Cars and trucks today are computers, and a new report overseen by Sen. Ed Markey, D-Mass., comes with a warning: As more vehicles have wireless connections, the data stored in them is vulnerable to stealing, hacking and the same invasions faced by any technical system today.
How safe are we in our connected cars?
Markey's office sent inquiries last year to 20 automakers, including Ford, Toyota and General Motors, asking what the companies were doing to secure the technology in their vehicles from cyberattack and how they manage personal data stored in cars. The report finds that while it hasn't happened yet, a hacker could remotely and wirelessly access a vehicle's computers through Bluetooth systems, OnStar systems, malware in a synced Android phone or even a malicious file on a CD in the stereo.
Automakers have insisted they're putting driver safety and security first; in November, two trade groups representing automakers unveiled a set of principles intended to protect security.
"Auto engineers incorporate security solutions into vehicles from the very first stages of design and production — and security testing never stops," Wade Newton, a spokesman for the Alliance of Automobile Manufacturers, said to the Detroit News. His trade group represents Detroit's Big Three automakers, Toyota, Volkswagen and others.
Markey spoke to NPR's Robert Siegel about the threats to motorists today, the threats to come and what should be done to protect us.
Your report documents how it is possible to enter the computer systems of a car and do things to the car. Does this happen in the real world yet?
Not yet, but it's proven that it can happen. But we're in a world where no one had ever thought that a hacker could get into all the health care records of the biggest companies in America, that they could hack into the defense systems of the country. We can wait until criminals don't need a crowbar to break into your car, that they'll just need an iPad, but we can begin right now to say to the auto manufacturers: Build in the security that makes that very difficult.
The auto manufacturers and sometimes third parties collect vast amount of data. What are automakers doing with that data?
This information is gathered about every single driver in the country as they're driving and parking. And it's gathered by the automotive industry. It's stored, but no one really knows the level of security that's built around that information, no one knows whether they give that information to third parties, no one knows what security the third parties build around that information. So I'm opening this question so we can begin the discussion of what are the safeguards that should be put on the books for the drivers in this country in the modern, post-combustion engine era.
OnStar assists us in an emergency. Most of the other functions we're talking about have to do with entertainment or convenience. Should motorists be prepared to sacrifice some amusement or convenience for security?
No, it's a false choice. It's the same choice that automotive manufacturers were trying to give to drivers back in the 1960s and 70s about air bags and seat belts. They were saying it was going to add dramatically to the cost of the vehicle and consumers would not want that. When in truth once they were given that additional protection people now automatically use those safety devices. Well we need the same kinds of safety devices for the information.
Are the insurance companies involved in this problem?
I think the information would be very interesting to insurance companies. It could help them to understand the individuals' driving habits. But it requires ultimately permission to be given to them by the driver. This should not be a decision that should be made by automakers. Perhaps it's even profitable for the auto industry to share that information with the insurance industry. But I don't think Americans should have their privacy compromised for the private gain of insurance companies or auto companies.
The CEO of Ford has said that Ford would disclose whatever information it collected. Is disclosure sufficient, or should there be a stronger guarantee than that?
I think it should be both. I think if a automotive manufacturer is able to build in Bluetooth and keyless entry and remote start and navigation and Wi-Fi, then they should also be able to build in software packages which protect privacy and safety of drivers. That's what this debate should be all about.