Apps highlight emerging cyber risk for auto sector

08 January 2019

Cyber security firm Inside Secure recently warned that popular apps that allow drivers to control their cars from their smartphones provide a new entry point for attackers.

Vehicle manufacturers frequently offer apps linked to cloud services that allow drivers to remotely interact with their cars: unlocking doors, operating security systems and tracking a vehicle’s location from their phones. Yet smartphones and apps may include vulnerabilities, which hackers can use to unlock a vehicle, start it up and drive it away. On some models, they could even pre-set the air-con and music for their trip, says Inside Secure.

This development is a major change for car companies, as the security of the car will now be determined by the security of the smartphone. When cyber security firm Kaspersky tested nine different car-connected Android apps in 2017, it found that most lacked even basic software defences.

According to Inside Secure, a malicious app, a phishing email or the failure to update an app could all allow hackers to take control of a vehicle. If a hacker manages to compromise the app’s security, the attack could be replicated, granting control of tens of thousands of cars through the cloud service. Potentially, hackers could offer a service that unlocks an app user’s specific car on demand, the research firm warns.

In addition to vehicle theft, weak security could also result in physical damage or bodily injury. As cars become more automated, apps are likely to control more functions – some Tesla models allow the vehicle to be driven (slowly and without passengers) using a smartphone.

VULNERABILITY

In 2015, cyber security researchers exploited several vulnerabilities – including the lack of secure separation between on-board systems – to remotely hack into a Jeep Cherokee. The researchers could control the brakes, radio, accelerator and windscreen wipers. The incident was one of the first examples of remotely hacking a car, but researchers have uncovered other vulnerabilities since.

In 2018, cyber security researchers detected 14 separate flaws in several models made by BMW, including vulnerabilities in the telematics, entertainment and navigation systems. Another group also demonstrated how it is possible, via electronic control units and phone apps, to hack into a car’s systems even when the ignition is switched off. Models of VW and Tesla cars have also been shown to have cyber security flaws that make them vulnerable to hackers.

RECALL

Technical and cyber security faults could become an important driver for product recalls in the automotive sector. The 2015 Jeep Cherokee vulnerability resulted in Fiat Chrysler recalling some 1.4 million vehicles over cyber security concerns. In the same year, Ford recalled more than 400,000 cars in North America to fix a software bug.

According to Stericycle Expert Solutions, increased technology and connectivity will have an impact on recalls. The automotive sector is already one of the largest recall categories, ahead of toys, with cyber security emerging as a new trigger for recalls. According to Stericycle, connectivity or tech-related recalls have increased in the last two years. This is a reflection of increased connectivity, but also of changing attitudes towards recalls – manufacturers are now more likely to recall vehicles for non-safety reasons.

DATA RISK

By 2040, autonomous vehicle sales are expected to exceed 33 million, representing more than one quarter of the market, according to business information provider IHS Markit. Gartner forecasts that about one in five vehicles on the road worldwide will be connected to the internet by 2020, amounting to more than 250 million connected vehicles.

More advanced technology in cars means huge volumes of data will be generated by vehicles – Intel predicts that an autonomous car could generate four terabytes of data in just 30 minutes – and even transferred to manufacturers and third parties. In the future, vehicles will hold a wider range of data gathered by sensors or preference settings. Much of this information could potentially be personal, such as images and biometric, behavioural and location/geospatial data.

A majority (84%) of auto manufacturing executives expect data to become the fuel of future business models, placing greater emphasis on data security, trust and ownership, according to KPMG. According to another KPMG consumer survey, data security will be the number one purchasing criterion in the future. Eight in 10 consumers already say they would be wary of buying a car from a manufacturer that had been hacked, while some 70% of consumers are concerned that their vehicle could be hacked, according to KPMG.

PRIVACY REGULATION

The EU’s General Data Protection Regulation (GDPR), tough new data protection laws in force since May 2018, gives rise to new privacy liabilities for the automotive sector. As cars collect more and more personal data, manufacturers and component suppliers will need to employ the principle of Data Protection by Design. The GDPR will also have implications for how data is used and shared, for example with third-party service providers and insurers. Under the GDPR, organisations will require permission to store and process the data of consumers, who will also have the right to have data deleted.

The GDPR also raises privacy questions once cars are sold on. Personal data – such as satellite navigation data or mobile phone history – is stored by the vehicle or via apps. Earlier this year, a researcher showed that owners of Jaguar Land Rover cars were able to access the personal data from previous owners, collected via apps and stored in the cloud.

For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486.