Nuspire
In January 2023, researchers made the public aware of API vulnerabilities associated with nearly 20 automotive-related manufacturers and associated services – some of which potentially exposed customers’ personal data. This has made the industry step back and ask: what else might we be exposing as our cars become increasingly connected with systems outside of our control? What risk(s) do connected cars present to consumers?
Connected cars are a veritable repository of our personal information
To understand the gravity of the question, it’s best to unpack what information our cars have on us. The purchase process, conducted via a dealer, broker or through the manufacturer themselves (e.g., Tesla) captures nearly all of the available personally-identifiable information (PII) and financial data from a consumer. This information is maintained in accordance with applicable regulations and standards, but shared among the dealer, manufacturer, financial institutions and any associated marketing, data analytics and/or business development apparatuses. Each entity that obtains this information has the potential to expose it to unauthorized parties. This, however, is more about the connected nature of who we are as consumers than our cars themselves.
The simpler days of physical security concerns
In the late ‘90s, General Motors’ vehicles began arriving on dealer lots with new telematics and communications systems that revolutionized safety and security for buyers. The marketing copy practically sold itself; if the car was involved in an accident, the OnStar system would contact emergency services automatically. Stolen car? OnStar could relay location data to law enforcement and, in some cases, even remotely disable the vehicle. So popular was OnStar that other manufacturers scrambled to incorporate similar technologies across their vehicle lineups.
Through the lens of information security and privacy, it’s not hard to imagine how such a system could be compromised – several instances of which have found their way into movies and television. (A tangential thought exercise regarding the potential dangers of telling stories featuring actionable strategies for compromising real-world security systems is briefly entertaining.) Given appropriate access to the system, a bad actor could track a vehicle as it makes its way between the owner’s home, place of work, etc. It isn’t necessarily a hoodie-wearing hacker in a basement who is the most common potential threat in this space; an angry ex-partner, still authorized to interface with the system or even still in a position of ownership of the vehicle, could be given data, consistent with established protocols, that they then use for nefarious or even violent purposes. No violation of the terms of use or external compromise of the system is required in such cases.
What would stop a disgruntled – or mischievous – employee at OnStar (or its competitors) from remotely disabling a vehicle without cause? Or leaking the data gathered by the system to interested parties? Is there a non-zero chance of an operator accidentally selecting the wrong command in response to a reported event?
These questions have been given oxygen for more than 20 years. By all outward appearances, actual, documented cases of compromise of these emergency communications and telematics systems have been exceedingly rare. Regulatory and market pressures necessitate that such organizations have strict controls on access and on the circumstances under which emergency services are engaged. The path of least resistance for the most common would-be attackers lies elsewhere.
An exploding attack surface
‘Elsewhere’ in today’s society exists in our pockets; smartphones are a treasure trove of data that can be acted upon directly by bad actors. Given the distributed nature of the internet and the widespread adoption of services where all information is stored and processed on systems outside of our control or access – not the devices molecularly bonded to our palms – a bad actor need not bother with physical access to our devices or our cars to get what they need.
Apple, Google, etc. all have invested a magnificent amount of effort into implementing controls on their products, data centers and in their operating systems to mitigate such risk to consumers, but those consumers demand increasing integration between devices (and vehicles); most folks prefer Apple CarPlay or Android Auto, which make the vehicle an extended interface to the occupants’ smartphone. The mechanisms that allow such integration to happen also increase the attack surface for motivated attackers.
Anyone who’s purchased a used vehicle and found someone else’s device still listed under Bluetooth settings has – at least briefly – thought about what it means to connect a smart device to an automobile’s infotainment system and not properly expunge the data before parting ways with the vehicle.
Regarding Bluetooth, manufacturers such as Tesla have found favor with consumers in incorporating functionality for recognizing an authorized smartphone as a ‘key’ for access to the vehicle and even to begin operating the vehicle. Not long ago, we carried multiple physical keys on a key ring, jingling away in our pockets before we jammed one of the keys into a lock cylinder to unlock the door, then another key into an ignition cylinder to start the engine. From there, we moved to key fobs to unlock the door, then fobs that could remain in our pockets while we drove off comfortably – no keys at all. Smartphone as key fob? Sign us up.
Researchers recently made Tesla aware of a vulnerability where a simple Bluetooth relay device could bridge the distance between where the owner of a vehicle is with their smartphone and where their car is parked – potentially up to hundreds of feet away. When notified, Tesla’s response was essentially, ‘this will always be a vulnerability.’
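As an added illustration (not Tesla’s protocol or code), the following Python models the phone-as-key exchange described above and shows why a relay passes the cryptographic check yet can be caught by a round-trip-time bound; the shared key, the latencies and the threshold are all assumed values.

```python
import hmac
import hashlib
import os

# Constructed illustration (not Tesla's protocol): a phone-as-key handshake in
# which the car checks BOTH the response MAC and the round-trip time (RTT).
# Shared key, latencies and the RTT bound are assumed values.
SHARED_KEY = b"constructed-demo-key-not-real"
RTT_BOUND_S = 0.010          # assumed: a direct link must answer within 10 ms
DIRECT_LINK_S = 0.002        # assumed latency of a genuine short-range link
RELAY_HOP_S = 0.015          # assumed latency added by each relay box


def phone_respond(key: bytes, challenge: bytes) -> bytes:
    """The phone proves key possession by MACing the car's fresh nonce."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def direct_channel(challenge: bytes):
    """Owner standing next to the car: correct MAC, low RTT."""
    return phone_respond(SHARED_KEY, challenge), DIRECT_LINK_S


def relayed_channel(challenge: bytes):
    """Two relay boxes bridge the gap to a distant phone: the MAC is still
    valid (the real phone is answering), but every hop adds delay."""
    return phone_respond(SHARED_KEY, challenge), DIRECT_LINK_S + 2 * RELAY_HOP_S


def forged_channel(challenge: bytes):
    """Party without the key: fast, but the MAC cannot verify."""
    return hmac.new(b"wrong-key", challenge, hashlib.sha256).digest(), DIRECT_LINK_S


def car_unlock(channel) -> dict:
    """Car issues a random nonce, then requires a valid MAC AND an RTT inside
    the bound. A relay defeats the first check but not the second."""
    challenge = os.urandom(16)
    response, rtt = channel(challenge)
    expected = phone_respond(SHARED_KEY, challenge)
    mac_ok = hmac.compare_digest(response, expected)
    rtt_ok = rtt <= RTT_BOUND_S
    return {"mac_ok": mac_ok, "rtt_ok": rtt_ok, "unlock": mac_ok and rtt_ok}


if __name__ == "__main__":
    for name, ch in [("direct", direct_channel), ("relayed", relayed_channel),
                     ("forged", forged_channel)]:
        print(name, car_unlock(ch))
```

The millisecond values are constructed to make the effect visible; production phone-key systems take their timing margin from UWB ranging, because Bluetooth timing jitter is far larger than the radio travel time across a few hundred feet.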
Convenience comes with a cost
An underlying theme throughout these concepts is simple and irrefutable: convenience comes with a cost. To make our vehicles easier for authorized individuals to operate, we potentially make them easier for unauthorized individuals to compromise. As we move closer and closer to commercially-viable autonomous vehicles, it behooves us to recognize that when we surrender our control, there may still be opportunities for bad actors to take control of the vehicle, leading to scenarios from the innocuous (inaccurate navigation) to the potentially dangerous (single- or multi-vehicle kinetic events).

in a connected vehicle
As we accept the inclusion of in-cabin listening (and viewing) devices, we surrender a bit of our privacy. First, to the systems and organizations directly connected – including the telematics and communications systems that, ostensibly, exist for our safety and security. Second, to each of those organizations’ associates for data analytics and business development purposes. Several years ago, when caught capturing voice data through their televisions, Samsung feebly replied to its consumers by stating that owners should ensure they do not have sensitive conversations in the presence of their television – powered off or otherwise.
Our cars are entirely capable of listening to occupants now as well. At the risk of veering uncomfortably close to conspiracy theory, it should be considered that while GM, Tesla, BMW, et al. likely have no concern over your discussions, such information shared for marketing purposes could eventually be impactful. Or actionable, if intercepted by bad actors.
Connected cars are tremendously popular and convenient, and everyone has their own risk calculus. The best advice is as it’s always been – trust but verify and take only the risks you’re willing to accept.