Future Tense

Report: Wireless Systems in Cars and Trucks Are Woefully Insecure

Not the only way to break into a car anymore.

Photo from Shevelev Vladimir/Shutterstock

Technology features like Bluetooth, hands-free navigation, and Internet connectivity have become increasingly common in cars and trucks. But a new report from Sen. Edward J. Markey, a Democrat from Massachusetts, says that these features are often insecure, and that vehicle systems largely haven’t been designed with cybersecurity in mind.

The report echoes other research that has detailed security concerns in many vehicle models. Markey, who is a member of the Commerce, Science, and Transportation Committee, wrote that the auto industry is “alarmingly inconsistent and incomplete” in implementing security and privacy measures. He recommended that the National Highway Traffic Safety Administration work with the Federal Trade Commission to implement standards. “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions,” he said in a statement.

The report is mainly concerned with strategies hackers could use to gain remote vehicle access and wreak havoc from afar. It also calls out automakers for a lack of onboard diagnostic tools to detect digital intruders. And in addition to physical safety threats from hacks that could control a car’s door locks, navigation, or even steering, the report also notes that vehicle data such as driving history could be compromised in a breach.

The report incorporates responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen/Audi, and Volvo. Aston Martin, Lamborghini, and Tesla didn’t respond.

The rise in networked features in cars, not surprisingly, corresponds to a spike in car hacks, as researchers (and presumably criminals) are uncovering vulnerabilities. In a survey of the situation from September 2013, the Independent published comments from Audi, Ford, Mercedes-Benz, and Toyota explaining what each company was doing to reduce cybersecurity risk. But 18 months later, Markey’s report seems to indicate that the industry as a whole hasn’t made progress. It says:

The diversity of responses received by Senator Markey shows that each manufacturer is handling the introduction of new technology in very different ways, and for the most part these actions are insufficient to ensure security and privacy for vehicle consumers.

One interesting finding was that most car companies that submitted responses for the report weren’t able (or chose not to) detail past incidents of vehicle hacking. Three companies didn’t respond to a question about past hacks of their vehicles. Twelve said they weren’t aware of any incidents. Only one company said it was aware of vulnerabilities related to its vehicles.

As the New York Times points out, two trade groups—the Alliance of Automobile Manufacturers and the Association of Global Automakers—voluntarily released “Privacy Principles for Vehicle Technologies and Services” in November to provide information on security efforts in the industry.

It seems, though, that crowbars still have competition for the easiest way into new cars.