
Automotive Cybersecurity: The Good, the Bad, and the Ugly

by Fred Decker

Most readers of this blog are well aware that modern, online life involves some tradeoffs where privacy is concerned. Yet there’s one class of product that never occurs to most of us when we think about privacy and cybersecurity: our cars. That’s a pretty big blind spot, because modern cars are highly connected and constantly collecting data. Automotive cybersecurity and data security is an entirely new frontier, and it’s still very much the Wild West. Here’s what you need to know about it.

The Two Big Threats in Automobile Cybersecurity

It’s not really surprising that our cars are open to cybersecurity threats. Most cars made in the past several years have one or more modems built into them for communication purposes and are basically smartphones on wheels (right down to the touch screen). In fact, Volvo’s upscale brand Polestar actually plans to release its own smartphone.

There are two main threats to your security (and your car’s) posed by these high-tech modern vehicles. One is the risk of hackers or thieves making malicious use of whatever vulnerabilities they can find. As far back as 2015, security researchers showed they could hijack control of a Jeep Cherokee through its connected infotainment system. Similarly, researchers demonstrated in late 2022 that a range of brands — from Ford and Hyundai to Porsche and Ferrari — were vulnerable to connected attacks. Those were ethical hackers, whose job is to find vulnerabilities so manufacturers can fix them. Less-ethical hackers, of course, exploit the vulnerabilities themselves or sell knowledge of them (and sometimes the code necessary to exploit them) to third parties. 

Overall, though, the biggest cybersecurity threat to your vehicle may come from a second, unexpected source: its manufacturer. 

Why Carmakers Are a Big Threat to Vehicle Cybersecurity

We’ve written before about your “digital footprint,” and how all the things you do online come together to provide companies with information about your preferences and habits. Some of that comes from your online activities, posts, and purchases, but other data is collected by your phone or other devices (that’s why turning off location sharing in your apps can be a good idea, for example). 

Of all your connected devices, only your vehicle rivals your phone as a source of user data. In September of 2023, the Mozilla Foundation (best known for its privacy-oriented Firefox browser) released a privacy analysis of the automotive industry, covering 25 brands. It makes for less than comforting reading. 

All 25 brands failed to meet Mozilla’s minimum standards for privacy and/or data security (they’re spelled out here, if you’re interested). Some of the highlighted concerns include: 

The sheer range and volume of data collected, from safety data like acceleration and braking to smaller details like:

  • Heart rate.
  • Images and video.
  • Your physical characteristics.
  • Your genetic information.

(NB: In a supporting article, the Mozilla Foundation detailed well over 150 types of data manufacturers can collect about their drivers.) 

Lack of Clear Policies & Transparency

The report also found that a lack of clear privacy policies, data-use policies, or basic data protection policies plagues the auto industry. More specifically, it revealed that…

  • Most companies had multiple dense privacy policies.
  • Most privacy policies include vague language, giving them lots of leeway to play fast and loose with your data.

The report also uncovered a startling lack of transparency regarding cybersecurity and data protection protocols. 

  • Researchers were unable to clarify what, if any, standards were used to secure user data.
  • Researchers were unable to clarify whether any manufacturers encrypt your data by default.
  • Many manufacturers, including Volkswagen/Audi, Toyota, and Mercedes-Benz, have suffered major data breaches recently.

All in all, it adds up to show an increased need by the auto industry to take user privacy and protection seriously.

There’s a Whole Data Ecosystem Around Cars and Drivers

Carmakers have a direct interest in some of the data they harvest — it gives them useful feedback on how to improve their vehicles and software — but it also generates some extra revenue. Finding ways to monetize that data isn’t really their forte (aside from selling subscriptions for premium features), leading them to partnerships with third parties.

The result of this has been the rise of a whole ecosystem of vehicle data hubs built around this data. The car companies provide them both with raw data and inferences drawn from that data — they might guess your race and ethnicity, for example, from your address, the places you go, and the music you listen to — and the brokers in turn package that up in a variety of ways for different clients. 

Some of these hubs use your personal data as-is, obscuring your identity in various ways, while others make a point of dealing only with anonymized data (which has identifiable details scrubbed). Anonymized data is more convenient for the companies involved because there are fewer regulatory constraints around how it’s used. 

What This Means to You Personally

“So all of this sounds bad,” you may be thinking, “but what kind of risks am I facing personally?” 

