Data Protection Goes On A Road Trip: Attractions And Bumpers

by Evelyn Addison — 8 months ago in Security 3 min. read

Air-cooled and automated braking systems used to be a luxury option, and now they are the norm. The same is happening with connected cars; the global market for connected cars is predicted to triple from 2020 to 2028. The current target customers are car owners seeking experiences like entertainment or extra services like stolen vehicle tracking, rather than simply getting from A to B. (Although getting from A to B may one day require connectivity as well if self-driving cars become the standard.)

When over a third of the top cyber attacks in the automotive sector are data breaches, protecting this data becomes an important issue to address both legally and technologically. Read on to understand what kind of data is being collected, how vulnerable this data is, what makes protecting this data complex, and why data protection in automobiles should be a requirement as the industry progresses.

The Range of Data Collected

At least in America, where over 90% of households own more than one vehicle, there’s a stockpile of data to be gathered. Beyond personally identifiable information like your name and license tied to the car’s Vehicle Identification Number (VIN), data gathered can range from the location of your car to how you drive.

A recent review (2023) by WIRED ran popular brands of cars like Toyota, Ford, and Jeep against a newly released privacy tool to see exactly what’s captured by car manufacturers. The results show just how detailed this data can be. Collected data includes:

  • Call history
  • Acceleration and speed
  • Braking and swerving
  • Tire pressure
  • Trip logs
  • Camera images
  • Biometric data for digital keys

Manufacturers use that information to not only provide a custom driving experience but also to presumably sell this data to car insurance companies. A recent study by KPMG found that over 40% of executives expect automakers to sell data to auto insurance companies. The government is also keenly interested in this data; the EU proposed a “black box” in vehicles like those integrated with airplanes to record data on the vehicle and use it to investigate any accidents if necessary.

Proven Risks and Increasing Regulation

When technology advances, security often lags. This lag results in an increased risk of data breaches and attack vectors ripe for exploitation, whether intentional or unintentional. As early as 2015, researchers proved that attackers could remotely hijack Chrysler vehicles, taking control of the transmission, the brakes, and the steering wheel. In 2017, Hyundai’s mobile application proved vulnerable, allowing hackers to potentially locate, unlock, and start vehicles—all remotely. In 2023, Toyota acknowledged that over 2 million customer records were exposed to cloud environments for 10 years.

Governments are taking notice of the increasing cybersecurity threat and the lack of protection without legal incentive; recent government requirements like the United Nations Regulation No. 155 and No. 156 set the standards for the cybersecurity and software update management systems of connected vehicles. This includes Over-the-Air (OTA) software updates to vehicles, which ensure each vehicle has the latest safety fixes and lift the burden from the consumer.

Complex But Necessary: Data Security in Connected Automobiles

Even with legal questions surrounding exactly which data is protected and who’s legally responsible, one thing is clear: the data on these automobiles, whether personal or device-specific, need to be secured and regulated. Beyond concerns about selling data to insurance companies, consumers should not need to be concerned about yet another avenue for hackers to exploit personal data, payment information, or information for personal safety, such as geographic location at all times.

Lessons from other industries, such as the financial sector, can be applied to the automotive sector. For some enterprises, protecting an endpoint means protecting a laptop, a server, or a cloud service; the same principles can be applied when the endpoint is a car. Technological solutions already identify and restrict data like credit card numbers and social security numbers, and the same approaches can be applied to GPS coordinates or VINs hosted on the software of the car or the mobile applications of automotive manufacturers.
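
As an added illustration (not code from the article or from any manufacturer), here is how the pattern-plus-validation approach used for card numbers carries over to VINs and GPS coordinates in telemetry logs. It assumes North American-style VINs, where position 9 is a check digit; the function names and sample lines are constructed for this example.

```python
import re

# Letter values for the VIN check-digit sum (I, O and Q never appear in a VIN).
_VALUES = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                   [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9, 2, 3, 4, 5, 6, 7, 8, 9]))
_VALUES.update({str(d): d for d in range(10)})
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]

VIN_RE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")
# Decimal "lat,lon" pair with at least 4 fractional digits, not inside a longer number.
GPS_RE = re.compile(r"(?<![\w.])(-?\d{1,2}\.\d{4,}),\s*(-?\d{1,3}\.\d{4,})")


def vin_is_valid(vin):
    """Assumption: position 9 is a check digit (weighted sum mod 11, 10 written as X)."""
    total = sum(_VALUES[c] * w for c, w in zip(vin, _WEIGHTS))
    return vin[8] == ("X" if total % 11 == 10 else str(total % 11))


def redact(text):
    """Return (redacted_text, findings); only validated candidates are masked."""
    findings = []

    def _vin(m):
        if not vin_is_valid(m.group(0)):
            return m.group(0)          # 17-char token, wrong check digit: not a VIN
        findings.append(("VIN", m.group(0)))
        return "[VIN]"

    def _gps(m):
        if abs(float(m.group(1))) > 90 or abs(float(m.group(2))) > 180:
            return m.group(0)          # out of range for latitude/longitude
        findings.append(("GPS", m.group(0)))
        return "[GPS]"

    return GPS_RE.sub(_gps, VIN_RE.sub(_vin, text)), findings


# Constructed sample telemetry lines (not from any real vehicle or vendor).
SAMPLE = [
    "trip_start vin=1M8GDM9AXKP042788 pos=48.137154,11.576124",
    "fw_update build=1M8GDM9A1KP042788 status=ok",   # check digit altered
    "tire_pressure kpa=231.5000,229.0000",           # looks numeric, not a position
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact(line))
```

The check-digit step plays the role the Luhn check plays for card numbers: it keeps 17-character build IDs and similar tokens from being flagged as VINs.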

That’s not to conclude that data security will be as simple as dropping existing solutions onto a car. The complexity of moving and driving a vehicle with multiple cameras and sensors means 100 million lines of code—four times the amount of a fighter jet. It means a multi-layer attack surface that includes servers, keyless systems, cellular connectivity, Wi-Fi, Bluetooth, the cloud for data processing, and physical entry points like the OBD-II port to connect to software for onboard diagnostics.

The high stakes for automotive data become more obvious when breaches can actually be used to remotely unlock and start cars. As the future moves toward an increasingly connected auto fleet, first for entertainment or loss prevention and eventually for autonomous cars, connectivity will become a requirement, and data protection will follow suit. Both technology and legal regulation are necessary to protect against the exposure or abuse of sensitive data, especially when human life is at risk.

Evelyn Addison

Evelyn is an assistant editor for The Next Tech. She just finished her master’s in modern East Asian Studies and plans to continue with her old hobby, computer science.

Copyright © 2018 – The Next Tech. All Rights Reserved.