Sen. Markey: Most Modern ‘Connected Cars’ Are Vulnerable to Hacking, Remote Exploits

Cars might be getting smarter and safer in the way they can protect their occupants and other road users, but they’re not protecting themselves.

That’s the message from Sen. Edward Markey (D-Mass.) who has released a study this morning warning that the majority of automakers today are woefully underprepared when it comes to securing their cars from hackers intent on stealing or controlling the latest high-tech cars on the market today. While modern cars with Internet-connected telematics and remote status querying make life easier and more convenient for owners of those vehicles, he warns, those very same technologies are putting car owners at risk.

Senator Ed Markey: we need better protection for modern cars.

Senator Ed Markey: we need better security on modern connected cars.

After seeing a terrifying demonstration from researchers last year in which hackers gained access to a car using its on-board telecommunications system, Markey set out on a quest to ask twenty different automakers what they were doing to secure their technology to ensure that customers cars couldn’t be hacked or exploited.

The results make for some terrifying reading.

While BMW, Chrysler, Ford, General Motors, Honda, Hyundai, jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen-Audi and Volvo all replied to the questionnaire, Aston Martin, Lamborghini and Tesla didn’t even bother to respond.

Of those questioned, few were able to coherently and comprehensively respond to the Senator’s questions, while some “did not seem to understand” the questions being asked, Markey said, despite the fact that only three of the automakers questioned had models on their fleet without keyless entry systems or other ‘connected’ technologies in use.

Nissan were among some of the automakers who responded.

Nissan were among some of the automakers who responded.

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions,” Markey said in a statement this morning. ‘Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

The at-risk systems — everything from wireless tire pressure monitoring systems, Bluetooth handsfree, keyless entry, remote start, WiFi connectivity or cellular-connected telematics — are found in pretty much every mid-range car today. Yet of those who responded, half said they wirelessly transmit information about the car or its driving history to a data centre, often using a third-party provider in the process.

With most in-car navigation systems now requiring a driver opt-in in order to operate, many drivers are having data transmitted about them without really understanding what the data is or how it is transmitted.

Worst still, the majority of automakers couldn’t describe the way in which customer data was effectively secured.

Tesla declined to help Markey.

Tesla declined to help Markey.

Calling security measures “inconsistent and haphazard” from one automaker to the next, Markey says there is urgent need for a legal framework to be set up to ensure that automakers keep customers data — and their cars — safe.

“We need to work with the industry and cyber-security experts to establish clear rules of the road — not voluntary agreements — to ensure the safety and privacy of 21st-century American drivers,” he concluded.

For several years, we’ve seen demonstration videos of cars being hacked by security researchers, including this shocking video from DARPA-assisted researchers Charlie Miller and Chris Valasek, filmed back in July 2013.

That attempt relied on having access to the car from inside the vehicle. But as CBS’s 60-minutes showed last night however, DARPA — the U.S. Government’s military Defence Advanced Research Projects Agency — has now progressed to controlling a car wirelessly using its on-board telematics system.

Despite blocking off the distinguishing features, the car in question is clearly a Chevrolet Impala, a car which uses GM’s ONSTAR telematics and concierge service.

The hack, as the researchers detail, involves connecting to that ONStar connection and injecting malicious code into the car’s on-board data network, ultimately granting access to everything from door locks and radio settings through to speedometer messages, accelerator and braking and even power-assisted steering.

While there are no ‘in-the-wild’ reports of such attacks taking place in which hackers have gained access to a car remotely, the implications of being able to demonstrate such wide and varied access is truly scary.

BMW recently had to patch its ConnectedDrive software due to a massive security flaw.

BMW recently had to patch its ConnectedDrive software due to a massive security flaw.

The more advanced a car becomes, the more hackers can control it, perhaps even turning cars into remote-controlled agents of destruction.

We reached out to GM after seeing the video above, and were provided with the following official statement by Jennie Ecclestone, Arlington Assembly and Western Regional Communications for General Motors:

GM takes matters that affect our customers’ safety and security very seriously. We are taking a layered approach to in-vehicle cybersecurity and are designing many vehicle systems so that they can be updated with enhanced security measures as potential threats evolve.

This demonstration and other academic research showcasing controlled hacking situations has helped us to better understand how hackers may look at vehicles and how to improve hardware and software designs for current and future vehicles.

With regard to this specific demonstration, our team has assessed how the system in that particular vehicle was compromised and have determined a solution to remedy this vulnerability.

Of course, this isn’t the first time we’ve seen wireless connectivity used to access a car. Last summer, hackers in China managed to gain access to Tesla’s on-board telematics system in its flagship Model S electric sedan. Then last week, BMW was forced to release an emergency patch for its ConnectedDrive system following the discovery that it sent a lot of data between car and server ‘in the clear’ with no encryption.

[Hat-tip: Simon Zerafa]


Want to keep up with the latest news in evolving transport? Don’t forget to follow Transport Evolved on Twitter, like us on Facebook and G+, and subscribe to our YouTube channel.


Want to keep up with the latest news in evolving transport? Don’t forget to follow Transport Evolved on Twitter, like us on Facebook and G+, and subscribe to our YouTube channel.

You can also support us directly as a monthly supporting member by visiting

Related News