Remote services and over-the-air updates to increasingly software-defined vehicles require robust security.

Rainer Vosseler , Manager, threat research

March 7, 2024

9 Min Read
Getty Images

Today’s automobiles are continuously generating, consuming, and transmitting tremendous volumes of data. The analysis and utilization of this vehicle data generate many new business opportunities, from enhancing the functions of the vehicles themselves to creating entirely new revenue streams that were recently impossible.

The global automotive industry’s shift toward a data-centric ecosystem also is creating a set of new challenges and responsibilities—not the least among them being the emerging hidden security risks of connected cars. Research has revealed ample opportunities for data to be leaked, and it has shown that even small amounts of vehicle data can be used to profile drivers or fleets in devious ways. What’s more, sometimes highly sensitive vehicle data is being collected, and it is unclear whether users are aware of what is being gathered and shared, even if they have consented via arcane purchase agreements.

These facts highlight serious individual privacy and security concerns about the potential misuse of unsecured data, as well as the possible violation of data-protection laws. The global automotive industry must take note. In our new automotive reality—in which technological innovation has transformed modern vehicles into no less than complex hubs of sometimes highly sensitive personal data—what are some of the hidden privacy and security risks associated with vehicle data, its generation, transmission, and usage?

Related:IT Expert Says U.S. Needs to Turn Up the Heat to Tackle Cybersecurity

The Emerging Automotive Data Ecosystem

Today’s automotive data ecosystem is a network of interlinked entities spanning connected vehicles, automotive original equipment manufacturers (OEMs) and their suppliers, as well as data brokers and consumers.

Data collection is one crucial component of this ecosystem and takes place through multiple methods. The primary channel is via the telematics control unit (TCU), which communicates with cloud infrastructure owned by OEMs and other trusted parties such as Tier 1 and 2 suppliers, via cellular networks of various generations. Data also can be collected through mobile applications connected to the automobile, an activity which widens the scope and volume of information that is being gathered.

The data collected in and around vehicles is an extremely valuable asset, holding detailed insights into rich information such as vehicle performance, driver behavior, and usage patterns. This data helps OEMs and Tier 1 and 2 suppliers improve their products and functionality, imagine and create new offerings, and boost the experience of vehicle operators through appealing applications such as predictive maintenance, route optimization, and personalized recommendations.

Related:Transportation V2X Testing vs. Security

The considerable value of the data extends beyond the manufacturers and their suppliers. While the bulk of the data typically remains with OEMs for their research purposes, the vehicle data also introduces new monetization opportunities. OEMs often sell some data sets. Once properly sanitized to ensure privacy, the data can be sold to third parties like data brokers or directly to consumers.

Telematics data, for example, not only helps in divulging the vehicle's performance but also can inform the development of personalized services and innovative business models. In this way, commercialization of vehicle data both generates additional revenue streams for the OEM and fuels an ecosystem of services, applications, and products around the manufacturer’s vehicles.

Vehicle data grows even more valuable when different fields are combined to enable new data to be extrapolated and altogether new insights to be revealed. For example, fuel efficiency can be calculated by combining Global Positioning System (GPS) data such as routes and speeds with engine performance and fuel consumption. This can contribute to improved driving habits and vehicle maintenance schedules, and it even can influence the design of future vehicle models. Data extrapolation tees up a range of valuable opportunities.

Related:How to Build a Better Vehicle with Software

The Emerging Cybercrime Possibilities

Unfortunately, of course, as monetization opportunities arise and grow more lucrative, increasingly sophisticated forms of cybercrime are sure to follow—just as honey attracts flies.

The cybercriminal market for data on connected cars today remains nascent. Observation of the online cybercriminal underground shows that current threats primarily revolve around “car modding,” where enthusiasts hack vehicle features and manipulate data such as mileage. But it is not difficult to imagine different, far more complex and damaging ways in which vehicle data could potentially be abused/misused in the near future:

  • Vehicle Tracking—Targeted vehicles could be tracked for real-time location data. For instance, with access to a vehicle’s real-time location and when its regular routes are known, criminals could effectively transform a vehicle into a “mule” by stowing contraband items underneath the vehicle. Real-time vehicle tracking also could fuel surveillance of high-profile individuals and their assets.

  • Driver Profiling — Personal habits, lifestyles and routines could be surmised from driving patterns.

  • Data Leak — Leak of personally identifiable information (PII), maintenance data, fuel consumption and other operational data could compromise individual privacy and disclose potentially sensitive vehicle information.

  • Data Manipulation — Creation of fake alerts or modification of performance data could lead to false diagnostics or potentially hazardous driving settings.

  • Data Ransoming — Vehicle data that is stored in the cloud of OEMs, suppliers and data brokers could be locked or encrypted, positioning criminals to demand ransom in exchange for restoring access.

  • Social Engineering — Stolen data could be leveraged to undertake targeted social-engineering attacks in which individuals are manipulated to perform actions such as divulging confidential information.

  • Infrastructure Disruption — Ambulances, utility vehicles and other critical infrastructure vehicles could be targeted for attacks to disrupt essential services.

