Millions of Cars Vulnerable to Hackers, Warns Report

As owners of more than 2 million BMW vehicles recently learned, hackers are now targeting automobiles, and the problem is likely to get worse, warns a new report, reported The Detroit Bureau.

The study, overseen by Sen. Edward Markey, a Massachusetts Democrat, comes at a significant time, with automakers loading their vehicles with an assortment of new electronic features – from digital safety systems to wireless infotainment technologies. And over the coming decade, a number of manufacturers are looking to launch new autonomous systems that could allow hands-free driving – and even bigger opportunities for hackers.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions,” Sen. Markey said in a statement.

The release of the report came barely a week after Germany’s BMW revealed it was addressing a security flaw that could have given hackers the ability to remotely unlock the doors of 2.2 million vehicles sold by the BMW, Mini and Rolls-Royce brands.

There have been some reports – as yet unverified – that thieves in Europe and the U.S. have figured out how to clone the digital signals used by wireless keyfobs to unlock vehicle doors and even start vehicles remotely. In lab situations, researchers have gone even further, accessing critical vehicle functions on some models, allowing them to sound horns, operate headlights, alter gas gauge and speedometer readings, even causing vehicles to accelerate without the driver’s input.

While the problem is today a relatively low risk, Karl Heimer, the senior research director at the Battelle Center for Advanced Vehicle Environments, recently told TheDetroitBureau.com, “You will see an increase in attacks” as manufacturers continue to add more technology and offer hackers greater opportunity to access personal data and steal vehicles.

Until recently, there were relatively few opportunities for hackers to access the electronic systems on a vehicle. And manufacturers traditionally isolated vehicle control and entertainment systems. But the barriers have been falling on some of the latest vehicles. And the Markey report notes there are a growing number of channels through which hackers could gain entry.

These include wireless Bluetooth and 4G LTE Internet systems that are becoming more and more commonplace. But there are also less obvious access points, include keyless entry and remote start systems, satellite navigation devices, even the wireless tire pressure monitoring systems now required by federal law.

A number of vehicles also have wired access points, including USB ports. Some automakers, such as Ford’s Lincoln brand, make it possible to update vehicle systems by accessing those USB ports.

The study warned “there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”

Industry officials insist they are well aware of the potential problem and are taking steps to deal with it.

“Our members already are each taking on their own aggressive efforts to ensure that we are advancing safety,” the Alliance of Automobile Manufacturers said in a statement. Meanwhile, the group noted that the Society of Automotive Engineers has set up a committee to draft “standards and best practices to help ensure electronic control system safety.”

Hacking is actually just one of the issues that have come up in recent months. Early last year, Jim Farley, then Ford’s global head of marketing, created a furor when he told an audience that the maker extensively tracks what motorists do when behind the wheel. Ford later tried to backtrack.

But according to the Markey study, of 16 manufacturers surveyed, half said they regularly upload driving history data from vehicles to a central database. Some said they are using personal information to enhance the “customer experience.”

The new study was based on responses from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen-Audi and Volvo. Aston Martin, Lamborghini and Tesla did not participate.

According to Sen. Markey, automakers, government and cyber-security experts need to jointly “establish clear rules of the road — not voluntary agreements — to ensure the safety and privacy of 21st-century American drivers.”

The report was released at the same time the CBS news magazine, 60 Minutes aired a segment showing how a researcher was able to hack into a vehicle driven by correspondent Lesley Stahl to disable its brakes, blow its horn and turn on its wipers.

While the program cautioned there have been no known cases of hackers stealing or taking control of a vehicle, it suggested that the opportunity is there, noting, “You can find software to do that online for $25.”