Cyber attacks on so-called “connected vehicles” are still in the proof-of-concept stage. But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter to 20 major auto manufacturers asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles.
Markey’s letter, dated December 2, cites recent reports of “commands…sent through a car’s computer system that could cause it to suddenly accelerate, turn or kill the brakes,” and references research conducted by Charlie Miller and Chris Valasek on the Toyota Prius and Ford Escape. That research was presented in an August demonstration at the DEFCON hacking conference in Las Vegas.
“Today’s cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN)…Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another,” Markey wrote.
Beyond the threat posed by wireless and direct hacking of on-board electronics, Markey cited potential privacy issues surrounding late model vehicles.
“A second, related area of concern to me relates to the increasing use of navigation or other technologies that could be used to record the location or driving history of those using them,” he wrote.
“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Markey wrote. “New services could enable the collection of large amounts of driver data, including geolocation. It is possible that this data could be used for commercial or law enforcement purposes without consumers’ knowledge or consent.”
Indeed, research has shown that on-board sensors that are used to monitor driving behavior can also be used to determine where a car was driven, given knowledge of the starting point.
The letter was sent to leading U.S. automakers Ford, General Motors, Chrysler and Tesla. A copy was also sent to the North American subsidiaries of top foreign car makers, including Subaru, Nissan, BMW, Porsche and Mercedes-Benz, among others. The threats to automobiles demonstrate “the need for robust vehicle security policies” to ensure driver safety and privacy.
Among the questions Markey wants answers to:
- What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points?
- What are automakers’ methods for testing for vulnerabilities in the technologies they deploy, including third-party technologies? Markey asks specifically about tire pressure monitors, Bluetooth and other wireless technologies, and GPS (like OnStar).
- What third party penetration testing is conducted on vehicles (and any results)?
- What intrusion detection features exist for critical components like controller area network (CAN) buses on connected vehicles?
Senator Markey’s office did not respond to a request for comment by The Security Ledger. A member of the Commerce, Science and Transportation Committee, Markey is the junior senator from Massachusetts – an office to which he ascended after winning a special election in June to replace Sen. John Kerry, who left office to become President Obama’s Secretary of State.
A long-time Representative from Massachusetts, Markey has been a longtime supporter of strong consumer privacy protections in areas like mobile phones and Internet commerce. He said he believes the threats point to a need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.
“Airbags and seat belts protect the safety of drivers, but we also need car companies to ensure the security and privacy of those in automobiles in this new wireless age,” said Senator Markey.