Modernizing Authentication — What It Takes to Transform Secure Access
U.S. Senator Edward Markey (D-Mass) recently released a report warning that cars and trucks are vulnerable to cyber attacks.
The report, entitled "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" [PDF], is based on responses from 16 major auto manufacturers to questions regarding vehicle tracking systems and information security.
Markey was prompted to pose the questions by high-profile demonstrations, including one at DEF CON 21 by researchers Charlie Miller and Chris Valasek, of how easy it could be for hackers to take control of vehicles' electronic systems.
"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber attacks or privacy invasions," Markey said in a statement. "Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected."
Key findings in Markey's report include the following:
- Nearly 100 percent of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most say they rely on technologies that cannot be used for this purpose at all
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance
- A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third party data centers, and most do not describe effective means to secure the data
- Manufacturers use personal vehicle data in various ways, often vaguely to "improve the customer experience," and usually involving third parties, and retention policies -- how long they store information about drivers -- vary considerably among manufacturers
- Customers are often not explicity made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation
"The alarmingly inconsistent and incomplete state of industry security and privacy practices, along with the voluntary principles put forward by industry, raises a need for the National Highway Traffic Safety Administration (NHTSA), in consultation with the Federal Trade Commission (FTC) on privacy issues, to promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles," the report states.
Eric Chiu, president and co-founder of HyTrust, told eSecurity Planet by email that Markey's concerns are highly relevant in the wake of recent high-profile breaches at Sony, Anthem, Target and others. "In the dawn of the Internet of Things, security has to be a top priority given how much our daily lives are now being tracked by our connected devices, and lives are at stake with computerized cars," he said.
Malwarebytes head of malware intelligence Adam Kujawa said by email that convenience often trumps security with newer technologies like these. "As far as attacks against cars, so far we have seen a few proofs of concept that show being able to control a vehicle by exploiting its computer system, but most of these require specialized equipment in addition to a close proximity/physical access to the vehicle," he said.
"But this is only the tip of the iceberg, as vehicles will become more connected as the technology and need grow, and if there aren’t proper security protocols set in place, we could be in for a lot of trouble," Kujawa added.
Photo courtesy of Shutterstock.