US Senator Markey is critical of connected-car data security and privacy (Picture: Continental)

A US report published this week shows how connected cars may be vulnerable to hackers.The paper, based on answers to questions by 16 major car manufacturers, highlights growing concerns that networking cars with the world around them poses potential security risks.

"The responses from the automobile manufacturers show a vehicle fleet that has fully adopted wireless technologies like bluetooth and even wireless Internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems," a summary of the report says. The summary also cites "the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used."

The questions were posed to the automakers last year by US Senator Edward Markey, who acted out of concern over potential connected-car security risks.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions," Markey said in a press release.

The US politician, who is a member of the Senate Commerce, Science and Transportation Committee, said clear safety and privacy rules need to be established by regulators, industry and cyber-security experts working together.

With regard to hacking vulnerabilities, the report identified four trends:

  • Nearly all cars rely on wireless technologies that are potentially vulnerable
  • Most carmakers were unaware of or unable to report on past hacking incidents
  • Security measures are inconsistent and haphazard across the different automakers
  • Only two carmakers appeared to have the capabilities to diagnose or "meaningfully" respond to a real-time infiltration.
The Markey report also cited four trends related to privacy:
  • Car brands collected "large amounts of data" on driving history and vehicle performance
  • A lot of this data is wirelessly transmitted to data centers, most often without effective security
  • Data is used in various ways by automakers without clear explanations
  • Customers often aren't explicitly made aware of this and often cannot opt out without disabling valuable features, such as navigation.
The report comes a few weeks after the ADAC, Germany’s largest automobile club, discovered a potential security gap in the data transmissions to and from BMW's connected vehicles. The German carmaker responded quickly to the report and closed the security gap with “a new configuration.”

In November 2014, car manufacturers operating in the US agreed on a set of guiding principles for connected car data, but Markey said they fall short in a number of key areas. The agreement doesn't offer explicitly assurances of choice and transparency, he said.

-By Arjen Bongard