Senator Proposes New Rules of the Road for Connected Cars That Leave Drivers Open to Invasions of Privacy and Cyberattack
When Ralph Nader’s Unsafe at Any Speed was published half a century ago accusing car manufacturers of resistance to spending money on safety, it caused a sea change in the auto industry. No. Not amphibious cars. But, it did lead to mandatory seat belt laws and the introduction of a host of other safety features.
Recently Sen. Ed Markey of Massachusetts released a report on the risks of cyberattack and loss of privacy posed by cars connected to the Internet. In a statement, he warned that “automakers haven’t done their part to protect us from cyber-attacks or privacy invasions [adding that even] as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”
In her piece on washingtonpost.com, Andrea Peterson explores the many questions raised by the new Internet of Things smart cars and a few answers. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.
Who’s foot is on the brake pedal?
Cybersecurity experts have long warned that cars’ electronic systems might be vulnerable to hackers, especially as auto-makers started building wireless connections to the outside world into vehicles. Researchers Charlie Miller and Chris Valasek demonstrated how to take over the steering and brakes of a Ford Escape and a Toyota Prius using a laptop connected to the vehicles with a cable in 2013.
Many attack surfaces
Last year, the pair released a report detailing the wireless “attack surfaces” of a wide variety of vehicles on the market — things like Wi-Fi, keyless entry systems, and Bluetooth that might be targeted by a malicious hacker.
Inconsistent and haphazard
Nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions,” according to Markey’s report…. Security measures to prevent remote access to a car’s electronic systems are “inconsistent and haphazard across all automobiles” and many manufacturers “did not seem to understand” the questions the legislator was asking. However, most manufacturers were either unaware or unable to report on previous hacking incidents.
Other groups have raised concerns about the security practices of auto-makers. I am the Cavalry, a group focused on where computer security intersects with physical safety, has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety.
Your car is listening
The report also found that modern cars collect a significant amount of information on driving history and that drivers often cannot opt out of data collection without disabling features such as navigation. “A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data,” it said.
Markey calls for new regulatory standards
[Markey] calls for the National Highway Traffic Safety Administration to set new regulatory standards with input from the Federal Trade Commission. The standards should ensure that car’s wireless and data-collection features protect against hacking and security breaches, require that carmakers test their systems with penetration testing, require drivers be explicitly told about how data is collected and used, and give drivers a way to opt out of such features, the report argues.
Rules of the road enforced
“We need to work with the industry and cyber-security experts to establish clear rules of the road – not voluntary agreements – to ensure the safety and privacy of 21st-century American drivers,” Markey said.
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.