Today’s cars are essentially giant smartphones on four wheels. They can stream music, make phone calls and map out directions. What’s more, many cars also include systems that try to keep you in your lane and protect you from crashing into the vehicle in front of you.
But just like with your phone, these modern car conveniences can threaten your privacy and security.
“The software operating today’s vehicles easily have more than a 100 million lines of code — more than a modern fighter jet, airliner or typical operating system such as Windows,” says Peggy Smedley, president and editorial director of Connected World Magazine in Carol Stream, Illinois. “Because of all this code, it’s virtually impossible to prevent a hack.”
The amount of code is only expected to increase as cars become even more of an extension of our digital lives. Connected cars will soon be able to turn on your lights in your home, get the heat going and eventually drive themselves.
This technology is innovative, but also scary if the systems are easily hackable. Underscoring the risks, in 2014 a 14-year-old boy used $15 worth of electronics to unlock and start a car. The hack was part of a contest, and to date there haven’t been any known real-world hacking attacks against a car or its driver.
But the problem is real enough that Sen. Edward J. Markey, D-Mass., recently called for new standards to plug security and privacy gaps in cars and trucks, arguing that manufacturers aren’t doing enough. In a February report, Markey pointed out that nearly all of today’s cars include some wireless technology that could be hacked. He said most manufacturers were unaware of or unable to report on past hacking incidents.
“As consumers we want a connected world, but the fact remains, only by investing in a proven cybersecurity framework can connected cars be trusted on our highways, in our homes and in our offices,” Smedley says.
Identity theft threats
When it comes to the connected car, consumers face myriad risks from the entertainment systems embedded in their consoles.
Motorists could, for example, have their identity stolen based on data stored in the vehicle. The infotainment systems in many vehicles that provide navigation tools, hands-free calls and texting, and a host of entertainment options also store personal information, says Tony Anscombe, security evangelist at AVG Technologies, a San Francisco-based security company.
“Personal data such as the contacts synced with your phone may be stored within the car infotainment systems,” Anscombe says. “This carries the same risk as with any other device that is carrying personal data, which may give a cybercriminal the opportunity to steal and misuse this data for identity theft.”
The services you subscribe to in your vehicle — like streaming music or traffic updates — also may be susceptible to attacks. If your credit card or bank information is stored with the service, it could be compromised the same way consumers’ data have been compromised during data breaches at Target, Home Depot and other retailers.
You can keep an eye on your credit report for free at myBankrate.
Privacy also is a big concern. That’s because a GPS can track your location, where you stop on certain days of the week and even where you live. If that falls into the wrong hands, the bad guys can have a field day with your private information.
Markey noted in his report that customers are often not made aware of the data collection; if they do get the chance to opt out, it comes at the expense of disabling a valuable feature such as navigation.
Car hacks are a real future threat
Even more alarming than what nefarious people can do with the infotainment systems is what can be done remotely under the hood. Vehicle computers and sensors control acceleration, braking and steering. They can even turn on the windshield wipers.
Now consider what can happen if a bad guy hacks into that system. “While stealing personal identities might seem frustrating, imagine a hacker taking control of your steering wheel or your braking system while you are driving down a highway,” Smedley says.
The role of manufacturers
All of these risks might not seem realistic, but they can easily happen if automakers don’t harden the security built into their systems.
Geoffrey Vaughan, a consultant at Security Compass, a Toronto-based security company, says the first iteration of the connected car wasn’t built with security in mind, putting everyone in a vulnerable position. “The car makers assumed it was closed systems that would never be touched by anybody, and that’s not true,” Vaughan says. “The auto industry hasn’t given security a significant consideration.”
Wade Newton, a spokesman for the Alliance of Automobile Manufacturers, the Washington, D.C., trade group, says the industry agrees that strong consumer data privacy protection and vehicle security are “essential to maintaining the continued trust of our customers.”
He says the industry is in the early stages of establishing a voluntary automobile industry group for information-sharing and analysis of existing or potential cyber-related threats.
Markey has called for industry-wide standards that ensure all vehicles with wireless access points and data-collecting abilities are protected against hacking and data breaches. What’s more, he wants automakers to include measures to respond in real time to hacks and for drivers to know explicitly if data are being collected, transmitted and otherwise used. Markey also wants the industry to provide drivers with the option to opt out of data collection and to transfer driver information to storage outside of the car.
Be your own advocate
When it comes to the potential risks, there are a handful of things consumers can do to protect themselves. The most restrictive: You can wait to purchase a car until the security issues are worked out. “You want to let the product mature and develop over time,” Vaughan says. “Being an early adopter, you risk some blow-back. It’s going to take a while for this industry to mature” from a security perspective.
Experts also say you have to be your own advocate when buying a car. That means asking questions about the wireless technology embedded in the car and the level of security that prevents the car from a data breach or hack.
“The best thing to do is stay informed and ask a lot of questions,” says Beau Woods, a contributor to I Am The Cavalry, a website of security volunteers focused on the intersection of computer security and consumers’ daily lives.