Connected Cars—Is the Risk Worth the Reward?

There is a revolution taking place in the automotive industry that will affect nearly every car owner, driver and passenger. It is the introduction of connected cars and the promise of enhanced safety and convenience.

With that promise comes massive security and privacy risk. After all, cars will be operated by highly intelligent computing devices that can be accessed remotely. Driver override will be built-in, but malicious tampering is possible. And in this case, there is absolutely no margin for error.

Having connected cars is fantastic and is the way the industry and society have been progressing, but not without questioning the concept and not without the assurance that the system cannot be compromised. It is critical that we ensure customers that a hacker cannot take over operation of the vehicle. And so far, it has been proven that this is possible today.

The benefits can go from having metrics about your driving style to preventing an accident. For example, a connected car can know the best route and where gas stations or restaurants are located. Although you could have these tools on other devices, the real value comes from optimizing fuel consumption and providing the best advice on how to drive safely and even taking control (with the right parameters in place), if necessary. A connected car is, or can be, intelligent, autonomous and smart.

The safety benefits of connected cars are very clear. A driver can be located in a dangerous situation, the car can be traced if stolen and the vehicle could potentially be locked if the driver is not the approved one. On the other hand, we need to understand that we are talking about identity management, authenticity and accountability. We need to understand that data can potentially be used against us if we do something wrong while driving.

As a potential user of a connected car, I would first ask what is really at stake. I would think about all the “what if” scenarios so I could fully understand the different roles the car will play in terms of advice, taking control, providing information and collecting information. Let me emphasize the importance of not only being a driving aid (which is at the core of a connected car), but that it also collects and potentially shares information about driving behaviors. I would try to clearly understand all aspects of privacy when purchasing a car that will “learn” a great amount of information about me.

Protecting user information is critical, both technical and legal. In terms of technical protection, vendors need to ensure that the system is robust and solid, that it has been hardened and that it is impossible to access it from places other than the “guaranteed” ones. If we consider a system that cannot be accessed remotely and does not allow a third party to take control of the car, that would make the vehicle less connected—which is something that we do not want. Thus, we have to ensure that the proper communication channels have been established. For this, vendors must be certain that the technology they deploy is safe and bug-free. On the legal side, a driver will have to agree with the collection and sharing of personal information. That is something that can fundamentally change and challenge our approach to driving.

It has been proven that hackers can take control of some models of electric cars. Remember, there’s a computer inside the car, standard protocols to connect to the Internet and operating systems that might have some flaws. Millions of cars provide a good customer base for the bad guys to try. And, while that may not make the bad guys money, it will certainly be something governments must monitor since a terrorist attack on thousands of vehicles would have a massive impact on society.

As with previous advances in technology, our prediction is that the market for connected cars will expand and change very rapidly. As a society, we will have to look at the legal ramifications and accept the sharing of data. If we accept that, we accept things such as the car taking control in heavy traffic. Sometimes we are pushed by technology that we do not really understand, but that is nice for us to use. We believe that focusing only on the benefits is short-sighted and we always appreciate the risk assessment approach—understanding what is at stake and if the benefits outweigh the risks or not.

Integrity is key in every security program, and even more so with connected cars. Making sure that the information is correct, and that it has not been altered by a third party is critical to success. A connected car, and the way it collects and correlates information, will be transparent for the user, much like a black box on a plane. Integrity is fundamental so that we know that data is the original and reliable. This is one of the key aspects of the validity of the information of a connected car.

Ramses Gallego
Security strategist and evangelist, Dell Software
ISACA International Vice President

[ISACA]