Every computer device is vulnerable to malware, and every Internet connection is hackable. In other words, any “smart” device (read: anything computerized and connected) is vulnerable, including smartphones, smart TVs, and smart cars.
Indeed, the problem with vehicles is bad enough that security researchers already rate cars not according to their fuel efficiency or engine power, but by how easily hackers might gain control of their key systems, including steering and braking.
The safety and security of smart vehicles on public roads is also of obvious interest to members of the Senate's Commerce, Science and Transportation Committee, so this week, committee member Senator Ed Markey of Massachusetts released a staff report titled Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.
Last year, Markey's office asked 19 different vehicle manufacturers about their cars' vulnerability to hackers. Sixteen of them responded, and the results comprise the bulk of Markey's report. The statement his office released this week says in part that:
“The responses from the automobile manufacturers show a vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless Internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems. The report also details the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.”
In other words: hacking, or unauthorized access, isn't the only potential problem with such vehicles – there's also the huge amount of information made available to authorized agents of the manufacturers. Or, in the dry language of congressional press releases: “Additional concerns came from the rise of navigation and other features that record and send location or driving history information.”
If consumers are worried about privacy or hacking-security matters, can they vote with their wallets, and buy vehicles without such vulnerabilities? Not necessarily; the report's summary lists its eight major points, with the first one being: “Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”
How big of a problem is car hacking, anyway? Nobody knows; the summary's second highlight says that “Most automobile manufacturers were unaware of or unable to report on past hacking incidents.”
The rest of the summary is just as discouraging. The report notes that “Automobile manufacturers collect large amounts of data on driving history and vehicle performance” – another way of saying “Whoever made your car knows exactly when and where you drive and park it.”
The report also says, “A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.”
Translation: Whoever made your car not only knows exactly when and where you drive and park it, but makes it easy for hackers to know all this, too.
Markey's full report is available in .pdf form here.