By Numaan Huq (Senior Threat Researcher, Trend Micro)
In the era of connected vehicles, your car knows more about you than you may realize, and neither your car manufacturer nor your car dealer has not disclosed this to you. Modern vehicles are no longer just a means of transportation; they have evolved into complex data hubs, continuously generating, consuming, and transmitting large volumes of data. But what does this mean for the daily driver? Let’s dive into the unseen risks of vehicle data collection.
The data that your car collects and the risks it might invite
Today’s vehicles are essentially smartphones on wheels, equipped with advanced sensors, cameras, and connectivity features. These vehicles can communicate with other vehicles, infrastructure, and the vehicle manufacturers (OEMs) themselves. Every time you start your car, it begins collecting data. But the data collection doesn’t stop when you turn off the engine and lock the doors; the car continues to collect data. From your driving behavior to your vehicle’s performance, the data collected is vast and varied.
OEMs and their Tier 1 and Tier 2 suppliers collect vehicle data to refine their products, improve functionality, create new product offerings, and enhance the user experience, among other things. But this data also has the potential to be monetized, creating new revenue streams for OEMs and suppliers. There are even specialized data brokers that purchase vehicle data from multiple OEMs, anonymize it, amalgamate it, wrap their own APIs around it, and then resell the data to anyone who pays for it.
The collection and use of this vehicle data can lead to issues surrounding privacy and security. Quite often, vehicle data is collected without the users’ explicit knowledge. This raises concerns about the potential misuse or abuse of data, including contraventions of local data and privacy protection laws.
Let’s delve into five risks that you and other drivers might be unaware of:
- Risk of surveillance. Modern vehicles are equipped with cameras that continuously capture images of the vehicles’ surroundings. These cameras are designed to enhance safety by providing a 360-degree view around the vehicles. However, if accessed by unauthorized parties, these camera feeds could be used for surveillance, potentially violating your privacy and personal security. This could lead to situations where a hacker could monitor your activities or even use the footage to plan criminal activities.
- Risk to the privacy of your family. Your vehicle’s GPS tracker can reveal information about your daily routines, from your preferred supermarket to the time you drop your child at school. In the wrong hands, this data could pose a significant risk to the privacy of your family. A cybercriminal could potentially use this data to determine the times when you are away from home, the location of your workplace, the school your children attend, and other places you frequently visit.
- Risk of getting a higher insurance rate. Data brokers sell information about your driving style, such as speed and acceleration, and preferred roads to car insurance companies. These companies could then calculate a higher risk score for you, leading to increased insurance premiums. This could result in your paying more for insurance based on data that you might not even be aware is being collected.
- Risk of becoming a crime victim or accessory. Cybercriminals could use your vehicle as a “drop box” for contraband items. For instance, if a thief can access data about your vehicle’s location and status, they could use your vehicle to store stolen goods or drugs, especially when they know you are away. Or if they know the route you take regularly, your car could be used as a “delivery mule” for contraband items. This could lead to your unwittingly becoming involved in criminal activities.
- Risk of identity theft. Personal data, such as your home address, work address, and places you frequently visit, could be used by identity thieves to impersonate you or to gain access to other sensitive information. This could enable a criminal to gain access to your financial accounts, make purchases in your name, or even commit crimes while impersonating you.
Navigating the data-driven way forward
While the convenience and innovation brought about by data-driven vehicle features are undeniable, they come with significant privacy concerns. The data collected by modern vehicles paints a detailed picture of our lives, from our daily routines to our personal preferences, and this wealth of information can have serious implications for our privacy. Even seemingly harmless data, like climate control settings or media preferences, when combined with other data points, can provide clues to an individual’s lifestyle.
As the monetization of automotive data grows, it becomes an attractive target for cybercriminals. The risks range from vehicle tracking to more sensational threats like vehicle hacking and fleet takeover. Unauthorized access to vehicle user accounts could lead to theft, both of the vehicle and the data it contains. This could result in financial loss, privacy invasion, and even personal safety threats.
As we navigate this evolving landscape, a balanced approach that promotes innovation while ensuring privacy and security is necessary in shaping the future of connected vehicles. It’s vital for stakeholders to take proactive measures to ensure responsible data handling and protect systems and users against misuse and abuse. At the same time, regulatory bodies need to develop and enforce data privacy and protection laws to safeguard drivers. For drivers, awareness is the first step. Understanding what data your car collects, how it’s used, and how to protect it is crucial. In the age of connected vehicles, it’s not just about driving safely on the road; it’s also about navigating the complex web of data privacy. While the age of connected vehicles brings about many new opportunities, no one wants Big Brother in their passenger seat.
For more information and insights, check out the paper “Automotive Data: Opportunities, Monetization, and Cybersecurity Threats in the Connected Vehicle Landscape,” written by researchers from Trend Research as part of the VicOne Automotive Cybersecurity Report 2023. In it we detail our automotive data hunting methods, the data types we encountered, possible data extrapolations, and their potential cybersecurity risks. To learn more about the automotive data ecosystem and its implications for the industry, read about our research and download our full paper here.