As you welcome more connected devices into your home, you might accept that there is a certain level of risk involved. The fact that scammers and hackers are actively targeting this growing network of linked devices is common knowledge and taking steps to keep our personal data safe has become part of everyday life. However, there’s one device you may not consider when keeping tabs on your data security — your car.
Connected cars produce up to 25GB of data every hour, including information about the driver, the vehicle and passengers.
In 2019, the number of reported cyberattacks on connected vehicles was seven times higher than the same figure from 2016 with a 99% increase in incidents from 2018 alone.
The UK market for connected and automated vehicles is forecast to be worth up to £52 billion by 2035.
A Boeing 787 jet has about 6.5 million lines of code, while a standard connected car has about 100 million.
A 2019 cybersecurity industry survey found 62% of respondents think it’s likely that malicious attacks on their software or components will occur in the next 12 months.
When we talk about ‘connected cars’, this is essentially shorthand for vehicles that send data about the driver and internal systems back to the manufacturer over the internet.
The term also applies to actions the owner can perform with the car. These might include remote locking, linking up your smartphone to play your favourite tunes or even using an in-car app to pay at a toll booth.
While all these actions happen at the click of a button or touch of a screen, there’s a lot of complex programming required to make it seem so simple. A modern connected car uses more lines of code than a Boeing 787 and the Large Hadron Collider at CERN combined!
So, just how secure is all of this code? To give you an idea of how little needs to be interfered with to successfully hack people’s data, cybercriminals stole 380,000 people’s personal data from British Airways by changing only 22 lines of code out of hundreds of thousands.
Without the proper security to keep scammers out, discovering these changes is like finding a needle in a digital haystack.
While it certainly makes life easier, increased connectivity comes at a price. With the number of connected vehicles rising year on year, by 2026 100% of UK cars sold are expected to have this level of tech as standard.
From a personal data standpoint, this increases the number of ways in which your info is at risk to savvy scammers.
However, there is a financial incentive to this push towards complete connectivity. The market for connected and automated vehicles is forecast to be worth an eye-watering £52bn by 2035. This has prompted the government to introduce new cybersecurity standards for connected vehicles, but there are still areas of weakness.
So where are these key vulnerabilities in our increasingly connected cars?
Increased risk to personal data should be a very real concern for drivers. We’ve explored the existing vulnerabilities, giving you the inside track on the most commonly exploited security risks to be aware of.
Keyless theft or key hacking is when thieves attack the systems used to control the locking of the car, driving away without having to use the fob or put a key into the lock.
This remote approach to theft is most successful if the key is close to the car (such as on a table by the front door) and, shockingly, most often takes place when a car is parked outside the owner’s house while they’re at home.
When the key is near your car, it passively sends out the same signal that tells it to unlock, even if it’s still in your pocket or bag. Car thieves have figured out a way to scan for that signal and then hack it, to give them access to the car.
Here’s what to watch out for.
This approach is sometimes known as ‘relay theft’. Essentially, a thief can receive signals coming from your car key fob, even through windows and walls. The hardware they use tricks the car into thinking the key is nearby and unlocks the doors.
The process can take as little as 10 seconds.
This tech-savvy approach to car theft isn’t an outlier, in fact, it’s becoming the norm. Vehicle recovery firm Tracker claims that 92% of the cars it recovered in 2019 were taken without keys, up from 88% in 2018 which itself was a huge jump from 66% in 2016.
More apps that communicate directly with cars are being released all the time and this makes them a tempting target for criminals. If these applications have any vulnerabilities, they can allow for unauthorised access to your personal data and even features of the car itself.
A high-profile example of this came when Nissan had to shut down an on-board app after testing by security researchers revealed a serious vulnerability.
They were able to connect to the car via the internet and remotely control the car’s heated seating, fans, air conditioning and heated steering wheel. In an electric car, this can mean that the battery is drained without the owner realising.
This increased connectivity between devices (such as mobile apps and a car’s dashboard software) is something that it is tough for laws and regulations to keep up with.
To gain more insight into who is responsible for making sure our data remains safe, Uswitch spoke to Vanessa Challess, a Senior Partner at Tiger Law.
“The number one cybersecurity threat identified by the Information Commissioner’s Office ‘Technology Strategy 2018-2021’ are key threats to personal data collected, stored and transmitted by a range of organisations and the threats to infrastructure, networks and systems in addition to other industries as these continue to introduce “smart” features, for example, those in connected vehicles.”
“Currently, responsibility for these security concerns is apportioned between manufacturers of components through to the car manufacturers and retailers are being caught up too as those forming the contracts with purchasers.”
