The Scary Things Hackers Can Do to Your Car
Nearly all new cars on the market include wireless technology that make drivers vulnerable to hacking or an invasion of privacy, according to a report released today.
The report, titled “Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk,” was released by Sen.Edward Markey, D-Mass.
For the report, he used feedback from the 16 major car manufacturers who responded, including BMW, Chrysler, Ford, General Motors, Honda, Hyundai and Jaguar Land Rover.
As for the security concerns, one expert expressed sentiments similar to Markey’s.
“Automobiles have become increasingly more connected, creating both opportunities as well as vulnerabilities, through wireless networks,” credit security expert Adam Levin, chairman and founder of IDT911, told ABC News today.
Though Markey and Levin didn’t cite actual incidents, here are some things that hackers could do potentially with access to your car and its information:
1. Car movement
In a 2013 Defense Advanced Research Projects Agency (DARPA) study cited by Markey, researchers used a laptop to see how they could control two cars from different manufacturers. They were able to cause the cars to “suddenly accelerate, kill the brakes, activate the horn” and more, according to the report.
Levin said the frightening scenarios of thieves stealing property or exposing drivers and their children to carjacking by unlocking car doors or imprisoning them by locking the doors are within reach. He adds that exposing drivers to accidents is another malicious activity that could happen.
2. Modify car indicators
In the same 2013 DARPA study, the researchers could also modify the speedometer and gas gauge readings and control the headlights. Last year, the same researchers analyzed the “hackability” of 21 different car models from 10 manufacturers and found varying levels of security for each car with respect to wireless entry points.
Of the 16 car makers that responded to Markey’s letter, 14 provided the percentage of 2013 model year cars that have wireless entry points and projections for their 2014 vehicles. Eleven of those 14 said 100 percent of their cars have wireless entry points and some cited the federal mandate for tire pressure monitoring systems as the major contributor.
3. Reading data
While car manufacturers sometimes collect data from vehicle technologies to improve safety or the customer experience, others could access driver data for malicious purposes, the report states. The report mentions previous research that shows one can “remotely and wireless access a vehicle’s network through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo.”
“While I understand that vehicle manufacturers have begun the process of exchanging threat assessments and are communicating more with transportation safety officials, it is critical that we treat this matter with urgency,” Levin told ABC News.
Markey refers to the increasing use of navigation or other technologies that could be used to record someone’s location or driving history.
“A number of new services have emerged that permit the collection of a wide range of user data, providing valuable information not just to improve vehicle performance, but also potentially for commercial and law enforcement purposes,” the report states.
5. Disabling a car
Car dealerships and navigation systems providers also use “remote disabling” to track and disable cars if drivers fall behind on payments, or if cars are stolen.
Millions of these devices are on the road, including the PassTime GPS tracket that helped catch Delvin Barnes, accused last year of kidnapping Carlesha Freeland-Gaither of Philadelphia.
Corinne Kirkendall, vice president of compliance and public relations for PassTime, told ABC News in November that the company requires dealers to obtain written consent from drivers acknowledging that the device is on the car and how it is used. All dealers must follow laws regulating the collection of personal information, she said.
Spokesman for the Alliance of Automobile Manufacturers Wade Newton said the trade group hasn’t fully reviewed the report but released a statement that said, “Manufacturers today employ a variety of methods to provide consumers with clear notices of their privacy practices, including through owner’s manuals and company websites.”
“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production – and security testing never stops,” Newton said in the statement.
In January, the alliance, an association of 12 major manufacturers, signed on as a “Champion of Data Privacy Day 2015.”
Shhh! Your smart TV is eavesdropping on you
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition,” the policy states.
Samsung says it uses “industry-standard security safeguards and practices, including data encryption” to secure users’ personal information, and notes that users can disable voice commands or turn off Wi-Fi connectivity entirely. (See the bottom of this article for the full statement.) Still, that hasn’t stopped the inevitable comparisons to George Orwell’s 1984, suggesting that we’re well on the way to a dystopian future.
Why this matters: It’s worth noting that Samsung only sends voice data when you’re actually telling the TV to do so (for instance, by hitting the microphone button on the remote control), so the comparisons to Orwell’s omnipresent recording boxes are a bit overblown. Still, Samsung’s policy of shipping the data off to a third party with no guarantees of its privacy is unsettling, especially given the government’s interest in the connected home as a potential trove of personal data.
Can you trust your TV?
On a broader level, Samsung is contributing to the idea that smart TVs (and for that matter, all connected home devices) are not to be trusted.
Concerns over the safety of smart TVs date back to at least 2012, when hackers demonstrated the ability to take over televisions with built-in cameras and microphones. But more recently, the real disturbing behavior has come from TV makers themselves.
In 2013, for instance, LG was caught uploading information on file names from USB and networked storage devices, even for users who had opted out of having their viewing information collected. LG eventually disabled the data transmission through a firmware update, but only after the U.K. government started asking questions. Its smart TVs also transmit your every word to offsite servers when listening for instructions.
Still, some manufactures require users to share other kinds of information, such as viewing habits, in order to access any Internet-based features. Opt of out sharing that data with LG or Toshiba, for instance, and you won’t be able to watch Netflix.
In most cases, TV makers are just looking to squeeze out some more ad revenue while their hardware margins shrink. While Samsung’s snooping case seems a bit different, it’s not helping to restore trust in these supposedly smart televisions.
Update 2:00 P.M. EST: Samsung provided the following statement:
“Samsung takes consumer privacy very seriously. In all of our Smart TVs, any data gathering or their use is carried out with utmost transparency and we provide meaningful options for consumers to freely choose or to opt out of a service. We employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.
Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. Should consumers enable the voice recognition capability, the voice data consists of TV commands, or search sentences, only. Users can easily recognize if the voice recognition feature is
activated because a microphone icon appears on the screen.
Samsung does not sell voice data to third parties. If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search. At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV. Samsung encourages consumers to contact the company directly with any product concerns or questions at 0330 726 7864.”