Early in 2001, before I was even in the IT Security business, I saw a glimpse of the future. While at a CIO conference dinner, I started talking to a gentleman who was responsible for the IT infrastructure behind an emerging new service called OnStar. The conversation soon turned to the many challenges he faced—problems that were not readily apparent to the automobile industry, much less the general population.
He told me he was preparing for the first time OnStar would be subpoenaed to refute or corroborate a claim in court of someone being at a specific place at a specific time. This could easily happen in a “he said/she said” divorce case where one spouse said they were somewhere and the other said they were somewhere very different. He contemplated if OnStar would be able to provide geolocation data to pinpoint the person-in-question’s car at a specific time.
He fretted over the commercialization of the OnStar data, knowing that the phone companies had parlayed free or discounted phones into huge revenue streams because customers gladly sold their phone privacy souls to get the latest, shiniest technology. He noted there may come a day when an OnStar subscriber would climb into their car and start a well-traveled route to their neighborhood grocer. When the data indicated their probable destination, could OnStar alert the driver to specials at the store? If so, what would be the level of tolerance for this intrusion? Would the revenue realized offset losses from customers cancelling their service?
Fast forward to today. While walking to my car to get to my weekly Monday night gathering, my phone buzzed. It was an alert informing me of my current travel status and estimated driving time to the very spot I was now heading. I hadn’t requested that alert. Data based on my typical Monday night routine had been captured, stored, collated, and then used to extrapolate my destination.
As I stood in my driveway, my conversations with the gentleman from OnStar flashed into my mind. While it was not my car that had collected the data to communicate back to me, it very well could have been.
Of course, as I am completing the process of putting two children through college, my car is nearing vintage status and doesn’t have the connectivity increasingly standard in today’s vehicles. A recent study by the GSMA, “Connected Car Forecast: Global Connected Car Market to Grow Threefold Within Five Years,” says that 50% of vehicles sold worldwide in 2015 were connected (either by embedded, tethered, or smartphone integration) and every new car will be connected in multiple ways by 2025.
What fascinates me the most is the attitude of consumers. 62% of consumers are worried that cars will be easily hacked in the future, according to an RSA presentation from Kelly Blue Book. In their corresponding report “Braking the Connected Car: The Future of Vehicle Vulnerabilities,” one in three prospective car buyers say connectivity is a big factor in their decision. Furthermore, they claim that 62% of consumers are worried that cars will be easily hacked in the future. And yet, 44% of consumers feel that the vehicle manufacturer is responsible for securing a vehicle from hacking. So much being personally accountable for our own security.
Ever since some enterprising hackers remotely disabled the brakes on a Jeep and sent it into a ditch, there has been a lot of concern over the security of connected vehicles and the potential for compromise to critical systems. Then, when the actor Anton Yelchin was tragically killed when his own Jeep rolled unexpectedly, there was immediate speculation that his vehicle had been compromised. The accident was traced to mechanical failure, but the fact that compromise entered people’s minds is illustrative of growing awareness of the risks with connected automobiles.
Concern over potential brake failure is understandable, but I wonder if we are not asking enough questions about privacy. It stands to reason that if a car’s systems can be compromised to disable critical systems, then attacks can also be used to extract information. Similar to IoT, if data is being collected, data can be exfiltrated.
There are certainly trade-offs to having a connected car gathering data. For example, parents value the ability to know where their teenagers are going or how fast they drive. But what happens if the data fall into the hands of others? Do you want your insurance company to have that data? Sure, automobile manufacturers can use this real-time telemetry to improve their vehicles, but what steps are they taking to secure that data and anonymize it? To be clear, I am not accusing the manufacturers of carelessness; I am raising questions to start a dialogue. I know from experience that manufacturers are keenly aware of the issues and risks.
When you get down to it, your car knows a lot about you: where you go, when you go, how long you are there, the route you took to get there, the way you drove to get there, the temperature of the cabin, what entertainment you engaged in, and how long you were chatting on the phone (if you use Bluetooth). If you’re using it, quite a detailed record of your life is being collected and potentially transmitted somewhere.
That data may seem innocuous, but that doesn’t mean we should cede all concerns of privacy. We ask the same questions about Smart TVs, which listen into our world and collect data, so why not ask the same questions about our automobiles? Obviously safety is a huge concern, but it may also be time to consider privacy. If not, we could fall into the same trap we encountered with mobile phones—trading convenience and gadgetry for privacy.