In addition to finding "a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle" or hackers who wish to "collect and use personal driver information," the report expressed concerns over how automakers track drivers' behavior and collect, transmit and store that information.
The report found that large amounts of data on driving histories are harvested, frequently without consumers being explicitly aware that the information is being collected or how it will be used. At least nine automakers use third-party companies to collect vehicle data, which can make consumers even more vulnerable, and some transmit that data to third-party data centers too.
"This reveals that a majority of vehicle manufacturers offer features that not only record but also transmit driving history wirelessly to themselves or to third parties," the report said.
The information collected includes where drivers have been, like physical location recorded at regular intervals, the last location they were parked, distances and times traveled, and previous destinations entered into navigation systems. A host of diagnostic data on the car is also captured.
The findings in the report are based on information received from BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo. Aston Martin, Lamborghini and Tesla did not respond to the requests.
Technological innovations for vehicles are expanding rapidly: Safety features powered by radars, lasers and cameras are available in some vehicles and coming to more, and vehicle-to-vehicle communication — in which cars can share information — is expected to be available in the near future.
At the same time, connecting cars to the Internet means that more vehicles have smartphonelike interfaces that allow for new possibilities, but also carry inherent risks.
In November, two auto industry trade groups — the Alliance of Automobile Manufacturers and the Association of Global Automakers — tried to address consumer concerns by publishing a set of voluntary privacy principles aimed at limiting the use of vehicle data for marketing purposes. The principles called on automakers to collect information "only as needed for legitimate business purposes."
The report says the phrase "legitimate business purposes" is vague enough to allow for all kinds of collection, and asserts that clear federal rules should be established for what are permissible and appropriate uses of drivers' data.
Ford and Toyota declined to comment on the report. Fiat Chrysler and General Motors referred questions to the Alliance of Automobile Manufacturers.
Wade Newton, a spokesman for the trade group, said "automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers" and cited the November principles as a way that the industry was taking proactive steps.
"Auto engineers incorporate security solutions into vehicles from the very first stages of design and production — and security testing never stops," he said.
Auto companies post privacy policies in their owner's manuals and on corporate websites, he said, and they "pledge to provide heightened protections to the most sensitive types of consumer information — protections that go beyond similar principles in other industry sectors."