Smart cars are savvy, technologically advanced, and computerized devices connected to navigation and entertainment systems, but they also record personal data and have the potential to be hacked. Who owns that information, how it is shared, and how manufacturers can protect against hacking remains unregulated, which is why Sen. Edward Markey (D-Mass.) wants drivers protected.
Last month, Sen. Markey a member of the Commerce, Science and Transportation Committee released the report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, in which he argues that, "the automakers haven't done their part to protect us from cyber-attacks or privacy invasions." A firestorm of new segments from, "60 Minutes" to "CBS This Morning" cautioned "nearly all new cars on the road are vulnerable to hacking." The question remains, are smart cars putting sensitive data at risk?
If a hacker is able to break into the computer system of a particular car, it is possible to virtually govern the car. Scott Morrison, distinguished engineer at CA Technologies agreed, "If you lose control of the car or car features to someone else over the internet, it is a safety issue."
Joshua Corman Co-Founder of www.iamthecavalry.com contended that the physical risks are a growing concern in automobile security. "I love my privacy, I'd like to be alive to enjoy it," he said. Recognizing the real potential for physical harm is paramount to Corman, whose 5 star automotive cyber safety framework asks auto industries, among other questions, "Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?"
Chris Valasek, director of Vehicle Research Security at IO Active said, "The question I like to ask is, 'Are you afraid of being assassinated now?' If the answer is no, physical harm from an auto attack is very unlikely." Access to personal data is common, but access to the car's electronic control units (ECU) is far less likely. According to Valasek. "The barrier of entry is really high" because the collecting and sharing of information "doesn't work universally."
However, Corman argued that the claim that hacking is expensive is too dismissive. "Most security concerns have been about credit cards and financial adversaries," said Corman, "but I like to remind people that we are now exposed to the whole spectrum of human capabilities. It's not an 'if' it's a 'when' one should expect a failure. All computers get compromised." Cars can be hacked, but "All cars are different," Valasek said, "Ford has a different message than BMW." Hacking into a car's computer system is very difficult and very costly, which is in part why there isn't a lot of hard evidence on the physical risks to consumers.
Corman disagreed referencing an investigative report in which auto hacker Craig Smith used a dongle to allow a hacker in New York to hack into a car 3,000 miles away in Seattle. Though Corman agreed that physical safety isn't an imminent threat, he said, "I'd like to rely more on 'they can't' [hack into my car]. I don't want to rely on a hope that they won't."
While the use of technology in smart cars affords consumers a variety of conveniences and luxuries, "many don't understand what the implications [to their privacy] are," Markey contended. In his report, Markey identifies several concerns beyond physical safety.
Scott Morrison agreed that "the car is a powerful data collection point and its connectivity may link it to even more sensitive data than your location, how you drive and what you listen to on the radio." Data is collected in smart cars and is being kept by the automotive industry and can be shared with third parties.
Personal information is more accessible, particularly because computers can see a Bluetooth address which could then be broadcast to the world. Depending on how data is being collected and with whom it is being shared, it is possible, according to Markey's findings, for third parties to "utilize information on drivers' habits for commercial purposes without the drivers' knowledge or consent."
Automotive manufacturers need to be more transparent with the consumer, providing clear and comprehensible facts on how their private information is being tracked and stored. Morrison said, "The [privacy] risk comes around the data: who owns the data and how you create a relationship with who is seeing the data. We need to understand who the custodian is of our private information. One of the biggest challenges we have around data and protection is creating very narrow controls around it."
Some of the uses for that data might protect consumers, such as road side assistance, but there are no clear guidelines on how that collected data can be shared. Morrison explained that "Beyond roadside assistance, one example is seen in the insurance industry. If your automobile is sharing data with the insurance company about your driving habits, such as speed and operations, it can result in a discount or rebate on insurance." While a discounted rate on insurance might save consumers some money, Morrison also pointed out that, "Depending on the application, data shared from your vehicle may connect to or transmit information that includes your Social Security number and address, and that information can be used for fraud or other nefarious purposes."
The conversations about privacy protection are ongoing, but the second part of Markey's report highlights the inconsistencies that exist among the automotive industry. Markey found that, "automakers offer technologies that collect and wirelessly transmit driving history information to data centers, including third-party data centers, and most did not describe effective means to secure the information," and he wanted to know what manufacturers are doing to protect the privacy and physical safety of consumers.
Morrison recognized, "The manufacturers are trying to make life better for the consumer. An approach of 'inform and consent' may put consumers more at ease. And the recently formed automobile ISAC (information sharing and analysis center) will help to gain a better understanding of the threats and how to combat them." Morrison said, "To me the biggest question is how to ensure our personal data is being secured and that the manufacturers and their partners are being good custodians of our information."
The one commonality that all automotive manufacturers have is the growing concern about safety and privacy protection. Many including Morrison argued that, "The industry needs to establish a 5-star data protection rating to complement its 5-star crash rating. Then being a good custodian of information almost becomes self-regulating just to stay competitive."
Being proactive will help to combat current and future threats for the consumer. "We want to start thinking about security/privacy before it becomes an eminent threat," Valasek said. Automotive industries want to build in security measures as they are designing new products. Valasek said, "we need to create security measures as we build rather than dealing with them later." Corman wants more. "We need to be prepared for the inevitable fact that computers on wheels will be hacked," he said, and he contended that, "a merging of the foundational capabilities proposed by www.iamthecavalry.com with a driver's bill of rights" would be an elegant solution toward protecting consumers.
Kacy Zurkus is a freelance writer based in Massachusetts.