Data Security for Vehicles Connected to the InternetDo you drive a connected car? Do you ever wonder about the security of your data? If you don’t, maybe you should start, because the computer systems in your car are tracking how you drive, your speed, and whether or not you use a seat belt – and your vehicle has the ability to share that data wirelessly. Do you know who has access to all of that data? All of this connectivity can provide the convenience of real-time navigation, built-in emergency calling features, the ability to receive software updates over-the-air, but it also creates a security vulnerability for you.

Whenever a device is connected to the Internet, it must be protected from hackers who could gain access. Then there is always the chance of a data breech where your secure information might be compromised. Despite the example of the Jeep Cherokee whose onboard computer systems were hacked in a televised, controlled demonstration, hacking into a vehicle is still quite complicated and difficult, but not impossible. Automakers do not reveal what kinds of data they collect, and many are not clear on their privacy policies.

In an opinion piece in Computer World Magazine, author Johnny Evans wrote about the wort case scenarios with regard to connected cars and consumer privacy (or the lack thereof):

  • Hacked cars. Whether it is from thieves who hack into cars through the computer or DARPA researchers taking control of cars remotely, auto consumers have a whole new set of risks in exchange for the convenience of connectivity.
  • Maintenance bullies. Telematic sensors in the vehicle will let you know when your car needs to be serviced before it becomes a problem.
  • The long arm of the law. There are not many safeguards in place to prevent the abuse of the technology by law enforcement, which could issue you a parking ticket or a moving violation.
  • Insurance spies. Insurance companies could potentially collect hordes of data about you and set pricing that reflects what they know about you and your driving habits.
  • The data you could sell when you sell your vehicle. When you give away an old cell phone or laptop, you can clear all of your old data from it before passing it along. How do you wipe all of your existing data from your car’s computer before you sell the car to someone else?

In February 2015, Senator Ed Markey (D. Massachusetts) released the answers he received from a letter he had sent to 20 automakers quizzing them on the security measures they have taken to protect the car buyer’s privacy. The responses reveal that vehicles with a wireless connection could potentially be hacked and their critical systems accessed remotely. Markey’s survey, according to a story in Wired magazine, revealed that many automakers are collecting detailed location data from their cars and transmitting it insecurely. Markey tells us:

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information. We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”

In May 2015, the members of the House of Representatives’ Energy and Commerce Committee followed up with even more detailed questions for 17 automakers and the National Highway Transportation Administration (NHTSA). In a statement the committee leaders wrote:

“Connected cars and advancements in vehicle technology present a tremendous opportunity for economic innovation, consumer convenience, and public health and safety. These benefits, however, depend on consumer confidence in the safety and reliability of these technologies. While threats to vehicle technology currently appear isolated and disparate, as the technology becomes more prevalent, so too will the risks associated with it.”

In response to the alarming vulnerability these queries have uncovered, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced legislation that would establish data security and privacy requirements for new passenger vehicles, while also informing consumers about the risk of remote hacking. The “Security and Privacy in Your Car Act of 2015,” also called the SPY Car Act, would also prohibit manufacturers from using the data they collect from consumers for marketing purposes without first getting consent from the consumer.

Tips for protecting your privacy in a connected car

An article in CIO magazine shares these four tips to secure your connected car:

  1. Make sure your car’s software is up-to-date. Outdated software leaves you more vulnerable to hacking.
  2. Do not “jailbreak” the car’s software. It voids the warranty and leaves the system vulnerable to hacking.
  3. Avoid plugging random devices into the car’s USB port, or the OBD2 diagnostic port.
  4. Before using a connected-car device or app, make sure it has been hardened before you use it.

The Electronic Privacy Information Center (EPIC) advocates for consumer data privacy, and they have urged the Transportation Department to do everything possible to protect driver privacy in connected cars.