Cars Are Delivering Tons Of Driving Data To Manufacturers With Minimal Security And Even Less Transparency
from the introducing-the-2015-Lexus-CI dept
Nothing’s driving the acquisition of data faster than, well, driving. As new technology makes its way into vehicles, so does the apparent desire to harvest information about the vehicle itself. Between the outside harvesting (automatic plate readers that gather plate/location data, as well as photos of vehicle occupants) and the “inside” transmissions, there’s very little any number of unknown entities won’t know about a person’s driving habits. And that’s not even including what’s transmitted and collected by drivers’ omnipresent smartphones and their installed apps.
Sen. Edward Markey has expressed some alarm at the amount of data being collected (and distributed) by vehicle manufacturers. His office has produced a report [pdf link] showing that while many manufacturers are involved in collecting data, very few of them seem concerned about the attendant risks. Even worse, many respondents to his office’s questionnaire seem to show very little understanding of the underlying technology and most have not made an effort to fully inform customers as to how much is being collected or how it’s being distributed.
Drivers of today’s connected cars aren’t going to like the report’s findings.
Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
While some basic security measures have been implemented, the fact remains that transmitting data always poses a risk. Three of the 14 manufacturers that responded to Markey’s questions had actually let their security measures stagnate or decrease from 2013 to 2014, even as the amount of data transmitted rose. Worse, many of the respondents deployed security measures in a “haphazard and inconsistent” fashion, and nearly all respondents seemed unable to fully process the questions posed by Markey’s office.
Of the 16 automobile manufacturers that responded to the letter, 13 of them addressed these questions in some way. Chrysler, Mercedes-Benz, and Mazda did not respond to the question at all, and five other manufacturers provided general responses that addressed the question as a whole instead of providing specific responses to the questions’ sub-parts.
Seven of the manufacturers stated that they use third-party testing to verify their security measures, while 5 stated that they do not and 4 did not respond to this part of the question.
The manufacturers were also asked about how they secure this type of software delivery [updates/patches]. Each manufacturer responded with descriptions of how they provide such software through authorized dealers with the appropriate tools. Automobile security experts consulted by Senator Markey’s staff said that all of the responses are similar in that they presume a malicious actor could not access or acquire the technologies that mechanics have. They state that software updates for systems should be cryptographically verified by the ECU being updated in order to effectively prevent intrusions.
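The experts' recommendation above is that the ECU itself checks an update before flashing it, rather than trusting that only dealers hold the tooling. The following is an added example, not code from the report or from any manufacturer, sketching what that ECU-side check looks like: the update package carries a version counter and an authentication tag over the version and image, and the ECU refuses anything whose tag does not verify or whose version would roll it back. The key, package layout, `build_update` and `Ecu` class are all constructed for illustration. The example uses a shared HMAC key from the standard library so it runs anywhere; a production design would use an asymmetric signature so that the ECU stores only a public key and no signing secret is present in the vehicle or in service tools.

```python
import hmac
import hashlib
import struct

# Constructed demo key (not a real secret). In a real design the ECU would
# hold only a verification (public) key, not a key that can also sign.
ECU_AUTH_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical package layout used by this example:
#   4-byte big-endian version counter || firmware image || 32-byte HMAC-SHA256 tag
# The tag covers version||image, so neither can be altered without
# invalidating the tag.
TAG_LEN = 32


def build_update(key, version, image):
    """Tooling side: package a firmware image with its version and tag."""
    body = struct.pack(">I", version) + image
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Ecu:
    """Minimal model of an ECU that verifies updates before applying them."""

    def __init__(self, key, installed_version, image):
        self.key = key
        self.installed_version = installed_version
        self.image = image

    def apply_update(self, package):
        """Return (ok, reason); only flash when the tag and version check out."""
        if len(package) < 4 + TAG_LEN:
            return False, "malformed"
        body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak how many
        # leading tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        version = struct.unpack(">I", body[:4])[0]
        # Anti-rollback: a correctly signed but older image is still refused,
        # otherwise an attacker could reinstall a version with known bugs.
        if version <= self.installed_version:
            return False, "rollback"
        self.installed_version = version
        self.image = body[4:]
        return True, "installed"


if __name__ == "__main__":
    ecu = Ecu(ECU_AUTH_KEY, 1, b"firmware v1")
    print(ecu.apply_update(build_update(ECU_AUTH_KEY, 2, b"firmware v2")))
    print(ecu.apply_update(build_update(ECU_AUTH_KEY, 1, b"firmware v1")))
```

The point the experts make is visible in the model: the check happens inside the ECU and depends on the package itself, not on who plugged in the cable. With a shared key as used here, possession of the dealer tooling still implies the ability to sign, which is exactly the assumption the report criticises; moving to a public-key signature removes that dependency.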
These four-wheeled tracking devices are collecting and transmitting tons of data, including GPS location, sudden accelerations/decelerations, seatbelt usage, destinations entered into navigation systems, last location parked, distance and time traveled and a variety of information on other driving components. Almost all of this is transmitted back to the manufacturer for their own use.
Nearly 100% of 2014 vehicles record and transmit driving history. Most of these manufacturers could not provide a satisfactory answer as to how they secure this data during transmission and more than half store this information “off-board” at their own data centers. Manufacturers seem to consider “on-board” collections as inherently secure.
In the case of on-board storage, no manufacturer described any security system to protect that data, and several of them noted that no security measure is needed since accessing data would require a hardwire connection.
But that doesn’t mean they treat wireless transmissions with much more care.
Regarding security measures to protect data that is wirelessly transmitted outside the vehicle, only 6 responses were received. Of those, 5 provided vague responses naming encryption, passwords, or general IT security practices, and only 1 specifically mentioned that they designed their systems to limit the transfer of personally identifiable information.
Part of this is due to the fact that automakers’ security measures are purely voluntary at this point. But the fact that it would likely take a federal mandate to improve security is disappointing. Not only are manufacturers less than forthcoming about how much data they’re collecting, but they’re apparently uninterested in providing a minimal level of customer service, i.e., proactively assuring these data transmissions are secure.
As for the data harvesting itself, manufacturers can’t seem to find a better justification for this than “improving the customer experience” — a phrase pretty much synonymous with “selling customers more stuff” or “collecting for collecting’s sake.” Most manufacturers retain this data for one to ten years, with only one manufacturer offering the option for users to delete their data at any time. But that single nod to customer agency is far outweighed by the general indifference shown by the rest.
Markey’s report finds that purchasers may be allowed to “opt out” of certain collections, but this often comes at the expense of certain functions. No manufacturer presents this information up front, preferring to hide it in owner’s manuals and terms of service agreements. The default should be “opt-in,” with upfront explanations of what, how and why data is collected. But that would lead to a dearth of information, and automakers, like many other private companies, prefer to gather data first and deal with the fallout later.
Although it goes unmentioned in Markey’s report, there’s also the question of how this data is handled when the government comes looking for it. Most of what’s collected would presumably fall under the Third Party Doctrine (with drivers “knowingly” turning this information over because of page 173 in the owner’s manual, etc.), which means it can be acquired by law enforcement/intelligence agencies with minimal effort/paperwork. There are also other government intrusions that need to be considered as well, like California’s desire to tie state-enforced emission standards to driving information already gathered by a number of manufacturers. Not only are manufacturers not guarding against having their collections hijacked by criminals, they seem equally unconcerned about safeguarding this vast amount of data from the government itself.