  • Espionage — Automotive data could be analyzed to reveal insights into a company’s operations, strategies, and competitive advantages, fueling industrial or corporate espionage.

  • Maintenance — Access to diagnostic trouble code (DTC) and other maintenance data could be accessed to reveal vehicle vulnerabilities to be exploited for malicious attacks.

  • Vehicle Connectivity — A vehicle’s internet connections could be compromised for remote hacking and attacks on the vehicle’s systems or related infrastructure.

  • Blackmail – Data on accidents, crash locations, routes or DTC could help a criminal build a profile on a driver, setting up blackmail threats around revealing the individual’s locations, undeclared accidents, etc.

  • Insurance Fraud — Data on acceleration, breaking, rate of speed and other habits could be manipulated to qualify drivers for less-expensive insurance rates.

Potential Opportunities for Accessing Vehicle Data

Once the revenue opportunity for such potential cyberattacks clarifies, cybercriminals will find that multiple opportunities already exist to access the data that they will need to carry them out.

The application programming interfaces (APIs) of middleware that were created to foster a rich ecosystem of services via digital cockpits also could open prime opportunities for crime. They could provide easy access to vehicle electrical/electronic (E/E) architecture and electronic control units (ECUs).

Architecture-agnostic malware could be developed to enable phishing attacks against cars by installing remote access trojans (RATs), ransomware, botnets, etc. Jail-broken phones connected to the car offer another plausible attack vector for enabling malware installation.

Attacks against the OEM cloud, meanwhile, could lead to functions being disabled in vehicles and/or loss of PII, revenues, etc. Cloud APIs could be exploited to locate, unlock, start and steal cars or enable property inside to be stolen.

The open nature of Message Queuing Telemetry Transport (MQTT) servers introduces other opportunities for vehicle data to be accessed and corrupted. Designed for machine-to-machine (M2M) communications, MQTT is a lightweight, publish-subscribe messaging protocol which allows devices to easily exchange messages over unreliable networks at low bandwidth and power requirements.

Often, open/insecure MQTT servers are configured to accept write instructions from any subscriber—making them susceptible to data-poisoning attacks. Indeed, open brokers for data leaked via MQTT, lacking both authentication and password protection, already today are globally distributed. The data being transmitted includes vehicle GPS data, engine monitoring, car tracking systems and on-board diagnostics (OBD) data, providing the building blocks for the variety of ways that vehicle operators might be profiled.

Concrete Steps Toward Improving Automotive Cybersecurity

The automotive industry historically has prioritized safety over security, with security measures being implemented only when mandated by the regulatory requirements of a given jurisdiction. But a lack of comprehensive security measures could potentially leave stakeholders across the growing automotive data ecosystem highly susceptible to cyberthreats and introduce vexing new business questions:

  • What legal complexities are introduced by the industry’s unusually interconnected supply chain?

  • What does the new threat landscape mean for an OEM’s relationship with its suppliers at different levels?

  • How might the insurance industry be impacted?

  • How might the very, very fast development speed of open artificial intelligence (AI) systems accelerate the cycles by which cyberattacks could be conceived, initiated and propagated across user communities, supply chains, geographic regions, etc.?

There is an urgent need for stakeholders across the growing automotive ecosystem to go beyond regulatory compliance, to recognize the criticality of the hidden security risks of connected cars and to act prudently.

Robust measures for data protection—encryption of data at rest and in transit, secure APIs, secure cloud storage, regular security audits, penetration testing, etc.—must be implemented, as vehicles become more connected and generate, consume, and exchange greater volumes of data.

Users must be better informed by OEMs, Tier 1 and 2 suppliers, etc. about their data-collection practices, potential risks and how to protect their data. Clearer, easier-to-understand privacy policies and instructions on how to adjust data collection settings, how to fully opt out, etc. should be rolled out.

Vehicle APIs are a common point of access for cybercriminals, and, therefore, securing them should be a point of emphasis. Strong authentication, rate limiting, regular monitoring and logging of API activity to detect and respond to any suspicious activities are among the measures that could be adopted.

Clear regulations addressing the collection, storage and use of vehicle data must be written and adopted. Legislative gaps need to be addressed to provide clarity and stability. Data privacy and protection laws to safeguard drivers must be developed as necessary and enforced.

Because middleware APIs in connected cars can create new opportunities for cybercriminals by giving them easy access to the vehicle’s E/E architecture and ECUs, these APIs also must be designed with security in mind. For example, strong authentication and encryption to prevent unauthorized access are key.

The rich possibilities for profiling individual vehicle operators and passengers raise grave security concerns around how the misuse and abuse of this data could potentially compromise the safety and privacy of individuals around the world. The global automotive industry must proactively address the considerable security gaps that are revealing themselves across its rapidly evolving and expanding data ecosystem.

About the Author(s)

Rainer Vosseler

Manager, threat research, VicOne

Rainer Vosseler is manager, threat research, and brings more than two decades of experience in cybersecurity to the automotive industry. VicOne continually researches current and future cyberattacks planned against connected cars. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro’s 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles.

Sign up for the Design News Daily newsletter.

You May Also Like