In certain scenarios, hackers are able to take control of safety-critical aspects of a vehicle’s operation. This means that some vehicles may contain vulnerabilities that allow hackers to access functions like steering control, braking and even turning off the engine.
This has serious implications that go beyond data security and into physical safety.
Cybersecurity researchers Charlie Miller and Chris Valasek proved this could be done when they remotely hacked into a Jeep Cherokee and interfered with its controls while it drove down a busy road from the comfort of a nearby apartment. They also discovered in subsequent tests that they could accelerate or slam on the brakes.
While this specific issue has since been patched by Chrysler, enterprising hackers are finding and exploiting new vulnerabilities in connected cars all the time.
By focusing on a car’s internal network, or CAN, hackers are able to not only access the control systems of the car but the safeguards too, which are set up to contradict any malicious commands. Without those protections in place, there would be nothing to stop someone telling the car to do anything they want it to.
Using your vehicle’s in-built apps means that it can track things like your location, entertainment preferences and even financial information. Many people also sync their phone with their car to use apps and entertainment systems, as well as share contacts for hands-free calls via the in-built speakers.
What you may not consider is that with each of these connections, there is increased opportunity for hackers to find a vulnerability and steal your data via remote access.
There are many ways for someone to hack your phone through an internet connection. From text message scams and spyware to more sophisticated methods like intercepting signals, it’s scarily easy for someone to get hold of your data if you don’t prioritise security.
Through apps with flawed security protection, Bluetooth and Wi-Fi vulnerabilities, they can use the same methods to gain access to your car and your data without you even knowing.
A more low-tech consideration, however, is what to do when you sell your car. It may be easy to forget but you must make sure you delete all of your personal data from the vehicle’s systems before parting with it.
If you don’t, you’re not only handing over the keys to your car but also whatever personal data you have stored.
Uswitch spoke to Jonathon O’Mara, a cybersecurity expert from CompareMyVPN who had this to say on what needs to be done to protect our data in increasingly connected vehicles:
“Even if basic privacy measures were put in place, we feel anonymised data can be easily matched with other elements to break down any attempts to promote user privacy. In addition, the car companies themselves can now collect huge swathes of rich personal data — mainly location-based and habitual movements. However, this also covers connected device activity such as calls made, messages and phone numbers, which for privacy-concerned individuals is quite alarming.”
“What we need is pressure from regulators and the cybersecurity industry to ensure that connected car data is both encrypted end-to-end to reduce any threat from a third party as well as what data is actually stored and kept.”
Although there is still a lot to be done to secure their increasingly connected vehicles, car manufacturers and regulators are taking threats to data privacy very seriously.
The British Standards Institute is working with experts in the car industry, big brands such as Jaguar Land Rover, Ford and Bentley, as well as with the National Cybersecurity Centre. Together they are developing guidance for those developing connected and automated car technology.
A range of automotive cybersecurity issues will soon be included in insurance policies too, so it’s best to check if your policy covers you for anything related and what to do if you fall victim to a malicious attack.
On staying ahead of the curve when it comes to securing connected vehicles, Future of Mobility Minister Michael Ellis has said:
“As vehicles get smarter, major opportunities for the future of mobility increase. But so too do the challenges posed by data theft and hacking. A robust cybersecurity standard should help to improve the resilience and readiness of the industry, and help keep the UK at the forefront of advancing transport technology.”
Follow our tips below to keep your car safe.
Don’t go overboard with the amount of connections and personal data you trust your car with — sticking to essential functions means you’re less likely to lose anything valuable.
Use steering or wheel locks, or other physical preventative measures to deter car thieves.
Keep the software in your car up to date by installing any security patches or new updates as soon as they become available. Think of software updates as staying one step ahead of the hackers.
Only download official apps from Google and Apple Stores. They are more likely to be trustworthy and will have been vetted to ensure that they meet a certain standard of quality and data protection.
Be mindful of app permissions. An app asking for access to data that isn’t relevant to its function is a red flag.
Use a fob blocker, metal-lined wallets and bags that work by restricting your fob’s signal. They are available from £5, but make sure to test it before you rely on it.
Clear all of your personal data from a vehicle before selling it to avoid handing over personal data to the next owner.
Check how your phone is running after downloading an app. Malicious apps tend to drain the battery really quickly as they operate unseen in the background. If left unchecked, once connected to your car, this could become a serious issue.
While this list isn’t exhaustive, it gives you the basics you’ll need to avoid becoming an easy target.
Ensure your car is protected with the best car insurance policy for you.