Virtually all “connected cars” on the road are vulnerable to hackers who could steal data or gain control of the vehicle, a report from a US senator said Monday.
The report prepared by the staff of Senator Ed Markey said the wireless connectivity and Internet access available on the vehicles opens up security gaps that could be exploited for malicious purposes.
The study found these security weaknesses in “nearly 100 percent of cars on the market” and noted that most automobile manufacturers were unaware of or unable to report on past hacking incidents.
The senator’s staff, which collected data from 16 major auto manufacturers, cited earlier studies on some vehicles which showed how hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, de-activate brakes, activate the horn, control headlights, and modify the speedometer and gas gauge readings.
The report also noted that many of these connected cars collect data on driving that could be kept in violation of privacy.
It said that the “alarmingly inconsistent and incomplete state of industry security and privacy practices” raises questions about the need for new US rules from the National Highway Traffic Safety Administration (NHTSA) or other federal agencies.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions,” Markey said in a statement.
“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”
The report said the manufacturers appeared to take little or no action following disclosures from researchers in 2013 and 2014 about these vulnerabilities.
The report pointed out that hackers can gain access to a car via Bluetooth wireless connections, the OnStar system for remote assistance, malware in an Android smartphone which is paired with the vehicle, or even an infected CD in the car sound system.
“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the report said.
The report obtained responses from 16 major global manufacturers: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo.
Letters were sent to Aston Martin, Lamborghini and Tesla, but those manufacturers did not respond.
The study noted that the two major coalitions of automobile manufacturers recently issued a voluntary set of privacy principles by which their members have agreed to abide but said it was not clear how these principles would be interpreted.
The US-based Alliance of Automobile Manufacturers said in a response to an AFP query that it had not seen the report but that its members “believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers.”
The statement added that automakers “pledge to provide heightened protections to the most sensitive types of consumer information — protections that go beyond similar principles in other industry sectors “