Cars Are Delivering Tons Of Driving Data To Manufacturers With Minimal Security And Even Less Transparency

from the introducing-the-2015-Lexus-CI dept

Nothing’s driving the acquisition of data faster than, well, driving. As new technology makes its way into vehicles, so does the apparent desire to harvest information about the vehicle itself. Between the outside harvesting (automatic plate readers that gather plate/location data, as well as photos of vehicle occupants) and the “inside” transmissions, there’s very little any number of unknown entities won’t know about a person’s driving habits. And that’s not even including what’s transmitted and collected by drivers’ omnipresent smartphones and their installed apps.

Sen. Edward Markey has expressed some alarm at the amount of data being collected (and distributed) by vehicle manufacturers. His office has produced a report [pdf link] showing that while many manufacturers are involved in collecting data, very few of them seem concerned about the attendant risks. Even worse, many respondents to his office’s questionnaire seem to show very little understanding of the underlying technology and most have not made an effort to fully inform customers as to how much is being collected or how it’s being distributed.

Drivers of today’s connected cars aren’t going to like the report’s findings.

Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.

While some basic security measures have been implemented, the fact remains that transmitting data always poses a risk. Three of the 14 manufacturers that responded to Markey’s questions had actually let their security measures stagnate or decrease from 2013 to 2014, even as the amount of data transmitted rose. Worse, many of the respondents deployed security measures in a “haphazard and inconsistent” fashion, and nearly all respondents seemed unable to fully process the questions posed by Markey’s office.

Of the 16 automobile manufacturers that responded to the letter, 13 of them addressed these questions in some way. Chrysler, Mercedes-Benz, and Mazda did not respond to the question at all, and five other manufacturers provided general responses that addressed the question as a whole instead of providing specific responses to the questions’ sub-parts.


Seven of the manufacturers stated that they use third-party testing to verify their security measures, while 5 stated that they do not and 4 did not respond to this part of the question.


The manufacturers were also asked about how they secure this type of software delivery [updates/patches]. Each manufacturer responded with descriptions of how they provide such software through authorized dealers with the appropriate tools. Automobile security experts consulted by Senator Markey’s staff said that all of the responses are similar in that they presume a malicious actor could not access or acquire the technologies that mechanics have. They state that software updates for systems should be cryptographically verified by the ECU being updated in order to effectively prevent intrusions.

These four-wheeled tracking devices are collecting and transmitting tons of data, including GPS location, sudden accelerations/decelerations, seatbelt usage, destinations entered into navigation systems, last location parked, distance and time traveled and a variety of information on other driving components. Almost all of this is transmitted back to the manufacturer for their own use.

Nearly 100% of 2014 vehicles record and transmit driving history. Most of these manufacturers could not provide a satisfactory answer as to how they secure this data during transmission and more than half store this information “off-board” at their own data centers. Manufacturers seem to consider “on-board” collections as inherently secure.

In the case of on-board storage, no manufacturer described any security system to protect that data, and several of them noted that no security measure is needed since accessing data would require a hardwire connection.

But that doesn’t mean they treat wireless transmissions with much more care.

Regarding security measures to protect data that is wirelessly transmitted outside the vehicle, only 6 responses were received. Of those, 5 provided vague responses naming encryption, passwords, or general IT security practices, and only 1 specifically mentioned that they designed their systems to limit the transfer of personally identifiable information.

Part of this is due to the fact that automakers’ security measures are purely voluntariy at this point. But the fact that it would likely take a federal mandate to improve security is disappointing. Not only are manufacturers less than forthcoming about how much data they’re collecting, but they’re apparently uninterested in providing a minimal level of customer service, i.e., proactively assuring these data transmissions are secure.

As for the data harvesting itself, manufacturers can’t seem to find a better justification for this than “improving the customer experience” — a phrase pretty much synonymous with “selling customers more stuff” or “collecting for collecting’s sake.” Most manufacturers retain this data for one to ten years, with only one manufacturer offering the option for users to delete their data at any time. But that single nod to customer agency is far outweighed by the general indifference shown by the rest.

