Connected Cars Both Best Friend and Worst Enemy, Warns BlackBerry

Automobiles are quickly becoming data collection devices and, with that transition, comes a new set of rules, consumer expectations and even regulations like GDPR.

It’s a challenge that social media, app developers and smartphone manufacturers are still grappling with – and now automakers must do the same. “GDPR is throwing a shockwave of data awareness, both in consumers and also the people that are collecting data,” said Charles Eagan, chief technology officer of BlackBerry. “I think everyone that’s collecting personal data is now thinking a little bit more actively about what is personal identifiable information. The more data sources you get, the more information you are able to gain from the correlation of many sources of data.”

That’s where the car begins to enter the fray. It serves as another data point – where you are, where you’ve been and where you’re going – that could indicate a pattern and, intentionally or not, make it easier to identify those using the vehicle. “I think when people think about GDPR, there’s an abstract understanding,” Eagan explained. “The people that are collecting your data have a responsibility to describe what they’re collecting and why they’re collecting it, and I think they have a responsibility not to retain that data. From a connected device perspective, the automobile is sort of a super special elite class of that.”

End of privacy as we know it

It is possible that automobiles will invade our privacy in ways consumers don’t realize or even expect. From the wide array of sensors designed to make sure the driver is awake to voice recognition software used for control and convenience, cars could become the ultimate spying device. There are even start-ups looking to add cameras to analyze the health and comfort of occupants. “I think it’s a massive threat vector,” said Eagan. “I think a plea for security standardization is important too. When you say something is secure and private, we almost need an ingredients label.”

That label could include information about OS security, encrypted communications, and mechanisms for responding to security threats in timely manner. Whether or not carmakers or their partners would be willing to share those details is a whole other story. “I think we’ve already seen some cases where newly connected features in cars have become attack vectors,” Eagan added. “This is how a lot of the exploits have been happening.”

For many years, consumers have shown a willingness to accept a degree of invasive technology in exchange for products or services they desire but like any other data collected in the car, these features are not impervious to attack.

Remnants of personal data

One of the other leading concerns involves what information stays behind when a consumer exits a car- or ride-sharing service. Eagan stressed the importance of making sure there isn’t a footprint that allows the next person to reverse engineer the data of previous occupants. “With the services that get delivered via automobiles, it becomes a container of connected information, so a lot of that GDPR awareness would come into the connected devices in the vehicle,” he said. “We need to be very careful about all aspects.”

Reverse engineering is one danger but automobiles also feature ports for devices (USB) and diagnostics (OBDII). There have been some discussions around the need to eliminate those ports to improve safety but that might not be the most effective or consumer-friendly solution. “Some of it is user awareness,” said Eagan. “Some of it is, how do we expect and contain these vulnerabilities? Even today, forget the car – if you throw 10 infected USB drives in a parking lot, you’ll probably successfully get in most companies. You send a phishing email across, asking people for their passwords, you’ll get it. You don’t even have to be that clever.”

Too much information?

Similar problems could arise when phishing schemes are delivered directly through a vehicle. If a malicious threat actor is able to spoof or breach the messaging system in any way, drivers – even AV ride-share passengers – could be duped into sharing too much. “The attack vector could be to ask someone for personal information,” Eagan warned. “And because it’s coming through your infotainment system, you think, ‘Oh, it’s legit.’”

If and when occupant information falls into the wrong hands, those affected won’t necessarily care how it happened. Some info can be changed (ex: user names, passwords or credit card numbers) but there are other things that are a bit more permanent.

GPS data, for example, could allow a hacker to easily figure out when a person leaves for work. Aside from moving, changing jobs or choosing to work from home, that data is likely to remain long after the security breach is patched. “Once it’s happened, it’s very hard to take it back,” said Eagan.