Auto industry not protecting cars from hacks

Car manufacturers have not done enough to protect cars from getting hacked, according to a report released Monday by Sen. Ed Markey (D-Mass.).

Based on information from 16 automakers, Markey’s investigation concluded that vehicles’ security measures are “inconsistent and haphazard.” Additionally, few auto manufacturers are able to detect and respond to hacks.  

{mosads}“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions,” Markey said in a statement. “Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

A growing body of research has revealed the myriad ways in which hackers can remotely infiltrate a vehicle. A 2014 study showed that hackers could remotely take control of an automobile through a number of common features — Wi-Fi, keyless locks and Bluetooth, for instance.

The findings spurred Markey to send letters to 20 automakers with inquiries about their security measures.

The responses revealed automakers have no plan to deal with, or even monitor, these types of threats. Only two of the 16 car makers could point to any technology that detected such infiltrations. The report said manufacturers “did not seem to understand” the questions Markey had posed.

“There is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the report said.

Automakers are, however, collecting considerable amounts of information from the car. The report found that features like a car’s built-in navigation system are sending detailed information to third-party companies, with no clear explanation for how it is being used.

“Manufacturers use personal vehicle data in various ways, often vaguely to ‘improve the customer experience,’ ” the report said. “Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.”

Overall, the report said, the auto industry’s security and privacy practices are “alarmingly inconsistent and incomplete.”

The major automobile industry groups did recently issue voluntary privacy principles for their members. This sent “a meaningful message,” the report said but left questions about how the document would be interpreted or implemented.

Markey wants the National Highway Traffic Safety Administration to work with the Federal Trade Commission on “clear rules of the road — not voluntary agreements.”

Such standards would require automakers to meet certain data security requirements, test car’s wireless features for their vulnerability to hacks, and give drivers a more transparent way to understand and opt out of data collection.