True North Networks Blog
Connected Car Apps Open Privacy Hole For Used Car Owners
When we think about hacking connected cars, most of the research has been around difficult-to-exploit vulnerabilities that would allow someone besides the owner to do things such as control the infotainment system, unlock the car remotely or even take control of the steering mechanism. But it turns out that there’s a much less flashy danger at play – involving a potentially widespread privacy issue.
Matt Watts, data strategist and director of technology at NetApp, discovered after buying a used car that a previous owner could access a range of his personal information via the app that connects with the vehicle.
“Many of the current generation of cars have a host of online ‘connected’ features, apps that allow you to interact with the vehicle even when you’re nowhere near it,” he explained in a personal blog post last week. “Mine has the ability for you to remotely control the climate systems, to call breakdown services, to upload GPS/destination details and much more, it also keeps a record of much of this information and stores it all against your online account.”
The problem is that once a vehicle has been linked to that online account and app, the previous owner must specifically disconnect his or her access to the account in order for a new owner to link up to it. So even though the car has a new owner, the previous owner will continue to have access to the online account – with all the new owner’s information stored within.
“When trying to link the vehicle to my account, the website informed me that the vehicle was currently linked to another users account,” Watts said. From there, he contacted the dealer and the manufacturer, who were unable to help him, saying that “We are not in a position to remove owner without their permission, previous owners would normally disconnect before they sell the car or if we took in part-ex we would have their written authority to remove from system.” The dealer then suggested tracking down the previous owner to ask them to disconnect from the account.
Watts noted that the implications are significant: “The previous owner of my car has control over it, they can unlock it, they can remotely set the climate control without me knowing about it, even when the car isn’t running, they potentially can even look at the sat-nav system, they can also call break down services to the vehicle and all of this without me knowing anything about it,” he said. “Someone else has access to a significant amount of data about myself and my vehicle and there appears to be nothing that the manufacturer is prepared to do about it.”
This privacy issue is just one more example of a lack of IoT security – in an era where consumers and businesses alike are gaga for connected things, manufacturers all too often rush to capitalize on the demand without building in privacy and security by design. And often, the supply chain is so complex that the idea of shared responsibility gets lost in the mix.
Also, people are embracing connected things without considering the potential dangers they present – Watts pointed out in his post that many people aren’t even aware that their car could be storing information in an online account somewhere – and this naivete when it comes to IoT security goes for other sectors as well. Trend Micro found in a recent report that close to half (43%) of IT decision-makers and security decision-makers say that security is an afterthought when implementing IoT projects (peaking at 46% in Germany). In addition, nearly two-thirds (63%) agree that IoT-related cybersecurity threats have increased over the past 12 months (rising to 71% in the UK and the US).
Though Watts didn’t specify what kind of car he bought, he noted that most cars today have these types of app and logging of information, making for a potentially widespread privacy problem.
“Many of the cars that are sold today…are collecting vast quantities of data about the vehicle during its lifetime and therefore your behavior, location, destinations,” he said.