The terrifying remote hack of a Jeep on the highway, as reported by Andy Greenberg in Wired magazine, seemingly validates the pervasive, yet vague, fears that many consumers have about the digitalization of our everyday lives. Charlie Miller and Chris Valasek’s demonstration of their ability to control the car’s motor management system, remotely cut the brakes or disable the accelerator, and in certain circumstances, turn the steering wheel, all served as a reality check as to what the future of the Internet of Things might hold.
Additionally, the car hack enables surveillance. Currently, the GPS coordinates of a targeted car can be tracked, its speed measured and its route followed. It is not hard to imagine geolocation and other personal information (e.g., contacts from the dashboard) combined with physical hacks to further increase the threat to drivers.
While the 2014 Jeep Cherokee was the focus of this particular attack (apparently accomplished by using relatively inexpensive off-the-shelf components connected to a laptop and broadcasting the malicious data), all cars connected to the Internet are vulnerable to varying degrees. Those models with the most computerized functions and the fewest separate networks are the most hackable. For example, if a car’s engine, braking systems, Bluetooth, telematics and radio functions all run on the same network, it is easier for an attacker to gain control of the car’s computerized physical operations.
As Miller notes in the Wired article, “When you lose faith that a car will do what you tell it to do, it really changes your whole view of how the thing works.”
As a result of this hack, FIAT/Chrysler issued a recall for 1.4 million cars for a software update. The upgrade must be manually loaded at a car dealer, and cannot be remotely distributed over the Internet.
Physical versus Informational Hacks
While physical security in a hacked car is the predominant issue that comes to mind for clear reasons of immediate potential danger, hackers can also obtain tremendous amounts of data about the car and the driver’s driving style, speed, and locations. This pervasive data collection is likely to be more valuable to hackers in the longer term. As opposed to a hack of the car controls, which may become immediately obvious to the car’s occupants, a data hack may go unnoticed (for years).
Greenberg uses as an example the ability to track vehicle location and destination searches enabled through a car hack, which points to the level of informational detail that may be obtained by hackers. Building up a database from this information allows hackers to determine where a person lives, works, worships and shops. Over time, they can build an understanding of a network of family and friends, and even predict where the driver will go. Other information that can be obtained from a connected car includes biometric data, telephone calls and browsing history.
The legal landscape
In response to growing evidence that vehicle manufacturers are not prepared to protect the networks they increasingly rely on, with potentially fatal consequences for consumers, regulators are evaluating the protections provided by the legal landscape:
- US Senators have introduced the Security and Privacy in Your Car Act of 2015, which would require the development of privacy and security standards by relevant government agencies.
- In the EU, there are currently no initiatives to pass laws specific to the connected car. Instead, the applicable laws are understood to be the EU Data Protection Directive (soon Regulation) and Telecom Laws. These laws will need to be interpreted in relation to connected cars—for example, assessing whether there should be restrictions on vehicle-to-vehicle data transfer. Recently the Article 29 Working Group, which is composed of EU national Data Protection Authorities, issued an opinion on the Internet of Things, including a reference to connected cars and privacy.
To demonstrate to governments that new regulations are not necessary, car companies are developing industry standards. Two trade groups, the Association of Global Automakers and the Alliance of Automobile Manufacturers, have agreed to a set of privacy-enhancing principles effective in model year 2017.
Whether developing new laws, interpreting existing ones, or relying on industry standards, one thing is clear: customers must be able to trust their connected cars, or the “drivable smartphone” of the future is not going to go very far.
Sarah Pipes, CIPP, CIPT
Senior Advisor and Data Protection Specialist, KPMG in Belgium
Sarah will speak at the 2015 ISACA EuroCACS/ISRM Conference on Privacy Challenges in the Internet of Things, with co-presenter Ronald Koorn, Partner, KPMG in The Netherlands.
[ISACA Now Blog]