Automakers use personal-vehicle data in ways unbeknownst to drivers, says senator's report As vehicle manufacturers rush to adopt mobile-friendly platforms and wireless technologies, they’ve neglected to plug security and privacy gaps, a new report revealed.Released today by U.S. Sen. Edward Markey (D-Mass.), the report is based on responses from 16 major automakers to questions from the lawmaker around security vulnerabilities and how driver information is collected and protected.The report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, indicates the U.S. paints a picture of a U.S. vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless Internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems. Additionally, there is widespread collection of driver and vehicle information without privacy protections for how that information is shared and used.The first part of the report focuses on how modern technologies give hackers windows of opportunity. “Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions,” the report states.Most automobile manufacturers, the report says, were unaware of or unable to report on past hacking incidents. Markey posed his questions after studies showed how hackers can get into the controls of some popular vehicles, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings.With the rise of navigation and other features that record and send location or driving history information, Markey said he wanted to know what auto manufacturers are doing to address these issues and protect drivers. Sen. Edward Markey Nearly all of today’s vehicles can record driving history.To date, any security measures that have been taken by automakers to prevent remote access to vehicle electronics “are inconsistent and haphazard across the different manufacturers,” the report said.Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all, the report said.“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Markey, a member of the Senate Commerce, Science and Transportation Committee, said in a statement. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”The report also delves into privacy and how features like navigation are quietly recording and sending out vehicle driving history. Most automakers use technology that collects and wirelessly transmits driving history information to data centers, including third-party data centers, “and most did not describe effective means to secure the information,” the report states.Manufacturers use personal vehicle data in various ways, the report states, often with vague terms, such as to “improve the customer experience,” and usually involving third parties. Retention policies on how long information about drivers is stored vary considerably among manufacturers.Car owners are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.“Consumers don’t know with whom that data is being shared,” said Nate Cardozo, an attorney with the Electronic Frontier Foundation. “Take Ford Sync, for example. In its terms of service, it says it’s collecting location data and call data if you use Sync to dictate emails.” Location data about drivers is continually sent to manufacturers, which allows navigation systems to update users on traffic and weather conditions and offer other services such as remote payment for parking.Dominique Bonte, a director at ABI Research, said drivers should have to opt in before car companies can share data with outside parties. Bonte pointed to GM as an example of why an opt-out model isn’t good enough.In 2011, GM’s OnStar in-vehicle communications service began collecting data on users without permission. The strategy was designed to improve the OnStar service, but GM also shared that data with third-party suppliers.“They failed to observe the most essential rule in privacy. They were forced to stop using the data,” Bonte said.Last November, the world’s 19 biggest automakers agreed to principles they said will protect driver privacy in an electronic age where in-vehicle computers collect everything from location and speed to what smartphone the driver uses.A 19-page letter committing to the principles was submitted to the Federal Trade Commission from the industry’s two largest trade associations, the Alliance of Automobile Manufacturers (AAM) and the Association of Global Automakers (AGA).The AAM represents Detroit’s Big Three automakers — Ford, GM and Chrysler — along with Toyota, Volkswagen AG and others. The AGA also represents Toyota, along with Honda Motor Co., Nissan Motor Co. and Hyundai Motor Co., among others.Markey stated that the principles are an important first step, but they fall short in a number of key areas by not offering explicit assurances around choice and transparency.The report’s findings are based on responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were also sent to Aston Martin, Lamborghini, and Tesla, which did not respond. Related content news Is China waging a cyber war with Taiwan? Nation-state hacking groups based in China have sharply ramped up cyberattacks against Taiwan this year, according to multiple reports. By Gagandeep Kaur Dec 01, 2023 4 mins Cyberattacks Government Government news Apple patches info-stealing, zero day bugs in iPads and Macs The vulnerabilities that can allow the leaking of sensitive information and enable arbitrary code execution have had exploitations in the wild. By Shweta Sharma Dec 01, 2023 3 mins Zero-day vulnerability Vulnerabilities Security feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff Dec 01, 2023 6 mins Technology Industry IT Skills Events news Conti-linked ransomware takes in $107 million in ransoms: Report A ransomware campaign linked to the ostensibly defunct Conti malware group has targeted mostly US businesses, in a costly series of attacks. By Jon Gold Nov 30, 2023 4 mins Ransomware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe