Democratic Senator Ed Markey (D-MA) has published a report after questioning 20 automakers about the security of their cars' internal networks – and how much personal data they store. The results aren't great.
In short, as we've long suspected, the computers in today's cars can be hijacked wirelessly by feeding specially crafted packets of data into their networks. There's often no need for physical contact; no leaving of evidence lying around after getting your hands dirty.
This means, depending on the circumstances, the software running in your dashboard can be forced to unlock doors, or become infected with malware, and records on where you've have been and how fast you were going may be obtained. The lack of encryption in various models means sniffed packets may be readable.
Key systems to start up engines, the electronics connecting up vital things like the steering wheel and brakes, and stuff on the CAN bus, tend to be isolated and secure, we're told.
The ability for miscreants to access internal systems wirelessly, cause mischief to infotainment and navigation gear, and invade one's privacy, is irritating, though.
"Drivers have come to rely on these new technologies, but unfortunately the automakers haven't done their part to protect us from cyber-attacks or privacy invasions," said Markey, a member of the Senate's Commerce, Science and Transportation Committee.
"Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected. We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers."
Of the 17 car makers who replied [PDF] to Markey's letters (Tesla, Aston Martin, and Lamborghini didn't) all made extensive use of computing in their 2014 models, with some carrying 50 electronic control units (ECUs) running on a series of internal networks.
BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo responded to the study. According to the senator's six-page dossier:
- Over 90 per cent of vehicles manufactured in 2014 had a wireless network of some kind – such as Bluetooth to link smartphones to the dashboard or a proprietary standard for technicians to pull out diagnostics.
- Only six automakers have any kind of security software running in their cars – such as firewalls for blocking connections from untrusted devices, or encryption for protecting data in transit around the vehicle.
- Just five secured wireless access points with passwords, encryption or proximity sensors that (in theory) only allow hardware detected within the car to join a given network.
- And only models made by two companies can alert the manufacturers in real time if a malicious software attack is attempted – the others wait until a technician checks at the next servicing.
There wasn't much detail on the security of over-the-air updates for firmware, nor the use of crypto to protect personal data being phoned home from vehicles to an automaker's HQ.
Unsurprisingly, security experts consulted by the senator noted that all the cars, save for motors built by one manufacturer, can be hacked using previously published techniques. Firewalls check where the data is coming from, but not the content of the packets, allowing malicious payloads to slip through undetected – and the ECU watchdog software was basic in the extreme.
Markey noted that the Alliance of Automobile Manufacturers and the Association of Global Automakers had adopted a voluntary code to deal with computer security issues in cars (a mere two years after networked cars were found to be vulnerable to attack).
On the privacy side, all of the 2014 models put out by car makers that responded to the survey collect some form of information from their customers, with 25 per cent storing it on the car and half transmitting it back to corporate servers, where it is kept for up to ten years in one case.
All of these data collection systems are mandatory, and one manufacturer said it felt consumers shouldn’t even be told records was being kept, Markey's report states. The permission to slurp up this potentially sensitive data is usually mentioned in the purchase contract or owner's manual, and two manufacturers claim to have systems in place to allow customers to delete some of the information if they choose.
While the report is a good roundup of where we are in the way of computer security, it does miss one security defense – a basic intrusion detection system (IDS) that triggers when people break into a vehicle's networks.
Car hacker extraordinaire Charlie Miller demonstrated his IDS gizmo at the Black Hat conference in August, dubbed the Can-no hackalator 3000, which can be cobbled together with spare parts to monitor the internal behavior of the networks within a car.
"IDS sucks in computers, but it turns out they work for cars because cars are simple," said Miller at the time.
In response to a question from El Reg on Monday, Miller claimed his IDS device "stops all known attack techniques," and based on his presentation would be easy to install. Given Senator Markey cited Miller's earlier hacking work in his report, it's surprising the latter's defense mechanism was overlooked. ®