One of the big questions surrounding driverless cars is data; how secure is it? New research from Uswitch has revealed some interesting findings;
- 67% of new cars that are registered in the UK are ‘connected’, with projections showing this will rise to 100% by 2026.
- Connected cars produce up to 25GB of personal data every hour, including data about the driver, the vehicle and passengers.
- In 2018, the number of reported cyberattacks on connected vehicles was six times higher than the same figure from 2014.
- The UK market for connected and automated vehicles is forecast to be worth up to £52 billion by 2035.
- A Boeing 787 jet has about 6.5 million lines of code, while a standard connected car has about 100 million.
- A 2019 cybersecurity industry survey found 62% of respondents think it’s likely that malicious attacks on their software or components will occur in the next 12 months.
When we talk about ‘connected cars’, this is essentially shorthand for vehicles that send data about the driver and internal systems back to the manufacturer over the internet. The term also applies to actions the owner can perform with the car. These might include remote locking, linking up your smartphone to play your favourite tunes or even using an in-car app to pay at a toll booth.
So, just how secure is all of this code? To give you an idea of how little needs to be interfered with to successfully hack people’s data, cybercriminals stole 380,000 people’s personal data British Airways by changing only 22 lines of code out of hundreds of thousands.
Without the proper security to keep scammers out, discovering these changes is like finding a needle in a digital haystack.
Watch a Range Rover being stolen in 60 seconds here;
Connected Cars Are Here to Stay – What Are The Risks?
While it certainly makes life easier, increased connectivity comes at a price. With the number of connected vehicles rising year on year, by 2026 100% of UK cars sold are expected to have this level of tech as standard.
The market for connected and automated vehicles is forecast to be worth an eye-watering £52bn by 2035. This has prompted the government to introduce new cybersecurity standards for connected vehicles, but there are still areas of weakness.
Keyless vehicle theft
Keyless theft or key hacking is when thieves attack the systems used to control the locking of the car, driving away without having to use the fob or put a key into the lock. It is something that car insurers are well aware of, as professional thieves target particular makes and models.
This approach is sometimes known as ‘relay theft’. Essentially, a thief can receive signals coming from your car key fob, even through windows and walls. The hardware they use tricks the car into thinking the key is nearby and unlocks the doors. The process can take as little as 10 seconds.
This tech-savvy approach to car theft isn’t an outlier, in fact, it’s becoming the norm. Vehicle recovery firm Tracker claims that 92% of the cars it recovered in 2019 were taken without keys, up from 88% in 2018 which itself was a huge jump from 66% in 2016.
Weaknesses in connected mobile apps
More apps that communicate directly with cars are being released all the time and this makes them a tempting target for criminals. If these applications have any vulnerabilities, they can allow for unauthorised access to your personal data and even features of the car itself.
A high-profile example of this came when Nissan had to shut down an on-board app after testing by security researchers revealed a serious vulnerability. They were able to connect to the car via the internet and remotely control the car’s heated seating, fans, air conditioning and heated steering wheel. In an electric car, this can mean that the battery is drained without the owner realising. There is an obvious issue of duty of care arising from such malicious actions – manufacturers have to prevent such hacking of course, and if a recall is issued, insurers should ideally make sure that their policyholders know, or are reminded of their responsibility to have complex systems re-calibrated and checked when a recall is issued.
To gain more insight into who is responsible for making sure our data remains safe, Uswitch spoke to Vanessa Challess, a Senior Partner at Tiger Law.
“The number one cybersecurity threat identified by the Information Commissioner’s Office ‘Technology Strategy 2018-2021’ are key threats to personal data collected, stored and transmitted by a range of organisations and the threats to infrastructure, networks and systems in addition to other industries as these continue to introduce “smart” features, for example, those in connected vehicles.”
“Currently, responsibility for these security concerns is apportioned between manufacturers of components through to the car manufacturers and retailers are being caught up too as those forming the contracts with purchasers.”
Directors Liability anyone? How about commercial cyber insurance; does your policy cover data leaks via a company car, or phone system within that car?
Remotely taking control of vehicles
In certain scenarios, hackers are able to take control of safety-critical aspects of a vehicle’s operation. This means that some vehicles may contain vulnerabilities that allow hackers to access functions like steering control, braking and even turning off the engine.
This has serious implications that go beyond data security and into physical safety.
Cybersecurity researchers Charlie Miller and Chris Valasek proved this could be done when they remotely hacked into a Jeep Cherokee and interfered with its controls while it drove down a busy road from the comfort of a nearby apartment. They also discovered in subsequent tests that they could accelerate or slam on the brakes.
While this specific issue has since been patched by Chrysler, enterprising hackers are finding and exploiting new vulnerabilities in connected cars all the time.
By focusing on a car’s internal network, or CAN, hackers are able to not only access the control systems of the car but the safeguards too, which are set up to contradict any malicious commands. Without those protections in place, there would be nothing to stop someone telling the car to do anything they want it to.
Theft of personal data
A more low-tech consideration, however, is what to do when you sell your car. It may be easy to forget but you must make sure you delete all of your personal data from the vehicle’s systems before parting with it.
If you don’t, you’re not only handing over the keys to your car but also whatever personal data you have stored.
Uswitch spoke to Jonathon O’Mara, a cybersecurity expert from CompareMyVPN who had this to say on what needs to be done to protect our data in increasingly connected vehicles:
“Even if basic privacy measures were put in place, we feel anonymised data can be easily matched with other elements to break down any attempts to promote user privacy. In addition, the car companies themselves can now collect huge swathes of rich personal data — mainly location-based and habitual movements. However, this also covers connected device activity such as calls made, messages and phone numbers, which for privacy-concerned individuals is quite alarming.”
“What we need is pressure from regulators and the cybersecurity industry to ensure that connected car data is both encrypted end-to-end to reduce any threat from a third party as well as what data is actually stored and kept.”