPMS) or even a CD loaded with malicious code are avenues that can be exploited to disrupt vehicle functions and data, said the report issued by U.S. Sen. Edward Markey, D-Mass.
The report was based on the responses to questions Sen. Markey's office sent in December 2013 to 20 auto manufacturers about how they approach data security and privacy. The responses, according to the report, showed that both the security measures used to prevent hacking of vehicle systems and the ways auto makers store data collected from onboard vehicle systems varied widely from company to company.
The report called for federal agencies to establish security standards, saying the industry's disparate approaches have been “for the most part…insufficient to ensure security and privacy for vehicle consumers.”
Since Sen. Markey's inquiry began, auto makers have in fact taken steps to develop a more cohesive approach to some of the issues highlighted in the report. Last November, the industry's two main trade associations — the Alliance of Automobile Manufacturers and Global Auto makers — issued a set of privacy principles intended to prevent the misuse of vehicle data and agreed to seek a consistent approach to security and data privacy.
BMW, Fiat Chrysler, Ford, General Motors, Hyundai-Kia, Mazda, Mercedes-Benz, Toyota, Volvo and Volkswagen Group agreed to adopt the principles when they were released.
“Auto makers recognize that as modern cars not only share the road but will in the not too distant future communicate with one another, vigilance over the security of vehicle and privacy of our customers is imperative,” Global Auto makers said in a statement.
Sen. Markey's report praised the principles as an important first step, saying they sent “a meaningful message” about the industry's commitment to data security and privacy concerns. But the report also noted that the implementation of the data use, security and accountability measures outlined in the industry's privacy guidelines was left to the discretion of each auto maker.
Sen. Markey's report called for the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to develop new rules requiring:
- Security measures to prevent connected vehicles from being hacked;
- Explicit disclosure to customers about what data are being collected and how they are being used; and
- A provision that allows customers to opt out of data collection programs.
“As vehicles continue to become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver's basic right to privacy could be compromised,” Sen. Markey's report said. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation's drivers.”
Meanwhile, industry trade groups say that auto makers are working individually and collectively on key security issues.
“The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center — or other comparable program — for collecting and sharing information about existing or potential cyber-related threats,” the Auto Alliance said in a statement.
“But even as we explore ways to advance this type of industrywide effort, our members already are each taking on their own aggressive efforts to ensure that we are advancing safety.”
This report appeared on the website of Automotive News, a Detroit-based sister publication of Tire Business.