Skip to content

Modern Cars Are Open to Hacking and Data Theft

Modern cars have become far more complex, and now an average vehicle may contain in excess of 50 electronic control systems, each collecting data on the car’s performance and using it to improve how the car drives.

Almost every one of these systems has a wireless data entry port, and experts have shown that all that is needed to hack into the car’s systems is a simple iPad. An investigation already under way in the US has shown that the big car companies are way behind in their efforts to close, or even acknowledge, these security loopholes. Indeed, the report produced by Senator Edward Markey suggests that almost every new car being sold today is vulnerable to hackers. 
 
Markey’s study investigated the 50 top car companies in the world and found that their approach to this security threat was ‘alarmingly incomplete and inconsistent’. It found that nearly all cars contained wireless systems that were vulnerable to hacking, but revealed that most car companies were unaware of any hacking activities or could not produce any reliable data on hacking incidents. The companies were also found to be haphazard and inconsistent in their attempts to prevent such unauthorised access, and furthermore they were themselves collecting such performance data and passing it on to third parties without their customers’ knowledge or consent. The report found that the car companies were collecting this data without explicitly telling their customers and were designing their systems in such a way that customers could not opt out of this data collection without disabling basic systems such as satellite navigation. Customers had little information on how their data was being used, where it was being stored and for how long it was being accessed. 
 
The issues of data security and privacy seem to have crept up on an unsuspecting car industry as an unintended consequence of the spread of electronic systems into our cars. In late 2014, the industry did attempt to provide a response, when two industry bodies, the Association of Global Automakers and the Alliance of Automobile Manufacturers, issued a joint statement that set out a voluntary code for principles of privacy protection in the motor industry. One suggestion in the voluntary code was to collect data only when it was needed for legitimate business purposes. Clearly, however, this is a rather vague statement, open to interpretation and even abuse. In any case, as it is voluntary, there is no onus on any car company to comply. 
 
Senator Markey said that current protection for car owners was inadequate in a number of areas, including not offering sufficient guarantees of transparency or choice. He added that drivers around the world had begun to depend upon these electronic systems, but he said that it was unfortunate that car makers had made little effort to protect their customers from the threat of privacy breaches and cyber-attacks. He also said that as the cars we drive have become far more connected than ever before, the technology systems that underpin them are still largely insecure and unprotected. 
 
Although the report has been produced in the US, it is just as relevant to drivers in the UK. The electronic systems in question are used by all of the major car firms and are included in those cars being built and sold in the UK. The senator’s report follows a TV programme in the US which showed a car being hijacked by hackers using a laptop. They were then able to remotely control basic systems, such as the car’s brakes and accelerator.
 
In the UK, meanwhile, there has been disquiet over the security of some keyless ignition systems. According to the police, criminals have been able to fool the system and gain entry to the car and drive it away without activating the alarm system. It is claimed that some insurance companies have been refusing to cover certain makes and models of cars that are particularly attractive to thieves and which make use of this system, such as Land Rovers. In these cases, drivers are being advised to deploy more basic security techniques, such as the good old-fashioned steering lock.

Posted by on

Back to February 2015

Back to top