Sen. Markey wants to know: Can your car be hacked?

The Massachusetts senator is asking what carmakers are doing to prevent hacks of navigation, tire pressure, braking systems

The growing integration of wireless technologies in automobiles has prompted some well-publicized fears about hackers taking control of cars to disable brakes and to take over navigation, steering, acceleration, tire pressure and other systems in a vehicle.

That prompted Sen. Edward Markey (D-MA) this week to ask what automakers are doing to protect vehicles from wireless hacking threats and privacy intrusions.

In a letter (download PDF) to CEOs of 20 of the world's largest automakers, Markey asked a series of detailed technical questions about the vulnerability of vehicles to wireless security and privacy threats. Among the companies asked to respond are Ford, Toyota, Volvo, BMW, Chrysler, Mercedes and Nissan.

The letter pointed to a recent study by the Defense Advanced Research Projects Agency (DARPA) in which two researchers demonstrated how they could take control of a vehicle through the controller area network (CAN) used by devices in a car to communicate with each other.

The study, conducted by security researchers Charlie Miller and Chris Valasek, showed how attackers could send different commands to the electronic control units in a car and cause it to brake or accelerate suddenly or jerk its steering wheel in different directions.

In that study, the researchers needed physical access to the CAN bus to carry out the attack. However, previous research has shown that similar attacks can be carried out wirelessly by accessing the CAN bus through Bluetooth connections, compromised Android smartphones, vehicle tracking and navigation systems like OnStar, and compromised files on music CDs, Markey noted in his letter.

Stuart McClure, CEO of Cylance, which performs security assessments for several companies -- including automakers -- said the auto industry is a prime target for hacking and disruption. "Many in the industry try desperately to stay ahead of the bad guys, but unfortunately, few guidelines and little oversight produce farm fresh opportunities for the bad guys," he said.

Few controls exist to prevent hackers from breaking into automobiles wirelessly and taking control of systems, McClure said. But because hackers are unlikely to gain much by breaking into individual automobiles, he said they're unlikely to spend much time hacking vehicles. The only scenario where such a threat would be likely is if someone wanted to carry out a targeted attack against a specific individual.

In addition to security fears, there are privacy concerns related to the use of navigation systems and technologies that gather vehicle performance information, Markey said in his letter.

As an example, he pointed to an OnStar proposal to sell vehicle and driver information such as location, seat-belt use, airbag deployment, speed and other data to third parties. Markey's letter also highlighted an incident in which Tesla Motors allegedly collected data about a reporter's driving habits during a test drive to rebut a negative review of the vehicle by the reporter.

"As vehicles become more integrated with wireless technologies, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver's basic right to privacy could be compromised," he said.

Markey wants automakers to provide details on the tests used to identify vulnerabilities in all the wireless entry points to their vehicles and whether they conducted security assessments on their own or farmed the task out to third parties.

The surprisingly detailed letter asked the automakers to provide information on any instances in the past five years where they learned of vulnerabilities in a wireless entry point to their vehicles, how they responded to the information and whether the issue was reported to authorities. Markey also asked about the data collected by the automakers via navigation and performance reporting systems and how that information was shared and used by the companies.

Automakers have until Jan. 4 to respond.

Wade Newton, communications director at Auto Alliance, an industry trade group comprised of Ford, General Motors, Chrysler, Mercedes-Benz, Toyota, Volvo and six other automakers, downplayed the concerns.

"Automakers take cybersecurity extremely seriously," Newton said in an emailed statement. "As cars and other forms of transportation increasingly incorporate in-vehicle computer systems to help with everything from safety to navigation, cybersecurity is among the industry's top priorities and the auto industry is working continuously to enhance vehicle security features."

Newton noted that computer technology has made possible dramatic safety improvements in areas like airbag deployment and vehicle stability and theft-prevention. In addition, organizations such as the International Society of Automotive Engineers are working on projects to evaluate security challenges and technology for addressing them, he said.

The automobile industry is also studying best practices in areas such as patch management, intrusion detection and prevention and cloud security from airlines, railway and other industries, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
