By Ling Cheng (Senior Product Marketing Manager)
In April 2023, Reuters reported that from 2019 to 2022, some former employees of a well-known electric car company shared via a private internal messaging system intimate footage of car owners recorded by built-in cameras in their vehicles. Highly invasive footage that was shared by the former employees included embarrassing situations involving car owners and images of their children.
Smart cockpit cameras are intended to help manage drivers’ well-being by gathering inputs that facilitate car features designed to ensure drivers’ alertness on the road. While the primary intent is good, security measures that safeguard the privacy of users’ sensitive footage have yet to be established, leaving room for accidental — but nonetheless illegal — exposure of private data to unintended recipients. This lack of assurance gives rise to a situation where connected car users are uncertain of how OEMs manage the privacy of sensitive data.
In addition, there is also a risk of malicious actors exploiting personally identifiable information (PII) and vehicle telemetric data stored in smart cockpits to send highly personalized phishing emails. For instance, they can use the vehicle telemetric data to determine the condition of a car and craft a phishing email.
Figure 1. A fictitious example of a targeted phishing email that malicious actors can create with access to PII and vehicle telemetric data
How can attackers gain access to private data?
Attackers can obtain access to personal data in many ways. One of the methods that they use works as follows:
- An attacker first finds vulnerabilities that can be exploited in the web browser.
- The attacker then creates an attractive, professionally made webpage to lure unsuspecting users by offering hard-to-resist promotions like free hamburger coupons, insider stock information, or big maintenance service discounts.
- When a user visits the malicious webpage, the user has already fallen into the trap. At this stage, the webpage has bypassed the browser’s security mechanisms, thus enabling the attacker to install backdoors in the car’s IVI system without the owner’s permission.
- At this point, the attacker can start stealing sensitive data including the user’s driving history, conversations recorded by the built-in microphones, or videos of car passengers recorded by the built-in cameras. The attacker can also access the user’s contact list, photos, and text messages. The attacker can abuse access to such information to create fraudulent schemes that involve stealing the user’s identity, which enables the attacker to open accounts on the user’s behalf. After getting hold of the user’s identity, the attacker can trick the OEM’s service team into approving identity verification requests, enabling the attacker to open the car doors remotely and steal the vehicle.
Figure 2. An attack flow used by cybercriminals to gain access to connected car users’ private data
How can attackers take control of a connected car?
Aside from the risk of PII exposure, attackers could take over a connected car if they persist and use backdoors to infiltrate the central gateway through the IVI system. Drivers could then lose control of their vehicles’ IVI systems, which would deny them access to their speed and other vital information on the IVI systems and digital clusters. This scenario is akin to driving blindfolded.
Vulnerabilities found in Volkswagen electric cars and disclosed in 2022 have demonstrated the feasibility of such an attack to manipulate IVI systems. By exploiting these vulnerabilities, attackers can gain root access to infotainment modules, which can potentially lead to full control of data in these modules, including geolocation and audio and video data. Attackers can also send malicious CAN messages to the electronic control units (ECUs). Notably, these vulnerabilities can potentially affect more than 120,000 electric cars on the road.
How can users and OEMs keep personal data safe from unsecure browsers?
Of late, we’ve observed a growing number of OEMs integrating on-board intrusion detection and prevention systems (IDPSs) for ECUs to provide protection against in-vehicle attacks. It will, however, take some time before connected car users can experience the protection afforded by an IDPS. So, for the time being, drivers need to deal with the risks to user privacy. Aside from using multifactor authentication (MFA) for connected car user accounts as an extra layer of protection and regularly monitoring access to user accounts, users can take the steps recommended by our security experts here.
Also, OEMs can consider collaborating with automotive cybersecurity experts to create smart cockpit security apps that protect car users’ personal data stored in IVI systems by regularly scanning for browser vulnerabilities and by preventing drivers from accessing malicious webpages. This is an effective way to protect personal data, which in turn builds consumer trust in OEMs. Placing security at the core of OEMs’ design philosophy in developing innovative services encourages drivers to use the services, thus serving the common goal of ensuring safe and worry-free rides.
Figure 3. VicOne’s Smart Cockpit Protection solution