10 Feb 2015
That snazzy new car may be looking a little less appealing right now, following this week’s 60 Minutes show on car hacking, teamed with a Senator’s report detailing how wireless technologies in new cars can be exploited by both criminals and marketing mavens.
Bottom line: the chances of your car being hacked, right now and in the near future, to the point that your life and safety are in danger, are infinitesimal. The attack demonstrated in the 60 Minutes spot – causing a car to lose its braking ability via what appeared to be a denial of service attack aimed at the car’s OnStar system – and other proof-of-concept attacks were done under controlled conditions. There is currently no known real-world case of a car being hacked remotely.
Privacy And Security
While the media has focused heavily on the hacking threats detailed in the recently released report by U.S. Sen. Edward J. Markey (D-Massachusetts), the report also indicates that over-enthusiastic data collection from vehicles is a significant issue. The report highlights concerns about data detailing car owners’ driving histories being collected and sent to third-party data centers, where little information is available on how the data is secured in transit or storage. Car companies state that the personal vehicle data is used in various ways, often to “improve the customer experience.” Opting out, when possible, typically requires disabling features such as GPS navigation.
In November, two auto industry trade groups — the Alliance of Automobile Manufacturers and the Association of Global Automakers — published a set of privacy principles that, among other suggestions, called on automakers to collect information “only as needed for legitimate business purposes.” That’s a statement that is vague to the point of being utterly useless, obviously, and points clearly to the industry’s desire to monetize all the data it can possibly collect from its automobiles. That’s fine, as long as consumers can easily opt out.
When it comes to hacking, the waters get murkier. The Markey report is based upon information from 16 car companies that responded to a December 2013 request from Markey’s office. The report claims that “many manufacturers did not seem to understand the questions” posed by Senator Markey. “Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.” The report says vehicles are vulnerable to hacking through wireless networks, smartphones, infotainment systems like OnStar, or a CD harboring malware inserted into a car’s player.
Protecting your Car (and Privacy)
As cars become increasingly part of the Internet of Things, car manufacturers need to be security and privacy focused. The potential threat is real – logic tells us that a smart, connected device that’s not engineered with security in mind is going to have vulnerabilities that can be exploited. The proofs of concept are intriguing but aren’t indicative of an immediate threat. And sadly, as of now, there’s not much else that the average car owner can do to secure a vehicle, apart from driving analog models.
Now is the time to start talking to car dealers and automobile makers about security. Ask how their vehicles’ digital systems are secured against malicious hacking. Ask about intrusion monitoring systems, and how the manufacturer expects to handle any problems that might be discovered later. Last month, BMW fixed a security flaw with an over-the-air software update, closing a vulnerability that could have allowed up to 2.2 million vehicles to have their doors remotely opened without authorization. Not all automakers currently have the capability to update OTA, which could conceivably lead to recalls for software updates.
You may also want to ask exactly what data is collected by the car’s onboard systems, how it is secured, and how you can opt out of any data collection that you choose not to participate in. Dealers may not be able to answer these questions; you may need to go directly to the manufacturer.