
Jonathan Nace
Attorney • (202) 930-0292

Is Your Car a Privacy Leak

Imagine driving down the highway and all of a sudden your radio – magically! – starts changing its own channel.  Then, your wipers go.  You chuckle.  However, then your GPS system tells you that you are in a faraway land, nowhere near your true location, and finally your car slows to a crawl despite your attempts to put the pedal to the metal.  You may have heard privacy advocates talk about the “Internet of Things” (IoT), and finally it seems awareness is growing.

The Washington Post has reported on the failures of automobile manufacturers to even consider cybersecurity, even as they turned cars into computers with wheels.

Cars sold today are computers on wheels, with dozens of embedded chips running millions of lines of code. These vehicles can talk to the outside world through remote key systems, satellite radios, telematic control units, Bluetooth connections, dashboard Internet links and even wireless tire-pressure monitors. Security experts call these systems “attack surfaces,” meaning places where intrusions can start.

* * *

The overall security on these automotive systems is “15 years, maybe 20 years behind where [computer] operating system security is today. It’s abysmal,” said researcher Peiter Zatko, who once directed cybersecurity research for the Pentagon’s Defense Advanced Research Projects Agency (DARPA) and now is developing an independent software security research group.

OK, so what?  Your car's internet security is not tip-top.  Is someone really going to try to stop your car in its tracks for no reason?  Maybe not, but in a connected world, consumers need to be more aware that data is power, and whoever controls the data has the upper hand.

Attackers don’t need to crash cars to cause trouble. A jealous, malicious hacker could use a vehicle’s navigation system to track his spouse’s movements while remotely activating the built-in microphone to secretly record conversations that happen in the car. Thieves are already using mysterious “black boxes” that, through the radio signals that control modern entry systems, unlock cars as the crooks walk by; some simply climb in, start the engine and drive away.

The next wave of attacks, researchers say, could include malicious software delivered over the Internet to disable your car’s engine, with the sender offering to revive your vehicle for a few hundred dollars. Or the new generation of wireless links between cars and their surroundings — designed to improve traffic flow and avert crashes — could enable drive-by hacks. Imagine a single infected WiFi beacon on a stretch of highway delivering a virus to every passing vehicle.

These problems aren’t just coming; they are here.  And automakers are far behind.  It's why a few in Congress are attempting to compel auto manufacturers to abide by new standards of cybersecurity.

Two U.S. senators are proposing the SPY Car Act of 2015 to create privacy standards for computer systems that control today’s generation of electronics-heavy vehicles just as a Wired.com contributor reports hackers who set him up in a new vehicle were able to take over its controls while he was driving at 70 mph.

The SPY Car Act is proposed by “Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., to ‘establish cybersecurity and privacy requirements for new passenger vehicles. And inform consumers about the risks of remote hacking.'”  The SPY Car Act can be found here.  As WND sums up:

The SPY Car Act, or the Security and Privacy in Your Car Act of 2015, would require new cars to meet cybersecurity standards.

“All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks,” it states.

And it requires any motor vehicle “that presents an entry point shall be equipped with capabilities to immediately detect, report and stop attempts to intercept driving data or control the vehicle.”

The requirements would include a “cyber dashboard” that would inform consumers “about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers and passengers beyond the minimum requirements set forth” in the law.

It also provides for the privacy of information collected by any monitor on the vehicle installed by the manufacturer.

It's a good attempt to start putting consumers back in control of their own information.  Cars may be the biggest source of geo-location data that could be held against consumers.  It's time car manufacturers realized that if they want to sell internet-connected devices, they need to protect consumers’ privacy.