The future just pulled up in your driveway. Your new connected vehicle may be able to alert you to potholes in the road, point out traffic jams ahead, auto brake to avoid a crash, or even send weather data to a recording agency whenever you activate your windshield wipers. Features like remote start and the ability to unlock that car from a smartphone are high on consumer wish lists. However, experts say drivers will be at risk for more data theft if the evolution of smart cars continues without plans for data privacy and security.
Many 2017 cars come equipped with two connected systems. One is dubbed “infotainment.” It lets you surf the web, stream music, and provide passengers with entertainment. The other is the automobile’s vital systems that include starting and braking. Driver expectations like remote starting options connect the infotainment system to the “safety critical” systems. This connection triggers concerns because infotainment, up to this point in time, has received far less security scrutiny than critical systems. Both info and critical operations need robust security when they combine to complete a task.
These issues and those regarding driverless cars were the focus on June 28th when federal security regulators in Washington DC brought together automotive, privacy, and cybersecurity experts to discuss the many data safekeeping issues that accompany connected cars.
Rental cars have sparked some of the first words of caution. When your smartphone is synced to a rented unit, data is exchanged.
“It captures your entire contact list and all the rich data associated with that. Stores it on the vehicle. Now, it would seem to me to be priority to ensure that after the rental period was over that data was routinely deleted,” said Marc Rotenberg, spokesman for the Electronic Privacy Information Center (EPIC).
Dr. Miroslav Pajic of Duke University voiced concern about zero-day flaws—one unknown to the maker—in a manufacturer’s system that could allow hackers to take over hundreds of thousands of cars all at once.
“We have seen that in mobile computing, in medical devices, so it’s only a matter of time before we hear things of this sort (in connected cars),” he warned. “Once the hacker gets access to things inside the vehicle, they could wreak havoc.”
While the automotive industry has learned a great deal about wireless security from connected home devices and their checkered history, autos present a more complex picture for regulators. Here are some of the issues:
- Will collected data be shared with health or auto insurance companies?
- What about pre- or post-crash data?
- Will more cars come with auto-disabling switches, which are already used by certain lenders if borrowers are considered high risk?
- Could ransomware target automobiles?
- When you sell your smart car, can your GPS and other data be erased easily?
- Who actually owns the data—the carmaker or car buyer?
Most of these questions have no current answers. Consider that your car could track your heart rate, acceleration, braking patterns, and perhaps even your breath alcohol one day. It’s clear that the time for rapid planning has arrived.