Report finds 'inconsistent and haphazard' data security in connected cars

Despite carrier, automaker and consumer enthusiasm for cars with wireless connectivity, most connected cars are vulnerable to hacking attacks and car makers are not protecting consumer data well enough, according to a report released by a U.S. senator.

The report, from Sen. Edward Markey (D-Mass.), concludes that "security measures to prevent remote access to vehicle electronics are inconsistent and haphazard" across all car makers and many do not seem to be aware of the risks. The report comes as wireless carriers are pushing more heavily into the connected car arena as they seek to find new revenue streams amid a maturing smartphone market.

"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber-attacks or privacy invasions," Markey said in a statement. "Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected."

Some of the report's findings show that most car makers "were unaware of or unable to report on past hacking incidents," and that just two car makers "were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all."

Further, the report found that a majority of automakers "offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data." Car makers use personal vehicle data in various ways, and how long they store that information varies a great deal by automaker. Additionally, the report found that "customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation."

The report's findings are based on responses from BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo. Aston Martin, Lamborghini and Tesla did not respond to requests for information from Markey.

In November, two auto industry trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, sought to address the concerns Markey highlighted by publishing a set of voluntary privacy principles aimed at limiting the use of vehicle data for marketing purposes. The principles say automakers should collect information "only as needed for legitimate business purposes."

Markey's report says that while the principles "send a meaningful message" that car makers should care about protecting consumer data in connected cars, it's largely up to automakers to determine the level of transparency as well as guidelines for data use, security and accountability.

Wade Newton, a spokesman for the Alliance of Automobile Manufacturers--which represents Ford, GM, Chrysler, Toyota, Volkswagen and others--told the Detroit News he had not seen Markey's report. But he said automakers believe strong consumer data privacy protections and strong vehicle security are critical.

"Auto engineers incorporate security solutions into vehicles from the very first stages of design and production--and security testing never stops," he said. "The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center--or other comparable program--for collecting and sharing information about existing or potential cyber-related threats."
