U.S. senator seeks information on carmaker efforts to thwart hackers

Reuters

By Jim Finkle

BOSTON, Dec 3 (Reuters) - A U.S. senator has asked 20 of theworld's biggest automakers for information on how they securetheir vehicles from cyber attacks, in light of reports bysecurity experts who say they have identified ways to hack intocars.

Edward Markey, a Democrat from Massachusetts, asked thecompanies to respond to a series of questions including how theytest electronic components and wireless networks to make surethat attackers cannot gain access to onboard networks. He citedrecent research by security experts who uncovered cybervulnerabilities in cars that they said hackers might be able toexploit to cause them to crash.

The letter, dated Monday, also asked about measures thecarmakers take to ensure the privacy of information collected byautomobile computer systems.

"As vehicles become more integrated with wirelesstechnology, there are more avenues through which a hacker couldintroduce malicious code and more avenues through which adriver's basic right to privacy could be compromised," Markeysaid in the letter.

"These threats demonstrate the need for robust vehiclesecurity policies to ensure the safety and privacy of ournation's drivers," he added.

Recipients of the letter included BMW, ChryslerGroup LLC, Ford Motor Co, General Motors Co, Mazda Motor Corp, Toyota Motor Co andVolkswagen AG.

The Auto Alliance, an industry group whose members includethose seven companies, released a statement on Tuesday sayingthat automakers were reviewing the letter.

"Auto engineers are incorporating security solutions intovehicles from the first stages of design and production, andtheir security testing never stops," the group said in thestatement. "Vehicle hardware has built-in security features thathelp protect safety critical systems, and auto control systemsare isolated from communications-based functions like navigationand satellite radio."

Concerns that hackers could attack cars with potentiallylethal results have been growing for several years.

A group of U.S. computer scientists startled the industry in2010 with research showing that viruses could take control ofcomputers running car brakes, lights, locks and other systems. Ayear later the same researchers identified ways to remotelyinfect cars over Bluetooth and other wireless systems.

They kept the details of their work a closely guardedsecret, declining to identify the manufacturer of the car theystudied. ()

The National Highway Traffic Safety Administration respondedby beginning an auto cybersecurity research program.

"While increased use of electronic controls and connectivityis enhancing transportation safety and efficiency, it brings anew challenge of safeguarding against potentialvulnerabilities," the agency said in a statement onTuesday. "NHTSA recognizes these new challenges but is not awareof any consumer incidents where any vehicle control system hasbeen hacked."

Researchers have recently begun going public with detailsabout vulnerabilities in automobiles in a bid to pressuremanufacturers to boost security.

This past summer at the Defcon hacking conference in LasVegas, security experts from the United States and Europereleased detailed research describing cyber vulnerabilities incar models from at least three manufacturers.

The letter from Markey cited one of those presentations inhis letter, a study by researchers Charlie Miller and ChrisValasek that was funded by the Pentagon's Defense AdvancedResearch Projects Agency.

The two released a 100-page White Paper detailing theirfindings, which included ways to force a Toyota Prius to brakesuddenly at 80 miles an hour (128 kph), jerk its steering wheel,or accelerate the engine. They also described a method fordisabling the brakes of a Ford Escape traveling at very slowspeeds, so that the car keeps moving no matter how hard thedriver presses the pedal.

Markey said he believed that automakers had played down theseverity of its findings.

Stuart McClure, chief executive of Cylance Inc and an experton auto security, said that while onboard computer systems arevulnerable to hacking, they do not yet present much risk to theaverage driver. Such attacks are far more cumbersome to engineerthan ones on PCs, he said.

But he said that the government ought to look into howautomakers secure data that customers provide them whenobtaining leases and loans.

"If I want to get a whole bunch of social security numbersand private data, I'm going to hack into their corporate serversand gain access to the data belonging to the millions of peoplewho ever got a car from them," he said.

View Comments