Connected Vehicles

Chris Swagler | October 20th, 2023

 

In today’s fast-paced digital world, our vehicles have evolved into more than just modes of transportation. With an internet connection, they offer myriad features, from weather reports to automated payments for fuel. However, as cars become more connected and technologically advanced, they also become more susceptible to cybersecurity threats such as breaches and ransomware attacks, a concern highlighted by cybersecurity experts.

Addressing the Issue of Connected Vehicles

To address this growing issue, the Biden administration urges software manufacturers to prioritize security while developing their products, adopting a “security by design” approach akin to the airline industry’s focus on aircraft safety. While this shift is crucial, it poses challenges and potentially higher costs for the automobile industry, as stated by a computer security professional at the Harvard Kennedy School. The question arises: Do we prioritize affordability or the security of our vehicles loaded with convenient gadgets? The computer security professional’s perspective leans toward the latter, emphasizing the need for robust security measures.

Recent research underscores the magnitude of this challenge. Modern vehicles incorporate approximately 150 electronic control units overseeing various car systems and boast around 100 million lines of code. This number is expected to triple by 2030 as autonomous cars become mainstream, dwarfing the codebase of even the most sophisticated passenger jets, which use a mere 15 million lines of code. As the automotive industry rushes into the era of interconnected vehicles, these systems’ complexities and vulnerabilities multiply exponentially.

The threat of car breaching is not just theoretical; it has already played out. In 2015, researchers remotely accessed a Jeep Cherokee’s inner workings from miles away, causing the vehicle to lose power. This incident led the parent company to recall over a million vehicles to address the vulnerability. Before this, the same researchers had taken control of a Ford Escape and a Toyota Prius, remotely disabling brakes and seizing control of the steering wheel. These incidents are alarming wake-up calls, reminding us that malicious actors can exploit our cars’ digital complexity.

Rising Privacy Concerns on Connected Vehicles

Beyond security concerns, there are alarming privacy issues associated with internet-connected vehicles. According to Mozilla’s “Privacy Not Included” project, many major car brands are failing to adhere to privacy and security standards in these new-age cars. Carmakers like BMW collect extensive data about drivers, including sensitive information such as race, facial expressions, weight, health details, and travel history. Some data even includes a driver’s immigration status. The concept of a private space within a car is rapidly eroding as vehicles increasingly become data collection hubs.

Furthermore, much of this data often ends up in the hands of data brokers, marketers, and dealers. Partnerships with companies like SiriusXM, Google Maps, and OnStar further complicate the privacy landscape. This trend has led some experts to refer to most modern cars as “wiretaps on wheels,” emphasizing that the electronics drivers install to enhance their experience are also collecting extensive data on them and their passengers.

In response to these concerns, BMW claims to provide customers with comprehensive privacy notices regarding data collection, allowing drivers to make “granular choices” about what information is shared and asserting that they take measures to protect customer data. However, the broader issue remains, with questions regarding who ultimately controls and profits from the vast amounts of personal data collected by today’s connected vehicles.

The automotive industry’s evolution toward highly connected and technologically advanced vehicles presents both opportunities and risks. While the convenience and innovation these vehicles offer are undeniable, they come at the cost of increased cybersecurity threats and a loss of privacy. Striking a balance between security, affordability, and privacy is a pressing challenge that the industry must address to ensure the safety and trust of consumers in this new era of intelligent transportation.

At SpearTip, our gap analysis allows engineers to discover blind spots in companies that can lead to significant compromises by comparing technologies and internal personnel. We go beyond simple compliance frameworks and examine the day-to-day cyber function within companies. This leads to critical recommendations by exposing vulnerabilities in software and in your people and processes. Identifying technical vulnerabilities inside and outside companies provides a deeper context to potential environmental gaps. We offer two types of tabletop exercises: Executive and Technical. Executive tabletop exercises are custom-designed to strengthen the collaboration among business leaders and promote a common understanding of how leadership teams respond to an incident. Technical tabletop exercises are designed to review current IR policies and procedures by engaging companies’ teams in specific scenarios that test their analytical and remediation capabilities in the event of an incident. All tabletops are based on threat actors’ most current tactics, techniques, and procedures and perceived gaps in your current IR plan. Following the exercise, we identify key findings, opportunities for improvement, and remediation steps to strengthen your ongoing security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
