Connected Cars - What’s The Risk?

Whilst having everything connected, live and synced can be a good thing, what happens to your data when you walk away?

No doubt you would have heard about the recent ransomware attacks on big businesses. The most high profile was the NHS outage, but in the last month, another incident has affected energy companies, national banks and even UK operating arms of Mondelēz International, Mars, Nivea and TESA.

You’re thinking ‘But what’s this got to do with cars?’. Well, thanks to the IoT (Internet of Things), connected cars are starting to become prevalent. We all need to think carefully about our data whilst out on the road.

Many manufacturers now offer connected car capabilities. You download an app on your smartphone, verify the car via its VIN or some other security measure, and hey presto, you can track it, record video, take pictures, download driving data, and sometimes even start your car with just your smartphone.

I myself have been in the exact same situation as reported by the BBC a few weeks ago. I had a Germanic saloon on loan to me for a week. It was fitted with connected car capability, so I hooked my smartphone up.

For the rest of the week I was able to keep a check on the car’s MPG, cool the interior before I got in on hot days and see where it was parked.

After the week the car was collected and that’s the last I saw of it. A few days later I was swiping through my phone and saw the car’s app. Out of curiosity I opened it and, to my amazement, I still had full access to the car. 

I could send commands telling it to lock, unlock, flash the headlights, cool, heat, you name it. But the car was nearly 200 miles away parked up at a golf course.

The next day I checked in on the app again; now the car was parked on a driveway. I was able to go into the map and then call up Google Street View to see the exact house it was parked outside.

Nothing stopped me from hopping in my car, driving to that exact location, unlocking the car and then driving away.

The manufacturer had clearly not checked or removed my access before handing the car out to someone else. This continued for another week or two with me being able to track the car around the country. Eventually, the access was severed, but it raises the question about personal data and your car.

How many people sync their phone via Bluetooth, Android Auto or Apple CarPlay? You normally have to accept syncing your phonebook, messages, emails and the like. But when you unpair your phone, all your data is most likely still sitting there.

Yes, you can delete it all, but often that’s not as easy as unpairing your phone. A lot of the time you have to perform a full factory reset of the infotainment system to remove your data.

Another thing is that once this data is ‘deleted’ it’s probably rather easy to still get at. 

When you delete data on computers, phones or tablets, all you’re doing is saying ‘this slot is now free’; the data behind that flag is still there.

To remove data fully you have to overwrite that slot multiple times, often with random encrypted data, which can take hours.

Currently, this hasn’t been a problem, but how long will it be before one of the big players in the market is compromised? A back door is found, and your data can be wirelessly scooped up to another device.

It’s an issue not being taken seriously enough. Everyone wants the future in their hand right now, but what if you buy a car that’s been connected to a smartphone? You could pay for it, walk away, then weeks, maybe months, later have the car disappear whilst you’re at work, or when it’s sitting on your driveway.

Or what if you sync your phone to a rental car on holiday? You leave your call history, text messages and emails sitting in that car for the next person, or even the rental company, to snoop through.

Manufacturers should actively start thinking about this, as car ownership models are changing. It’s more than likely your car won’t be your car forever, or even used solely by yourself. 

It wouldn’t take much to incorporate a secure data wipe into infotainment systems, or even a prompt when you unpair your device asking whether you wish your data to be erased.

An ever-connected world means the end user must remember to protect their data.