In an email blast to subscribers today filled with ominous warnings, Consumer Reports, the nation’s biggest consumer watchdog and advocacy organization, called on its members to write congress looking for more government-mandated security for car-based computer systems.
Citing a report released back in February by Senator Ed Markey (D-Mass.), Consumer Reports said “auto companies are failing to secure their wireless systems against privacy intrusions and, in some cases, even sharing personal vehicle information such as where drivers parked with third parties.”
CR asked its members (it has more than 6 million, and the note went to 1 million of them, CR says) to fill in a form letter that would automatically be sent to congress.
“Something this important should not be left to each auto maker on a voluntary basis. Just as seat belts are mandatory, so should computer security be mandatory. I strongly urge Congress to mandate standards to protect the data, security and privacy of drivers,” the form letter, signed by CR’s Vice President Chris Meyer reads, in part.
As for the timing of the note, William Wallace, policy analyst for Consumers Union, the advocacy arm of Consumer Reports, said in a separate email to me that "today's cars carry so much information, and have driving systems that are so interconnected, that we are concerned about their vulnerability to external attack," he said. "Although a vehicle being taken over remotely has not occurred outside a laboratory situation, we want to ensure this never happens on public roads. We also are quite concerned about the much more likely and feasible hacks of drivers' personal information through their vehicles' entertainment systems."
The full note—filled with dire warnings (“What if someone could take control of your car's brakes, steering system or instrument panel by hacking into one of your car's computerized systems?”) -- is below.
The issue of car hacking—especially worries that someone could remotely control braking and steering--has been around for years, but it has become increasingly high-profile as computers come to dominate the way vehicles operate. A report by FORBES in 2013--and an accompanying video that demonstrated two hackers wrestling control of a car from a reporter while he drove—helped set off a national discussion on the issue and helped prompt Sen. Markey’s investigation.
Not everyone, of course, thinks the issue is quite as grave. Writing a day after a 60 Minutes piece on the issue timed to coincide with the release of Markey’s report, Forbes Contributor Doug Newcomb reminded readers that while car computer security is very important, “there’s been only one case of a malicious car hack, and that was an inside job by a disgruntled former car dealer employee.”
Here's the full text of the note from Consumer Reports:
What if someone could take control of your car's brakes, steering system or instrument panel by hacking into one of your car's computerized systems?
It's not as far-fetched as you may think. Consumer Reports this spring visited labs at the National Highway Traffic Safety Administration where experts were doing just that to find the best ways to make your car more secure.
Today's cars use software and electronics to control everything from air conditioning to brakes, from seat belts to acceleration. Are those computers secure? Probably not secure enough, which is why we need your help right now to make sure your car safety is a priority.
Tell Congress to mandate the highest security standards for in-car computer systems!
Your car may have as many as 30 separate electronic control units, some of them built for wireless access. Hackers have shown that they can disconnect brakes, kill acceleration and more — although most hacks currently require direct, wired access to the car's systems. Even so, a lab technician turned off our test car while we were driving it -- from a cell phone.
While most experts agree that car hacking today isn't easy, they also agree that the real question is not 'if' but 'when.' Faced with evidence from investigative reporters, digital security firms and the military, the auto industry has issued voluntary security standards for manufacturers.
But shouldn't something this important be mandatory? After all, you've seen the damage hackers can do to your financial and personal security because strong protections weren't in place. Make sure your car isn't next.
Tell lawmakers: All onboard auto computer systems should be built to the highest, enforceable security standards.
Most cars built in the past two decades have computers that manage important engineering functions. This likely affects most everyone you know who owns a car, so please take action, then share this with them.Thank you for everything you do!
Sincerely,
Chris Meyer,
Vice President, Consumer Reports
101 Truman Ave
Yonkers, NY 10703-1057
