Car makers take "haphazard" approach to hacker threats

Major car manufacturers are coming up short on security despite racing ahead with new smarts in cars that leave them exposed to remote hacking and privacy threats, according to a new report.

The claim is made in a report released by US Democrat Senator Edward J. Markey, who asked 16 major car manufacturers how they protected networked vehicles from hackers.

The report’s findings aren’t reassuring for buyers: it concludes that manufacturers have a “clear lack of appropriate security measures to protect drivers against hackers” who could either take control of a vehicle or steal a driver’s personal information.

The nightmare situation for drivers is a hacker commandeering a vehicle’s computerised control network and causing it to accelerate or brake, or tampering with the headlights.

The report is based on voluntary responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo.

Questions ranged from how software updates are delivered to intrusion detection capabilities. In many cases, however, manufacturers didn’t respond to them, leaving an incomplete picture of the actual state of vehicle security. Aston Martin, Lamborghini and Tesla didn’t respond to the senator’s letter at all.

While all new cars on the market include “wireless entry points” in some form — whether they’re Bluetooth, wifi, keyless entry, or mobile network connectivity and telematics systems — the report found that “security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers”.

Just five manufacturers confirmed they’d hired a penetration testing firm when asked whether they’d sought outside help to assess the security measures of their vehicles. Most either declined to answer the question or appeared to misunderstand it.

Only two manufacturers could explain that they had some way to detect and respond to an attack in real-time, while most pointed to technology deemed by experts to be ineffective for this purpose.

When asked what action they could take in real time to block an attack, six manufacturers pointed to “appropriate actions” but cited a product recall, which wouldn't qualify as a real-time response. The only action that could work is a fail-safe mode and remote slow-down and immobilisation; however, only one manufacturer indicated this capability.

The report comes just a week after it emerged that BMW had recently patched a flaw in its Connected Drive system that researchers could exploit to remotely unlock the doors of its vehicles.

The other concern for drivers is how much data vehicles are collecting and who manufacturers are sharing this data with.

The report found that on average 35 percent of vehicles can collect driver history information. Around half of these transmit data wirelessly to a data centre, in the majority of cases to a third-party provider. A total of 12 manufacturers said they collected and stored driving history data, of which eight sent it off-board; however, no manufacturer sufficiently outlined how they protected that data either at rest or in transit.

There was also no consistent data retention policy across the industry: retention periods ranged from one to 10 years for five manufacturers, three had no clear date for deletion, and for others retention was indefinite.

Finally, customers aren’t told up front that manufacturers are collecting data, say for geolocation-based marketing. And if they are told, it often comes at the cost of a valuable driving feature, such as GPS. To top it off, the car making industry seems to be adopting the same terms and conditions documents that buyers of consumer technology rarely, if ever, read.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee, in a statement.

“We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.” 

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Liam Tung
