A recent report by global market analysts McKinsey has estimated that by the end of the next decade, the use of in-car data, in-car internet, and in-car online services could be worth as much as $75-billion every year. That’s a massive chunk of change, and one that car companies are already scrambling to stake a claim to. Renault announced at the Paris motor show last month that it was going to collaborate with a French media company to create and curate its own in-car infotainment streaming service, designed specifically to entertain those using shared, autonomous cars. Skoda, just last week, announced that it was going to give its Irish customers a month’s worth of free data, so that they can start using in-car connected systems.
All of which sounds great….
Should we be wary?
Yes, of course we should…
Sean McElligott, partner and head of the Technology Group at leading Dublin law firm Philip Lee has warned Motorcheck that: “Modern cars are jam-packed full of features to make our lives easier and safer, such as lane control, adaptive cruise control, navigation and infotainment systems. All of this convenience has been shown to result in the generation of enormous amounts of data, which some estimates put at 25GB of data per hour – the equivalent of 125,000 Word documents or 100 hours of video. Depending on the nature of the technology used in your modern car, this sensitive information could be accessible or made available to a number of interested parties including the car manufacturer, mobile network operators, in-car system providers and the cloud service providers who store the data.”
Is this not personal data?
Theoretically, all of that data is personal, and protected under the terms of the recent GDPR legislation, but McElligot has sounded a warning that some of the data might not be strictly speaking personal (such as information about how you’re driving and which car systems you’re using) and could fall outside of GDPR regulations. “It is clear that in this brave new world of connected cars, nobody is quite sure where we are going” said McElligot. “However, from a legal perspective, car owners must be informed of all the various personal data that are being collected and the uses to which it may be put – without this, the manufacturers are exposing themselves to investigations from the Data Protection Commissioner as well as litigation from disgruntled customers.”
Are there other concerns?
The other major worry, of course, is that of security. Perhaps we should be wary of security warnings from Russian companies right now, but one major player in the cyber-security world, the Russia-based Kaspersky, has warned that it has found a way to access the door locks and ignitions of cars via hacked phones using Google’s Android operating software.
Many car makers are now using mobile phone apps that allow owners to check the status of their car remotely, including checking to see if the doors are locked and if the lights are on. Some apps also allow the car to be remotely unlocked and started, and it is in these apps that Kaspersky claims to have found weaknesses.
The firm’s researchers tested seven different apps, some of which have been downloaded as many as five-million times. Some of the issues discovered included apps that were defenceless if an experienced ‘hacker’ found access to the underlying code and began to either reverse-engineer it or incorporate their own malicious software into it. They were also able to ‘overlay’ extra windows, which allowed them to fool users into entering their security data into a window that was in fact sending that data to a third-party source. Some apps even forgot to encrypt users names and passwords, storing them in ‘plain text’ within the app.
Cyber attacks are a real concern
“The main conclusion of our research is that, in their current state, applications for connected cars are not ready to withstand malware attacks. Thinking about the security of the connected car, one should not only consider the security of server-side infrastructure. We expect that car manufacturers will have to go down the same road that banks have already gone down with their applications. Initially, apps for online banking did not have all the security features listed in our research. Now, after multiple cases of attacks against banking apps, many banks have improved the security of their products. Luckily, we have not yet detected any cases of attacks against car applications, which means that car vendors still have time to do things right. How much time they have exactly is unknown. Modern Trojans are very flexible – one day they can act like normal adware, and the next day they can easily download a new configuration making it possible to target new apps. The attack surface is really vast here,” said Victor Chebyshev, security expert at Kaspersky Lab.
IT Industry advice
The Lab’s advice to customers is to keep their apps up to date with the latest versions, to ensure the best possible security, not to ‘jailbreak’ the phone as this opens up extra avenues to hackers, not to install any apps that do not come from an official app store, and (not surprisingly as Kaspersky sells such things) to install a ‘proven security solution’ from an expert provider.
Professor Tim Watson is director of the Cyber Security Centre at the University of Warwick in the UK, and has just set up a full-size vehicle simulator which will allow his team to subject a huge variety of cars to cyber-attack to put their security systems to the test. He told Motorcheck that the most likely forms of future attack on cars were identity theft and holding the car’s systems to ransom, threatening to shut everything down if cash is not paid. “We see ransomware on PCs and we can see it on cars so we do need to make sure that they are resistant to those kind of exploits” he said.
In-car data security will have to intensify
However, he’s sympathetic toward the plight of the car makers as they feel their way into a new world of electronics and security. “They have issues. Every time you add an extra bit of physical kit, it affects the miles per gallon, it may well affect the emissions of the car the way that we measure the success and the value of a car perhaps needs to change to allow the car makers the space they need to include a bit of extra kit or whatever they need. In general they are now aware of the problem and are are struggling and making sometimes disjointed efforts to change the way that they develop cars in order to make sure that cyber security is ‘baked-in’ to that process. We will get there, I think some manufacturers are taking it more seriously than others, and often it’s the ones who’ve suffered the reputational damage already who suddenly start taking it much more seriously.”