Unsafe at Any Speed

In the 1960’s Ralph Nader became famous by writing an expose’ of the Corvair, a rear-engined Chevy built by General Motors.

He called it “Unsafe at Any Speed: The Designed-In Dangers of the American Automobile “[1][2].  He accused car makers of ignoring safety, resisting providing seat belts and other design issues that contributed to injuries in accidents.

In 1966 the U.S. Congress passed the Highway Safety Act (aka National Traffic and Motor Vehicle Safety Act), which created mandatory federal safety standards for motor vehicles and established what is now the National Highway Traffic Safety Administration.

This week, the U.S. Senate Commerce Committee held a hearing on the “Internet of Things”.

Among others, the vulnerability of today’s cars with their interconnected computerized control systems to hacking was highlighted. Senators Markey (D-Mass) and Blumenthal (D-Conn) announced they plan to introduce legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards “to secure cars and protect drivers’ privacy”.

Markey also announced the release of a staff report “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk”[3].

Studies have shown how hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings.[4]

Senator Markey sent letters in 2014 to the major automobile manufacturers requesting information on how prevalent these technologies are, what is being done to secure them against hacking attacks, and how personal driving information is managed.[5]

Markey’s report discusses the responses to his letter from 16 major automobile manufacturers: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were also sent to Aston Martin, Lamborghini, and Tesla, but those manufacturers did not respond.

The report notes that new technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance and vehicles are becoming more connected through electronic systems like navigation, infotainment, and safety monitoring tools.

The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars. It also raises privacy issues over the ability of third parties to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.

It also notes that today’s cars and light trucks typically contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN) or other networks (such as Local Interconnect Networks or FlexRay).

Vehicle functionality, safety, and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another. Cars also have the ability to record vehicle data to analyze and improve performance.

Additionally, onboard navigation technologies and the ability to integrate mobile devices with vehicle-based technologies have fundamentally altered the manner in which drivers and the vehicles can interact during the vehicles’ operation.

This information technology has resulted in an increased ability to gather driving information.

Such information-gathering abilities can be used by the automobile manufacturer to provide customized service and improve customer experiences, but in the wrong hands, such information could also be used maliciously. In particular, wireless technologies create vulnerabilities to hacking attacks that could be used to invade a user’s privacy or modify the operation of a vehicle.

Two recent developments highlight potential threats to both automobile security and to consumer privacy.

The report’s key findings were summarized:

1. Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
2. Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
3. Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.
4. Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
5. Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
6. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
7. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
8. Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.

The report concludes “These findings reveal that there is a clear lack appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information”.

Two major coalitions of automobile manufacturers recently issued a voluntary set of privacy principles. These principles are designed to demonstrate they are committed to protecting consumer privacy by ensuring transparency and choice, responsible use and security of data, and accountability.

Since the impact of these principles depends in part on how the manufacturers interpret them, in terms of consumer awareness, data collection disclosure, and data use security and accountability; and the inconsistent and incomplete state of security and privacy practices in the industry, the report calls for development of new standards that will “protect the data, security, and privacy of drivers in the modern age of increasingly connected vehicles”.

The National Highway Traffic Safety Administration (NHTSA), in consultation with the Federal Trade Commission (FTC) on privacy issues, would be designated to promulgate these standards.

The proposed legislation according to Markey will address these security and privacy concerns[6]:

Security

• Requirement that all wireless access points in the car are protected against hacking attacks, evaluated using penetration testing;
• Requirement that all collected information is appropriately secured and encrypted to prevent unwanted access; and;
• Requirement that the manufacturer or third-party feature provider be able to detect, report and respond to real-time hacking events.

Privacy

• Transparency requirement that drivers are made explicitly aware of data collection, transmission, and use of driving information;
• Consumers can choose whether data is collected without having to disable navigation; and
• Prohibition on the use of personal driving information for advertising or marketing purposes.

The legislation will also call for new cars to be evaluated by a rating system—a “cyber dashboard”—that informs consumers about how well the vehicle protects drivers beyond those minimum standards.

This information will be displayed on the label of all new vehicles.

1. http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed
2. http://en.wikipedia.org/wiki/Ralph_Nader
3. http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf
4. Report titled “The Scary Truth of How Terrorists Could Crash Your Car,” published by AOL Autos about threats posed by the prevalence of software in automobiles.
5. http://www.markey.senate.gov/news/press-releases/as-wireless-technology-becomes-standard-markey-queries-carcompanies-about-security-privacy
6. http://www.markey.senate.gov/news/press-releases/markey-blumenthal-to-introduce-legislation-to-protect-drivers-from-auto-security-and-privacy-vulnerabilities-with-standards-and-cyber-dashboard