Senator Markey: Our connected cars are insecure and leaking data

As our cars gain more means to reach and connect to our smartphones, the cloud and the internet, they’re also creating more pathways to infiltrate our cars’ data and possibly providing a way for hackers to take control of our vehicles, according to a new report compiled by U.S. Senator Ed Markey (D-Mass.).

Markey, a member of the Senate Commerce, Science and Transportation Committee, sent letters to 19 automakers asking about the vulnerabilities of their vehicles to hackers, the security measures in place to protect customers from attacks and the data the automakers themselves collected through these connectivity channels. All of the major automakers responded (the three that didn’t were [company]Lamborghini[/company], [company]Aston Martin[/company] and – oddly enough – [company]Tesla[/company]), but Markey wasn’t exactly consoled by the responses.

U.S. Senator Ed Markey

U.S. Senator Ed Markey

All automakers told Markey’s office that they produced cars with some form of wireless connectivity, whether Bluetooth, Wi-Fi or a direct cellular link. But when questioned about if and how these “wireless points of entry” were being exploited by hackers and what protections were in place against such exploits, their responses were all over the map.

Several automakers just ignored some of the questions. Most of those who did respond said they unaware of or didn’t have data on any hacking attempts on their vehicles (though one automaker described non-malicious attempts by car owners trying to reprogram their own engines). As for preventative measures, only half of the companies provided specific examples of security technologies and testing, and only two responded that they had the means to identify and react to an intrusion in any meaningful way in real-time.

One manufacturer said it could remotely put the car in a “fail-safe” mode that limited how it could be operated, while another said it could remotely slow the car down and immobilize a compromised vehicle. I would take a look at the report for yourself if you get a chance. While Markey didn’t call out specific automakers responses, he clearly identifies the companies that didn’t respond to specific questions.

Markey car report

Markey’s staff also found that there was another way for hackers to get data from a car without getting anywhere near your vehicle’s radios: the cloud. While many car manufacturers collect vast amounts of information through their telematics services, that data is often collected by partners and stored in third-party data centers, but hardly any of them detailed how that data was secured.

We’re still in the early days of the connected car, so the public isn’t exactly clamoring over hacked vehicles today. That could explain many of the automakers responses: they may not have data on car computer attacks because they are either exceedingly rare or non-existent. But as Markey’s report makes abundantly clear, that doesn’t mean a hack won’t occur, and if it does the consequences could be catastrophic. This isn’t just your computer going haywire or your identity getting stolen. If a hacker gets into your drive computer, he can gain control over your vehicle, even if you’re in it.

Automakers make a point of saying that they keep the various networks of their cars separate for this very reason: The network that remotely unlocks your doors or blares the Beyonce from your iPhone through your cars’ speakers isn’t the same network that controls the engine. But white hat hackers have demonstrated that cars control systems are far more vulnerable than automakers claim. They’ve been able to control braking and acceleration by plugging a laptop into the same on board diagnostic port under your steering wheel. That’s the same network bus telematics services and infotainment systems are tapping with wireless connections.