US senator raises red flag over cyber security in cars
Vehicles’ internal networks ‘largely unprotected’, could lead to wireless unlocking of doors
A US senator who questioned 20 car makers about the security of wireless access in their vehicles has raised concerns about "largely unprotected" systems, The Register reported.
Senator Ed Markey (D-MA) received responses from 17 of the 20 companies he contacted, with only Tesla, Aston Martin, and Lamborghini failing to reply. All 17 (BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen with Audi, and Volvo) integrated considerable data-driven tech in their 2014 models, with a number of respondents installing as many as 50 electronic control units (ECUs), which communicated over internal networks.
The Register suggests that, while the CAN (controller area network) bus, which serves critical systems such as engines, steering wheels and brakes, is relatively isolated, the lack of encryption and firewall provisions in other systems means it is theoretically possible to, for example, open doors wirelessly.
Weak security could also allow malicious third parties to install malware to monitor where the vehicle has been and how fast it was travelling.
"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber-attacks or privacy invasions," said Markey, a member of the Senate's Commerce, Science and Transportation Committee.
"Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected. We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers."
According to Markey's findings, over 90% of 2014 models used wireless technology to some degree, whether it was connectivity to allow quick mechanical diagnostics in service centres or Bluetooth hook-ups for smartphones. Only six of Markey's respondents had any kind of security software running in vehicles and just five locked down wireless access points with passwords, encryption or proximity sensors designed to restrict wireless access to in-car devices. In addition, Markey's report said only two companies made vehicles that alert their manufacturers in real time to cyber-attacks; others require manual checking at a service centre.
Cyber security specialists consulted by Markey pointed out that, even where firewalls existed, they tended to check a packet's source but not its content.
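To illustrate the gap the specialists describe, the following added example (not from Markey's report or any manufacturer) compares a source-only gateway check with one that also validates payload length and value. The interface names, message IDs, rules and sample frames are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    source: str    # gateway interface the frame arrived on
    msg_id: int    # CAN arbitration ID
    data: bytes    # payload, 0 to 8 bytes

# Hypothetical policy: interfaces allowed to send each message ID.
ALLOWED_SOURCES = {0x3A0: {"telematics", "diagnostics"}, 0x2F1: {"telematics"}}

# Hypothetical content rules: message ID -> (required length, payload check).
CONTENT_RULES = {
    0x3A0: (1, lambda d: 16 <= d[0] <= 30),          # cabin temperature setpoint, deg C
    0x2F1: (2, lambda d: d[0] <= 40 and d[1] == 0),  # media volume plus reserved byte
}

def source_only(frame):
    """Firewall as characterised in the article: checks the sender, nothing else."""
    return frame.source in ALLOWED_SOURCES.get(frame.msg_id, set())

def source_and_content(frame):
    """Same source check, plus length and value validation of the payload."""
    if not source_only(frame):
        return False
    rule = CONTENT_RULES.get(frame.msg_id)
    if rule is None:  # no content rule defined for this ID: fail closed
        return False
    length, check = rule
    return len(frame.data) == length and check(frame.data)

def content_gap(frames):
    """Frames a source-only firewall forwards that content inspection rejects."""
    return [f for f in frames if source_only(f) and not source_and_content(f)]

# Constructed sample traffic (not captured from any vehicle).
SAMPLE = [
    Frame("telematics", 0x3A0, bytes([22])),              # valid setpoint
    Frame("telematics", 0x3A0, bytes([200])),             # value out of range
    Frame("telematics", 0x2F1, bytes([10, 0, 0xFF])),     # wrong length
    Frame("bluetooth", 0x3A0, bytes([22])),               # source not allowed
    Frame("telematics", 0x7DF, bytes([0x02, 0x01, 0x00])),  # ID not in policy
]

if __name__ == "__main__":
    for f in content_gap(SAMPLE):
        print(f"forwarded on source alone: id=0x{f.msg_id:X} data={f.data.hex()}")
```

The two frames reported come from an allowed interface, so the source-only check forwards them even though their payloads are malformed.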
All of the respondents' 2014 models collect data on drivers, with 25% storing it within the vehicle and 50% sending it to the manufacturer's on-premise databases, where it is kept for up to 10 years in one case. Among the respondents, only two manufacturers had limited procedures available for drivers to opt out of data collection and one firm told Markey it believed customers should not be informed about the information gathering.
While Markey's report berates the lack of security presently integrated by manufacturers, a solution to vehicle-network security was presented at the Black Hat conference in August by dedicated car hacker Charlie Miller. His Can-no hackalator 3000 can reportedly be assembled from spare parts and serves as an intrusion detection system (IDS) for automobiles.
"IDS sucks in computers, but it turns out they work for cars because cars are simple," said Miller at Black Hat.