5 Privacy Worries on 4 Wheels: Staying Safe in the Connected Car Era

Opinion

As modern vehicles are upgraded to include Internet-enabled technologies designed to access, store, and transmit data for entertainment and safety purposes, consumers are presented with a double-edged sword. On one hand, these connected systems provide important convenience benefits for consumers, but on the flip side, motor vehicles are being exposed to a growing number of security and privacy risks.

As the market for connected cars continues to grow (an estimated $155 billion by 2022) and more semi-autonomous vehicles roll off assembly lines, the severity of security and privacy threats rises exponentially, becoming major concerns for both car buyers and manufacturers. Here are five of the top privacy issues associated with connected motor vehicles:

1. Leaking wireless information, much like smartphones

From Bluetooth capabilities to Wi-Fi access points to tire pressure sensors, these components add up to a unique fingerprint for each car that can be traced and potentially hacked. Couple this with the wireless signal a phone distributes, and malicious actors can not only track the vehicle, but also identify exactly who is inside.

2. In-vehicle data recording systems

The closest thing to an airplane’s “black box” in a car is its “event disaster recovery” system, which retains 12 seconds of recorded data prior to an accident. This mainly records acceleration, braking, and insurance-related information—seat position, weight of the driver, whether the seat belt was on, and so forth. This information is used by law enforcement and insurance agencies to get a better sense of what happened when the airbag was deployed and who was driving. While the importance and benefits of this data tracking are clear, it’s possible this system could be breached to allow a cyber attacker to pull this personal information.

3. “Infotainment” and navigation systems

Two perhaps lesser-known data collection systems in vehicles—infotainment units and navigation tools built into dashboards—log vehicle users’ GPS history, phone connections, contact lists, usage history, and even software developer logs. Perhaps most frightening is that these systems do not have industry standards that define what they should and should not record. The privacy implications are straightforward: attackers can potentially track down a target by breaching these “always-on” GPS systems. Not only is a vehicle operator’s digital safety at risk, but also his or her physical safety.

4. Telematics systems

These are the cellular connections linking back to the vehicle manufacturer or a third-party operator, typically used to call for help in case of an accident or if keys are locked in a car. Telematics systems record information and wirelessly transmit it to data-storage hubs located outside of the vehicle. Car owners are not usually given the option to opt out of this type of data collection.

5. Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication

This is the specific type of wireless communication used in newer cars that supports “advanced driver assist systems”—think collision warnings and automatic parking—and is one area that privacy has been taken into consideration during the product design process. V2V and V2I communication encrypts its data traffic with disposable keys so that the information is largely anonymous. While the sensors used for self-driving vehicles could be fingerprinted, the actual communication over these systems is protected.

While it may seem like consumers are subject to the mercy of manufacturers to ensure their privacy, there are a few things they can do to protect themselves. For instance, while vehicle operators do not have a lot of control over what their vehicle records about them, there still are opt-out options for some services. For example, Tesla has two levels of opting out: one that limits data collection (although there are still cellular communications), and one that forces Tesla to remove the SIM card entirely from a vehicle, preventing any sort of remote logging. Despite these two opt-out options, it is important to note that in-vehicle data recording will still occur.

The second method is to manually disconnect and replace specific components. For instance, vehicle owners can remove the telematics unit and replace it with an aftermarket radio. Those seldom directly connect to the vehicle’s network and often do not have features such as GPS. The swap will remove a portion of the vehicle’s default connections, making it more difficult for attackers to breach the system.

Finally, consumers should be wary of dongles they attach to their vehicles that allow them to do things like monitor the vehicle’s performance or locate it. While dongles are increasing in popularity, they have a cellular connection and talk directly to a vehicle’s network. These gadgets have few cybersecurity measures in place and can be easily compromised by an attacker. If a vehicle operator plans on using a dongle, he or she should not leave it connected for long periods of time.

The continued evolution and connectivity of devices—big and small—present a variety of benefits, but privacy and security implications must be addressed. Consumers can make smart, educated decisions that align with their personal levels of comfort. Attackers are getting more inventive every day in terms of data-stealing methods, and connected cars are just the next step in their well-calculated plans.

Craig Smith is the research director of transportation security at Rapid7, a publicly traded cybersecurity company with headquarters in Boston. He is based in Seattle. Follow @

Trending on Xconomy