Smart cars are savvy, technologically advanced, and computerized devices connected to navigation and entertainment systems, but they also record personal data and have the potential to be hacked. Who owns that information, how it is shared, and how manufacturers can protect against hacking remains unregulated, which is why Sen. Edward Markey (D-Mass.) wants drivers protected.
Last month, Sen. Markey a member of the Commerce, Science and Transportation Committee released the report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, in which he argues that, “the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions.” A firestorm of new segments from, “60 Minutes” to “CBS This Morning” cautioned “nearly all new cars on the road are vulnerable to hacking.” The question remains, are smart cars putting sensitive data at risk?
If a hacker is able to break into the computer system of a particular car, it is possible to virtually govern the car. Scott Morrison, distinguished engineer at CA Technologies agreed, “If you lose control of the car or car features to someone else over the internet, it is a safety issue.”
Joshua Corman Co-Founder of www.iamthecavalry.org contended that the physical risks are a growing concern in automobile security. “I love my privacy, I’d like to be alive to enjoy it,” he said. Recognizing the real potential for physical harm is paramount to Corman, whose 5 star automotive cyber safety framework asks auto industries, among other questions, “Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?”
Scott Morrison, distinguished engineer at CA Technologies
Chris Valasek, director of Vehicle Research Security at IO Active said, “The question I like to ask is, ‘Are you afraid of being assassinated now?’ If the answer is no, physical harm from an auto attack is very unlikely.” Access to personal data is common, but access to the car’s electronic control units (ECU) is far less likely. According to Valasek. “The barrier of entry is really high” because the collecting and sharing of information “doesn’t work universally.”
However, Corman argued that the claim that hacking is expensive is too dismissive. “Most security concerns have been about credit cards and financial adversaries,” said Corman, “but I like to remind people that we are now exposed to the whole spectrum of human capabilities. It’s not an ‘if’ it’s a ‘when’ one should expect a failure. All computers get compromised.” Cars can be hacked, but “All cars are different,” Valasek said, “Ford has a different message than BMW.” Hacking into a car’s computer system is very difficult and very costly, which is in part why there isn’t a lot of hard evidence on the physical risks to consumers.
Corman disagreed referencing an investigative report in which auto hacker Craig Smith used a dongle to allow a hacker in New York to hack into a car 3,000 miles away in Seattle. Though Corman agreed that physical safety isn’t an imminent threat, he said, “I’d like to rely more on ‘they can’t’ [hack into my car]. I don’t want to rely on a hope that they won’t.”
While the use of technology in smart cars affords consumers a variety of conveniences and luxuries, “many don’t understand what the implications [to their privacy] are,” Markey contended. In his report, Markey identifies several concerns beyond physical safety.
Scott Morrison agreed that “the car is a powerful data collection point and its connectivity may link it to even more sensitive data than your location, how you drive and what you listen to on the radio.” Data is collected in smart cars and is being kept by the automotive industry and can be shared with third parties.