11 February 2015
Even though professional hackers have repeatedly shown how they can remotely attack cars, vehicle manufacturers aren’t doing much to protect their systems, nor do they appear to care much for drivers’ privacy, Senator Edward J. Markey has claimed in a report out today. Senator Markey sent out letters to a slew of automotive players, asking them to describe the connectivity within their cars and what measures they had in place to prevent malicious hackers from gaining control over a vehicle or from invasions of privacy.
Markey received a hodgepodge of terse or vague responses from the different manufacturers, including BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo. For instance, when asked about how they would protect against a real-time attack on an automobile, six of the manufacturers failed to respond, whilst another six “responded with vague mentions of security systems and ‘taking appropriate actions’”, the report read. Only four said that some of the communications and data passed around their in-car networks were encrypted or protected with security technologies.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee, who sent his letter demanding answers on the car hacking threat in 2013.
As Forbes has reported in recent months, cars can be attacked remotely, but it’s the third-party suppliers that seem to be the weak link rather than the manufacturers’ vehicles themselves. Though remote attacks have been seen on a handful of occasions, in research settings, few have detailed actual vulnerabilities that can be successfully exploited by hackers sitting anywhere in the world. Researcher Corey Thuen, however, recently explained to Forbes how vulnerabilities in a Progressive Insurance dongle for cars’ OBD-2 ports might be exploited to take control over vehicles from afar. Just last year, ex-members of Israel’s NSA equivalent, Unit 8200, said they had found exploitable weaknesses in another dongle, made by US vendor Zubie. Again, this would have allowed for remote car hacking, they claimed. Just last month, BMW had to push out an update to its Connected Drive service, after it found a bug that could have been abused to open up car doors.
Though the hacking of cars’ kinetic elements has made headlines, it’s becoming apparent that vehicles also collect a lot of interesting data on drivers themselves, placing their privacy at risk. Senator Markey found that most manufacturers collect data on customers, but often drivers are “not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation”.
Markey’s report was somewhat limited because it relied on honesty from vehicle manufacturers. And herein lies one of the biggest problems in this niche corner of the security industry: car makers are being purposefully reticent on the issue. They don’t want to admit there’s a problem. As soon as they do, they risk scaring motorists away from their products. It’ll likely take a nasty shock, either from a researcher with some cojones or some catastrophe, to get the industry talking.
Source – http://www.forbes.com/sites/thomasbrewster/2015/02/09/car-makers-wont-admit-cyber-problem/