The Internet of Things is rapidly expanding, and it connects you to everything and everyone – your home, the companies you shop and do business with and the larger digital community. Now, even our vehicles – essential parts of our day-to-day lives – are connected to the internet, and while cars’ collection, storage and use of data can help make life more convenient and efficient, they also present security and privacy risks. It’s important to know what information our cars collect, how they use our data and how we can manage our privacy and identities in a growing connected car landscape.
I recently spoke with Tony Aquila – founder, chairman and CEO of Solera Holdings Inc. – about connected vehicles’ relationship to cybersecurity, the vulnerabilities and concerns we should be aware of, what we can expect in the future and how consumers can more safely and securely buy, rent and/or part with their connected vehicles.
MICHAEL KAISER: From where you sit, what does the current landscape of cybersecurity and the connected vehicle look like?
TONY AQUILA: Cybersecurity is becoming increasingly important and essential to consumers. From phones to computers, people want privacy and control over their personal information. But one of the biggest smart devices in our lives is being overlooked – today’s vehicles.
Vehicles are largely still in the infotainment phase. Manufacturers are thinking about safety elements and ways to entertain, but cybersecurity is not their top priority. Privacy and security are not high enough on the agenda, as they historically did not help sell cars or enhance brand perception. I believe this is about to change.
MK: What vulnerabilities in the connected and/or autonomous vehicle system should consumers be aware of?
TA: Cars have become connected devices. Most, if not all, vehicles will have IP addresses by 2020, which means they’re hackable with different levels of intrusion.
A hacker who gets control of a vehicle will know a significant amount of personal information about the owner, as most people synchronize their smartphones with their cars. Criminals can use information about driving patterns to figure out when a person is home or away, creating a very real threat for cars to become devices of micro-terrorism. For example, if a car’s data fell into the wrong hands, a malicious hacker could determine when the car’s owner was out at a bar with friends, take control of that vehicle remotely, drive it somewhere, cause harm to others and return it without the owner ever knowing. Then, it would be up to the owner to prove that he had not committed the crime. That technology exists today.
MK: What should car owners know about the data their cars are generating that they don’t know now?
TA: Most people don’t realize that their phones sync with their cars every day. There’s a wealth of personal information that exists in your car, such as your address book, call log, navigation history and driving behavior and patterns. With this information, a cybercriminal could create an accurate personal profile on with whom you often speak, where you live and work, where your children go to school and more. Hackers today can learn more about someone from their car than from their house, as cars have become mobile computers.
MK: There’s hope that cars will be built with the strongest cybersecurity and privacy they can have in the manufacturing process. Do you believe that as we evolve over time, car owners and drivers will play a role in maintaining the cybersecurity of their vehicles? If so, what will that role look like, and if not, how will the cybersecurity of their cars be maintained over time?
TA: Every car built after 1996 has an on-board diagnostics (OBD) port created to diagnose cars. Today, technicians simply plug a device in to the port, and the software diagnoses the vehicle’s problems.
Soon, I believe car owners will buy a device that plugs into the port and monitors everything that happens in their car, from their seat settings and calendars to their driving patterns. However, consumers must be given the power to choose what information they want to share with the device. They’ll plug it in and protect themselves and take it with them when they leave to wipe everything from their cars. This device will be able to detect an attack as it happens and defend against it.
As the evolution from human to software continues, people must be completely responsible with their information.
MK: What role do you think government will or should play in making sure vehicles are secure? And what role should industry play?
TA: Companies are still using technology first for their benefit and second for their customers. But when addressing cybersecurity and privacy, they must put the consumer first. Consumers want to be able to trust businesses and technology with their personal information, and that trust obliges companies to reciprocate by protecting their privacy. User ownership and control of personal data must always be top priorities. Some governments will regulate the process, and some won’t.
It’s up to companies to make sure vehicles are secure, but it’s not up to them or the government to decide what information should be collected from consumers through their cars. A consumer must have the right and responsibility to control the data created and stored in their car.
MK: What should consumers be paying attention to when it comes to maintaining the cybersecurity of their vehicles? What are your tips and advice for people who are buying, renting or selling/getting rid of connected cars?
TA: As cars become increasingly more intelligent, consumers must be responsible for their digital fingerprints to maintain their vehicle’s cybersecurity. Don’t give out personal information when it’s not necessary, like setting your home address as “home” in your phone or car.
Equally important is what owners do when they no longer want to be owners. Just like phones and computers, consumers don’t keep cars forever: people trade in and trade up with good regularity. But unlike other devices that consumers wipe clean before giving up, they don’t do that with cars, which leaves an enormous amount of personal information out there that someone else can access. Just like you would with a smartphone or computer, wipe everything from your car before selling it and make sure to delete all personal data like address books and navigation history. This is especially important for rental cars: avoid adding any personal information to the vehicle infotainment systems, such as your contacts or home address. If you must add information, make sure you delete the entries prior to the return of the vehicle.
Tony recently spoke about managing your digital identity in a world of connected cars at the 2017 Data Privacy Day event at Twitter’s headquarters in San Francisco. Get additional tips by watching his talk here.
Cars make up an important part of the growing IoT, and it’s crucial to take steps to secure your car and any other connected devices you own or use. Check out our Navigating Your Continuously Connected Life infographic for security precautions to help you connect to your “Internet of Me” with more peace of mind. And visit staysafeonline.org for even more cybersecurity and privacy tips, resources and news.