The growing integration of wireless technologies in automobiles has prompted some well-publicized fears about hackers taking control of cars to disable brakes and to take over navigation, steering, acceleration, tire pressure and other systems in a vehicle.
That prompted Sen. Edward Markey (D-MA) this week to ask what automakers are doing to protect vehicles from wireless hacking threats and privacy intrusions.
In a letter (download PDF) to CEOs of 20 of the world's largest automakers, Markey asked a series of detailed technical questions about the vulnerability of vehicles to wireless security and privacy threats. Among the companies asked to respond are Ford, Toyota, Volvo, BMW, Chrysler, Mercedes and Nissan.
The letter pointed to a recent study by the Defense Advanced Research Projects Agency (DARPA) in which two researchers demonstrated how they could take control of a vehicle through the controller area network (CAN) used by devices in a car to communicate with each other.
The study, conducted by security researchers Charlie Miller and Chris Valasek, showed how attackers could send different commands to the electronic control units in a car and cause it to brake or accelerate suddenly or jerk its steering wheel in different directions.
In that study, the researchers needed physical access to the CAN bus to carry out the attack. However, previous research has shown that similar attacks can be carried out wirelessly by accessing the CAN bus through Bluetooth connections, compromised Android smartphones, vehicle tracking and navigation systems like OnStar and compromised files on music CDs, Markey noted in his letter.
Stuart McClure, CEO of Cylance, which performs security assessments for several companies -- including automakers -- said the auto industry is a prime target for hacking and disruption. "Many in the industry try desperately to stay ahead of the bad guys, but unfortunately, few guidelines and little oversight produce farm fresh opportunities for the bad guys," he said.
Few controls exist to prevent hackers from breaking into automobiles wirelessly and taking control of systems, McClure said. But because hackers are unlikely to gain much by breaking into individual automobiles, he said they're unlikely to spend much time hacking vehicles. The only scenario where such a threat would be likely is if someone wanted to carry out a targeted attack against a specific individual.
In addition to security fears, there are privacy concerns related to the use of navigation systems and technologies that gather vehicle performance information, Markey said in his letter.
As an example, he pointed to an OnStar proposal to sell vehicle and driver information such as location, seat-belt use, airbag deployment, speed and other data to third parties. Markey's letter also highlighted an incident in which Tesla Motors allegedly collected data about a reporter's driving habits during a test drive to rebut a negative review of the vehicle by the reporter.
"As vehicles become more integrated with wireless technologies, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver's basic right to privacy could be compromised," he said.
Markey wants automakers to provide details on the tests used to identify vulnerabilities in all the wireless entry points to their vehicles and whether they conducted security assessments on their own or farmed the task out to third parties.
The surprisingly detailed letter asked the automakers to provide information on any instances in the past five years where they learned of vulnerabilities in a wireless entry point to their vehicles, how they responded to the information and whether the issue was reported to authorities. Markey also asked about the data collected by the automakers via navigation and performance reporting systems and how that information was shared and used by the companies.
Automakers have until Jan. 4 to respond.
Wade Newton, communications director at Auto Alliance, an industry trade group comprised of Ford, General Motors, Chrysler, Mercedes-Benz, Toyota, Volvo and six other automakers downplayed the concerns.
"Automakers take cybersecurity extremely seriously," Newton said in an emailed statement,. "As cars and other forms of transportation increasingly incorporate in-vehicle computer systems to help with everything from safety to navigation, cybersecurity is among the industry's top priorities and the auto industry is working continuously to enhance vehicle security features."
Newton noted that computer technology has made possible dramatic safety improvements in areas like airbag deployment and vehicle stability and theft-prevention. In addition, organizations such as the International Society of Automotive Engineers are working on projects to evaluate security challenges and technology for addressing them, he said.
The automobile industry is also studying best practices in areas such as patch management, intrusion detection and prevention and cloud security from airlines, railway and other industries, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.