A US senator has published a report on connected car security, with an unambiguous conclusion: manufacturers seem insufficiently aware of the risk that hackers are potentially able to appropriate personal data or even take over control of a vehicle.

Connected cars: manufacturers unaware of hacking risks?

Now that Apple technology has begun to make its mark in the connected car sector, Massachusetts senator Edward J. Markey and his team have published a report entitled ‘Tracking and Hacking: Security & Privacy Gaps Put American Drivers at Risk’, which looks into the security aspects of digitally-controlled, connected vehicles. Democrat senator Markey is an expert on environmental and data protection issues. He received replies to his questionnaire from sixteen major automobile manufacturers, including BMW, Nissan and Ford. Companies that chose not to reply to the senator’s questions include Tesla, a leading firm in this sector, which illustrates just how sensitive a topic this is. Respondents’ feedback clearly show that many auto-manufacturers have very little idea of the potential threat if hackers manage to gain control of the essential functions and features of a connected car. “Automobile manufacturers are new to software and they lack experience in dealing with malware and hacking,” cyber-attack specialist Eugene Kraspersky pointed out to US business magazine Forbes recently. Auto-manufacturers are nowadays able to gather huge amounts of data –journey times and patterns, driving speeds and even seat belt usage – which might be seen as rather sensitive information for a driver to reveal.

Data only partially - or not at all - protected

"Airbags and seat belts protect the safety of drivers, but we also need car companies to ensure the security and privacy of those in automobiles in this new wireless age," stressed Senator Markey, in the letter he sent out to carmakers in 2013. The report based on the answers to his questionnaire argues that auto-manufacturers are simply not doing enough to protect information from potential hacking or leakage. In most cases, data is not stored on board the vehicle, but transferred to data centres, which are sometimes managed by third parties. Moreover, auto-makers admit that they have not installed any means of protection for information which is stored in the car’s onboard system. Only six of the respondents answered the question as to what action they were taking when the data is transferred to a data centre. These respondents mentioned transfer of ‘encrypted data’ and passwords but gave no exact details.

Wireless hazard : hacker-controlled vehicles

Back in 2013, a report entitled ‘Adventures in Automotive Networks and Control Units’ had already pointed to some of the risks arising from connected cars. Computer security researcher Charlie Miller and vehicle security researcher Chris Valasek were then working for the US Defense Advanced Research Projects Agency (DARPA). They told how they had succeeded in hacking into several models of connected car using only a computer and a cable and demonstrated how they were able to sound the car horn, turn on the lights, alter the display of various gauges on the car and even – more ominously – control the vehicle’s acceleration and turn the wheels. This procedure could also be carried out in wireless mode using a Bluetooth connection, an infected application or CD malware, explained the two researchers. Nevertheless, when Ed Markey questioned the auto-manufacturers on this point some did not appear to understand the questions, some did not reply, while others gave rather vague information, referring for example to ‘encryption systems’. Even more surprising was the fact that only two auto-makers said they were able to detect a cyber-attack in real time. US networking equipment designer and producer Cisco recently set out to tackle this need. However, all in all, it now seems high time for connected vehicle manufacturers to focus hard on this issue if they wish to avoid real attacks that would seriously damage their customer relations.

By Guillaume Scifo