Markey’s report finds that purchasers may be allowed to “opt out” of certain collections, but this often comes at the expense of certain functions. No manufacturer presents this information up front, preferring to hide it in owner’s manuals and terms of service agreements. The default should be “opt-in,” with upfront explanations of what, how and why data is collected. But that would lead to a dearth of information, and automakers, like many other private companies, prefer to gather data first and deal with the fallout later.

Although it goes unmentioned in Markey’s report, there’s also the question of how this data is handled when the government comes looking for it. Most of what’s collected would presumably fall under the Third Party Doctrine (with drivers “knowingly” turning this information over because of page 173 in the owner’s manual, etc.), which means it can be acquired by law enforcement/intelligence agencies with minimal effort/paperwork. There are also other government intrusions that need to be considered as well, like California’s desire to tie state-enforced emission standards to driving information already gathered by a number of manufacturers. Not only are manufacturers not guarding against having their collections hijacked by criminals, they seem equally unconcerned about safeguarding this vast amount of data from the government itself.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Cars Are Delivering Tons Of Driving Data To Manufacturers With Minimal Security And Even Less Transparency”

Subscribe: RSS Leave a comment
Anonymous Coward says:

It’s not exactly voluntary. If you want to get a decent price on car insurance, you must install these transmitters to the car’s electonics service port (and never remove them — or get a nasty letter) so you basically give up all privacy to “Big Brother” — and you can bet that these complete driving logs will be accessible to anyone on demand.

Dan G Difino says:

Re: Re:

Maybe the folks over at Tesla will give us all for a price what a lot of us are hoping for, a Tesla Revolution Model. The day I need autonomous vehiclular control technology to park my car or apply breaks for me or automatically slow down my pace while bells are buzzing and that obnozious computer drone voice is warning me, “This vehicle is travelling too fast” or, “Watch out for the pelican on the right” or some nosy search engine selling my driving data to more advertising bums will be.. let’s see.. N E V E R !

Anonymous Coward says:

How is this data being collected?

This article makes it sound like car manufacturers are collected data from every driver on a massive scale, but how are they capable of doing that? By my understanding, that would require equipping every car with a cellular antenna and some kind of data plan. To my knowledge, none of my cars are thusly equipped.

Anonymous Coward says:

Re: How is this data being collected?

Just because you don’t have a data plan doesn’t mean the capacity isn’t there. My car came with Sirius Satellite Radio installed, including the antenna on the roof. I never subscribed and thus get no stations. I still get offers from time to time and never do them. But the equipment – and thus capacity – still exists.

So how do I know my car doesn’t have a hidden cel antenna? I don’t. Unless I want to tear the whole thing apart.

Anonymous Coward says:

Re: Re: Re: How is this data being collected?

For what it’s worth, I drive a 2008 Prius T Spirit. I am regularly shocked whenever using the built in SATNAV, a voice pipes up and informs me that 4 miles down the road there’s “congested traffic”. The Prius could only know this IF it had a means of receiving this data over the air. I also know that the Prius records what the driver does and stores the information for maintenance engineers to analyse if need be. And that’s a 2008 vehicle!

Anonymous Coward says:

Re: How is this data being collected?

Every new car in the US has a cell plan that the manufacturer included. Most are never turned on or even known to you, but they allow 2 way communication and even voice to text conversion so it becomes a giant listening device. The care makers can make more money selling this data than the bulk plan rates will ever cost them…

Anonymous Coward says:

Re: Re: Re: How is this data being collected?

cell phone plans only cost normal people. If you are buying millions of data only plans with older connection standards, you could pay less than $50 a year. Remember many Kindles and other devices come with free cell connection for life, even though you don’t pay for that directly. It is all built into the computing system. Look into current car hacking worries to see if your car is vulnerable.

Jack says:

Re: How is this data being collected?

