"It was mind-blowing," Brown said.
Anuja Sonalker, lead scientist for Battelle's cyber auto group, said that — just like the computer industry — automakers are rolling out technology first and security second.
"Malware surfaced a lot later than computer technology," Sonalker said. "We've built security as an after thought in all industries."
The Battelle CyberAuto Challenge is meant to keep the auto industry "on its toes," she said.
Sonalker also noted that critical vehicle systems, those that control braking or acceleration, could not be accessed remotely because there are physical firewalls built into CANs. "Automakers have done a good job with safety," she said.
Far from being upset, those from the industry who were in attendance at the academic challenge were pleased to learn of the security issues.
"The findings...were handed over to automakers so they can take it back to their engineers, and they've been happy with what was discovered," Sonalker said.
"Hopefully, this is something the auto industry understands: This means people are watching and we have to do a great job with new technology in putting all the protections in from day one," Sonalker said.
But Markey's report, "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk," accused the auto industry of neglecting security and privacy gaps.
The report is based on responses from 16 major automakers to questions from the lawmaker about security and privacy vulnerabilities, and cites a 2013 Defense Advanced Research Projects Agency (DARPA) study. That study included two researchers who were able to connect a laptop to two different vehicles' computer systems using a cable and send commands to different electronic control units (ECUs) through the vehicle CAN. That allowed them to control the engine, brakes, steering and other critical vehicle components.
"Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers," the Markey report said.
In fact, most automobile manufacturers were unaware of or unable to report on past hacking incidents, according to the report.
Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, the report said, "and most say they rely on technologies that cannot be used for this purpose at all."