NEW YORK — Car makers are not doing enough to protect your safety and privacy from hackers, according to a new report from Senator Ed Markey.
We don’t yet live in a world where hackers can crash your car. But computer engineers widely agree we’re heading in that direction by connecting our cars to the Internet.
The report was put together by the senator’s staff with the help of well-known computer security researchers. It found “an alarmingly inconsistent and incomplete state of industry security and privacy practices” by all of the world’s largest car makers.
Every major car manufacturer — from Ford and General Motors to Nissan and Volvo — was subject to inquiries from the Massachusetts senator. The only ones that didn’t respond were Aston Martin, Lamborghini and — perhaps surprisingly, given how vocal it is on these issues — Tesla.
The report builds on the idea that your car is a giant computer and can be hacked. Last year, CNNMoney explored how car makers are rushing to expose your car to outside connections (via cell phone networks, WiFi, Bluetooth) even though the inside of your car remains dumb and vulnerable.
It’s a chasm that could have disastrous consequences.
The safety problem
Cars are now connected to the Internet. That means someday in the not-too-distant future, a hacker could knock your car off the highway.
Senator Markey’s staff found that 100% of modern cars have wireless technology baked in — establishing a new potential avenue for gaining access to your car. Meanwhile, the way automakers are protecting these access points is insufficient and “haphazard,” the report says.
For example, some automakers use encryption to protect how devices inside your car talk to each other (like your brake pedal and the actual brakes). Others don’t do that.
Sometimes, car makers use a practice called “whitelisting.” That means the tire pressure sensor can only talk to the dashboard — but not the radio. But not all automakers do that either.
And even when they do these things, it’s more about making sure the devices work than protecting you from outside hackers, according to the senator’s report.
The secrecy surrounding this topic doesn’t help either. Chrysler, Mazda and Mercedes-Benz wouldn’t even answer questions about how they secure their vehicles. Only Hyundai and Toyota provided “detailed, question-by-question responses,” the report said.
However, Ford, Tesla and Toyota have previously told CNNMoney that they have teams of hackers who probe their cars for weaknesses.
The privacy problem
In many ways, the modern car is a smartphone. Your behavior and movements are tracked and recorded.
The inside of your car just isn’t the personal haven it used to be. In fact, this report shows that at least five car makers track your physical location “at regular intervals,” your car’s speed and fuel, and the exact details of how you steer, hit the brakes, and use your seat belt.
Sure, it helps if a car maker can warn you about potential problems. But the data collection and sharing goes further than that.
The senator’s staff found that 50% of car makers collect and transmit driving history to computer servers somewhere. And auto companies assert a right to share your information with marketers.
The report found that only two car makers let drivers disable data collection. Five companies let you delete data right from your dashboard. And just two automakers say they don’t share your personally identifiable information.
In their defense, the auto industry recently agreed to general “consumer choice” principles that say customers must “opt in” for this kind of tracking.
But as the senator’s report points out, this isn’t enough. If you don’t agree to GPS tracking, the car maker could block you from using navigation.
Senator Markey is now calling for federal regulators at the National Highway Traffic Safety Administration and the Federal Trade Commission to step in with clear-cut privacy and safety standards.