Cars Hacked

Report Sees Weak Security in Cars’ Wireless Systems


WASHINGTON — Serious gaps in security and customer privacy affect nearly every vehicle that uses wireless technology, according to a report set to be released on Monday by a senator’s office.

The report concludes that security measures to prevent hackers from gaining control of a vehicle’s electronics are “inconsistent and haphazard,” and that the majority of automakers do not have systems that can detect breaches or quickly respond to them.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions,” said the senator, Edward J. Markey, Democrat of Massachusetts, whose office published the report after obtaining detailed information from 16 automakers.

In addition to finding “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle” or hackers who wish to “collect and use personal driver information,” the report expressed concerns over how automakers track drivers’ behavior and collect, transmit and store that information.

The report found that large amounts of data on driving histories are harvested, frequently without consumers being explicitly aware that the information is being collected or how it will be used. At least nine automakers use third-party companies to collect vehicle data, which can make consumers even more vulnerable, and some transmit that data to third-party data centers too.

“This reveals that a majority of vehicle manufacturers offer features that not only record but also transmit driving history wirelessly to themselves or to third parties,” the report said.

The information collected includes where drivers have been, like physical location recorded at regular intervals, the last location they were parked, distances and times traveled, and previous destinations entered into navigation systems. A host of diagnostic data on the car is also captured.

The findings in the report are based on information received from BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo. Aston Martin, Lamborghini and Tesla did not respond to the requests.

Technological innovations for vehicles are expanding rapidly: Safety features powered by radars, lasers and cameras are available in some vehicles and coming to more, and vehicle-to-vehicle communication — in which cars can share information — is expected to be available in the near future.

At the same time, connecting cars to the Internet means that more vehicles have smartphone like interfaces that allow for new possibilities, but also carry inherent risks.

In November, two auto industry trade groups — the Alliance of Automobile Manufacturers and the Association of Global Automakers — tried to address consumer concerns by publishing a set of voluntary privacy principles aimed at limiting the use of vehicle data for marketing purposes. The principles called on automakers to collect information “only as needed for legitimate business purposes.”

The report says the phrase “legitimate business purposes” is vague enough to allow for all kinds of collection, and asserts that clear federal rules should be established for what are permissible and appropriate uses of drivers’ data.

Ford and Toyota declined to comment on the report. Fiat Chrysler and General Motors referred questions to the Alliance of Automobile Manufacturers.

Wade Newton, a spokesman for the trade group, said “automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers” and cited the November principles as a way that the industry was taking proactive steps.

“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production — and security testing never stops,” he said.

Auto companies post privacy policies in their owner’s manuals and on corporate websites, he said, and they “pledge to provide heightened protections to the most sensitive types of consumer information — protections that go beyond similar principles in other industry sectors.”

A version of this article appears in print on February 9, 2015, on page B4 of the New York edition with the headline: Report Sees Weak Security in Cars’ Wireless Systems. Order Reprints| Today’s Paper|Subscribe

Copyright & Trademark The Town Tattle™