Well, there are a number of potential issues (with a varying range in how likely they are to occur). While cars being directly hacked isn’t a common occurrence (for now, at least), malicious hackers could take control of your vehicle, as in the 2015 Jeep hack, or use your car’s cameras and sensors to surveil you directly. Location tracking is a necessity for those frequently using GPS services, but it also opens the door for ill-intentioned parties to track your whereabouts through the car’s app, learning everywhere you’ve been.

Then there’s the question of the data that’s been harvested, and how it’s used. Data collection and use aren’t all bad, and in fact, can be used to improve services and marketing. But, because the data that’s gathered is so broad and so deep, it could be seen as a huge bullseye for criminals. The existence of such a large and rich data set makes it a mouthwatering target for hackers. The huge quantity of information it represents would make any hack of a carmaker’s systems a massive threat for identity theft. 

What Can I Do About Automotive Cybersecurity? 

If this were an article about phone- or computer-related risks, at this point we’d offer up several steps you could take to make your device more secure. Unfortunately, with cars, there’s not a lot you can do. Unlike phones, they’re not meant to be tweaked by their users (in fairness, that would be a massive headache for the carmakers). 

That being said, there are a few things you can do to make yourself and your car more secure: 

Rein in the App

Most brands now have an app that links to your car’s infotainment system, and leverages your phone’s capabilities. In the Settings menu of your Apple or Android device, you can look at that app’s permissions and limit them to what’s absolutely necessary. 

Always Keep Your Car and Your Devices Updated

Aside from improvements and upgrades in the software, updates are often made to patch newly discovered vulnerabilities (like the ones revealed by the researchers we spoke of earlier). This won’t keep your information from the car companies themselves, but reduces your exposure to hackers. 

Use a Service Like Privacy4Cars

Typing your Vehicle Identification Number into its database will tell you what data your manufacturer’s privacy policies and Terms and Conditions allow it to collect, and on what terms. You’ll also get a report of which data hubs they work with and, where applicable, guidance on finding those companies and navigating their (usually complex) “remove my data” process.

Level Up Your Own Personal Security Measures

Minimize your digital footprint, turn off tracking on your phone, upgrade your passwords (and maybe use a password manager to help with that), and use multifactor authentication wherever it’s available. None of these steps will prevent data collection or identity theft, but collectively they’ll make it harder for identity thieves or anyone else who wants to de-anonymize your data. 

Similarly, signing up for Spokeo Protect — our identity protection service — can alert you to identity theft, and, if you’re a victim, offer a suite of protections against its effects. You can also search yourself periodically using our regular name, address, and phone number lookup tools, which can frequently help you spot the common signs of identity theft.

While individual drivers ultimately have little control over big automakers and their cybersecurity, these steps nibble away at the edges of the problem and are worth doing because they’re under your direct control.

Regulators are Looking at Automotive Cybersecurity and Privacy

The good news is that vehicles’ place in the digital ecosystem is coming under increased scrutiny, and further consumer-friendly regulation is possible. That can be a game-changer. The two brands scoring highest in Mozilla’s research were Renault and its Dacia sub-brand, both of which are sold only in Europe and are therefore covered by the EU’s privacy law, the GDPR. The GDPR dictates transparency in showing how data is collected and used, and gives consumers the option of having their personal data purged on request. 

The GDPR has already established the principle that offering users a take-it-or-leave-it consent model — “let us do what we want or you can’t use our product” — is unacceptable in an app or a mobile device, so extending that same reasoning to cars would require a radical change to the manufacturers’ use of data. A second major piece of privacy regulation, California’s CCPA, could also potentially be used to rein in the carmakers’ business practices. California’s legislators are actively looking into that possibility, spurred by activist groups and consumer lawsuits. 

At the federal level, the FTC and the National Institute of Standards and Technology received a mandate from the Biden administration to create a labeling program for connected “Internet of Things” (IoT) devices. When complete, the program will define a simple Energy Star-style label consumers can view to determine how secure a given device is, and how well it respects your privacy. Cars don’t currently come under its purview, but activist groups are trying to make that change happen. 

Vehicle Cybersecurity: For Now, You’re Mostly on Your Own

These initiatives may eventually turn the tide in a more consumer-friendly direction, though you can expect it to take some time. In the interim, the steps we’ve suggested can at least help tighten up your personal security. 

The most effective thing you can do to change the situation in the longer term is to contact your elected representatives, and regulatory bodies like the FTC, and push hard for change. Carmakers are unlikely to voluntarily change things without pressure from the courts or legislators, and they, in turn, won’t act without pressure from individual voters. 

It’s exactly that kind of individual action that over time tamed the original Wild West, and over time it can do the same on this digital frontier.