Vehicle cyber safety

Lawmaker wants to know how cyber-safe vehicles are

Published 18 December 2013

Senator Ed Markey (D-Massachusetts) has asked twenty automobile manufacturers to submit details of their plans to protect vehicles from wireless hacking attempts, as well as plans to prevent violations of driver privacy. Markey wants automobile manufacturers to apply computer-industry security processes and technology — including anti-virus software, incident logging, incident-response planning, software vulnerability patching, and third-party penetration testing — to mass-produced vehicles.

“I write to request information regarding your company’s protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles,” Markey wrote in a letter to Daniel Akerson, the CEO of General Motors.

According to TomsGuide, Markey wants automobile manufacturers to apply computer-industry security processes and technology — including anti-virus software, incident logging, incident-response planning, software vulnerability patching, and third-party penetration testing — to mass-produced vehicles.

“Today’s cars and light trucks contain more than fifty separate electronic control units (ECUs), connected through a controller area network (CAN) or other network,” Markey said. “Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another.”

Letters were sent to the heads of the North American divisions of Aston Martin, Audi, BMW, Chrysler, Ford, Honda, Hyundai, Jaguar Land Rover, Lamborghini, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Tesla, Toyota, Volkswagen, and Volvo (Audi, Lamborghini, Porsche and Volkswagen share ownership).

In his letter, Markey cites a recent study by the Defense Advanced Research Projects Agency (DARPA), in which “Charlie Miller and Chris Valasek demonstrated their ability to directly connect to a vehicle’s computer systems, send commands to different ECUs through the CAN and thereby control the engine, brakes, steering and other critical vehicle components.”

Miller and Valasek, in the study funded by the Pentagon, opened up dashboards and took control of a Toyota Prius and a Ford Escape (see “Cars’ computers could be the next targets of cyberattacks,” HSNW, 31 July 2013). Since the study demonstrated automobile hacking through direct contact with the vehicles, the vulnerabilities discovered are not addressed by Markey’s letter to the automobile manufacturers, which focuses on wireless hacking of vehicle control systems.

Ford and Toyota dismissed Miller and Valasek’s research as unrealistic and unlikely in a real-world scenario, which highlighted Markey’s questions about wireless hacking. “Both companies reportedly noted that the researchers directly, rather than wirelessly, accessed the vehicles’ computer systems,” Markey wrote, “and referred to the need to prevent remote hacking from a wireless device.” Markey also noted instances in which vehicle systems have been hacked wirelessly. Hackers have accessed vehicle ignition systems using text messages, modified smartphone apps, and specially crafted audio CDs.

Markey’s questions to automobile manufacturers include the following:

  • How many vehicles in its 2013 and 2014 production fleets have wireless access.
  • What kind of consumer-accessible vehicle computer systems are present, including Wi-Fi, Bluetooth, smartphone integration, Web browsers, OnStar and similar cellular systems, as well as vehicle-to-vehicle communications.
  • Whether the vehicles have been subjected to third-party penetration tests.
  • Whether any kind of dedicated security technology is in place.
  • What kind of security breaches have already occurred.
  • Whether the company has procedures to mitigate incidents and push out software patches.

Markey also asked each automobile manufacturer questions relating to collection, storage, and distribution of information collected by in-car systems relating to driver behavior and history, navigation, location, speed, and mileage. Markey wants to know whether collected information is shared with law enforcement, debt-collection agencies, insurance providers, auto dealers, auto-rental companies, or sold to third parties. Markey then asked how many vehicles contain technology such as General Motors’ OnStar, which could remotely shut down a vehicle.

The companies have been asked to respond to Markey by 3 January 2014. The Auto Alliance, an association of automobile manufacturers whose twelve members were sent letters by Markey, issued a statement insisting that “cybersecurity is among the industry’s top priorities and the auto industry is working continuously to enhance vehicle security features.”