Gaps in security affect cars using wireless technology

Most vehicle manufacturers offer features that not only record but also transmit driving history wirelessly to themselves or to third parties

Large amounts of data on driving histories are harvested, frequently without consumers being explicitly aware that the information is being collected or how it will be used
Large amounts of data on driving histories are harvested, frequently without consumers being explicitly aware that the information is being collected or how it will be used

Serious gaps in security and customer privacy affect nearly every vehicle that uses wireless technology, according to a US report released on Monday. The report concludes that security measures to prevent hackers from gaining control of a vehicle's electronics are "inconsistent and haphazard," and that the majority of automakers do not have systems that can detect breaches or quickly respond to them.

"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber-attacks or privacy invasions," said Senator Edward Markey, whose office published the report after obtaining detailed information from 16 car manufacturers.

In addition to finding “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle” or hackers who wish to “collect and use personal driver information”, the report expressed concerns over how automakers track drivers’ behaviour and collect, transmit and store that information.

Data harvested

READ MORE

The report found that large amounts of data on driving histories are harvested, frequently without consumers being explicitly aware that the information is being collected or how it will be used.

At least nine car manufacturers use third-party companies to collect vehicle data, which can make consumers even more vulnerable, and some also transmit that data to third-party data centres.

“This reveals that a majority of vehicle manufacturers offer features that not only record but also transmit driving history wirelessly to themselves or to third parties,” according to the report.

The information collected includes where drivers have been, like physical location recorded at regular intervals, the last location they were parked, distances and times travelled, and previous destinations entered into navigation systems.

A host of diagnostic data on the car is also captured.

The findings in the report are based on information received from BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo.

Aston Martin, Lamborghini and Tesla did not respond to the requests.

Technological innovations for vehicles are expanding rapidly: safety features powered by radars, lasers and cameras are available in some vehicles and coming to more, and vehicle-to-vehicle communication – in which cars can share information – is expected to be available in the near future.

At the same time connecting cars to the internet means that more vehicles have smartphonelike interfaces that allow for new possibilities, but also carry inherent risks.

In November, two US motor industry trade groups – the Alliance of Automobile Manufacturers and the Association of Global Automakers – tried to address consumer concerns by publishing a set of voluntary privacy principles aimed at limiting the use of vehicle data for marketing purposes. The principles called on motor manufacturers to collect information “only as needed for legitimate business purposes”.

‘November Principles’

According to the report, the phrase “legitimate business purposes” is vague enough to allow for all kinds of collection, and asserts that clear federal rules should be established for what are permissible and appropriate uses of drivers’ data.

Ford and Toyota declined to comment on the report. Fiat Chrysler and GM referred questions to the Alliance of Automobile Manufacturers.

Wade Newton, a spokesman for the trade group, said “automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers” and cited the November principles as a way that the industry was taking proactive steps.

“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production – and security testing never stops,” he said. Auto companies post privacy policies in their owner’s manuals and on corporate websites, he said, and they “pledge to provide heightened protections to the most sensitive types of consumer information – protections that go beyond similar principles in other industry sectors”.

Copyright New York Times service 2015