Almost all cars being produced today (even the cheap ones) come with built in Wi-Fi. Of course, you have to pay for a data-plan with the manufacturer to use it yourself, but the 4G Modem is always turned on and always transmitting nearly everything about your car. Everything that can be read from the ECU and GPS can be sent to the manufacturer. Also, ECUs have serial numbers that can be tied to the VIN (which is tied to you through the sale of the car, DMV, insurance, etc.) and can also be sent back to the manufacturer.

Every station you play on Pandora (main selling point of 4G in the car), every search in Google, your voice, everywheer you go, how fast you drive, how hard you corner, how hard you slam on the brakes, etc. can be sent to the manufacturer and sold to insurance companies, advertisers, and given away to Law Enforcement.

Now that car seats can record weight as well, they will be able to ID the driver in the car. Welcome to a world where cops won’t even need to pull you over to give you a ticket for speeding – they will just send you one in the mail.

Also, a lot of cars have cameras that watch your face so they can beep if you close your eyes or look away and most cars now have voice recognition. They can spy on all that…

Anonymous Coward says:

Re: Re: Re: How is this data being collected?–new-wifi-receiver–built-i.html

That’s the 2 big American companies – Chevy promises a full 4g LTE in their entire lineup within the next couple years and already has almost every 2015 car…

Dan G Difino says:

Re: Re: How is this data being collected?

Two people have rammed me from behind while they were texting. One even hit my vehicle while it was parked legally on the side of the street. I want to sue the entire texting industry for creating a bunch of idiots driving recklessly everywhere while texting. Are you hearing me? Can I get a witness?

ECA (profile) says:

Questions Questions

1. how do they get the data, Wireless, Wired, Collected over time?
2. HOW do they get a vehicle to GOTO a station to have data gathered? Interesting? that your car has Full Ram, and starts running like CRAP, so you goto a Local dealer to have service..And CHARGED to have it read..
3. UPDATE my cars computer? CHANGE how it runs?? Without My knowledge??
4. wireless UPDATES??? NO NO NO NO NO…
5. wireless Bypass into my OWN net?? Cellphone service?? WHo is paying for this?

Odds are that it collects data, and then causes the care to hiccup, so you have to take it into the shop, then be charged $50+ to read the data to be sent…from That point, they can do alot of things to you.. Ever wonder WHy the service light goes on, every 5000 miles?

Anonymous Coward says:

Re: Questions Questions

Your service light goes on every 5000 because you have to get an oil change.

There is absolutely no reason to think that they intentionally cause and error so that they can steal data at the service station. First, reliability is important to drivers. Second, that kind of infrastructure is not at all trivial to install and manage.

The data is collected through OnStar or Sync, apparently. These services come with cellular connections.

ECA (profile) says:


reading the article some form s are NOT wireless..
reliability?? not in this generation..After 5 years 1/2 the plastic in the engine are starting to fail.. Many cars you see it in the mileage changes..

And you dont pay for onstar? Sync?

You really think they only do the higher end, more expensive cars??
Im sorry, I HATE electronics in my car. And I believe the engine computer could do better, IF they didnt add restrictions to it..(yes they place restrictions in the programming)

Andyj says:

Like all this “data collection” Its all memory and no brains.

I have a Nissan Leaf (UK). The always on connectivity is merely 2G. I doubt detailed travel records are kept, only the maps I`ve sent to car. Most of these functions are two way, I can remotely put the heating on or tell it to charge. In response it lets me know what its up to.

However, setting the car to read out RSS used to return speed and location back to that server, it was highlighted almost immediately so they took it off.

Can see the eco/distances/number of trips used on the car but sadly not routes.

I have a third party apps that grabs the CANBUS data. Its better than the cars instrumentation.

There is a lot of interest in hacking cars and I`m not surprised after new German made cars have raced off and sent some politically unwanted people to their sudden and early deaths.

Anonymous Coward says:

I’m waiting for laws requiring cars to have all these tracking features built into them. Just like cellphones are required to have E911 tracking features. All in the name of safety and security, of course.

I’ve already witnessed first hand E911 GPS pings being sent to my cellphone and my GPS icon flashing. Despite the fact I had GPS option disabled in the phone’s settings. I’m certain similar backdoor over-ride commands will be built into cars too.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...