Skoda and Volkswagen are the latest vehicle manufacturers to have vulnerabilities discovered in their cars that could allow malicious actors to execute code remotely. The exploits can range from tracking GPS coordinates and speed data to recording conversations in the car via the in-cabin microphone and, for a sufficiently skilled attacker, even controlling functions such as stopping and starting the vehicle. These incidents confirm that security vulnerabilities in connected vehicles are an ongoing problem.
In my recent connected vehicle security report, I discuss how modern cars are just a rolling network of internet-of-things devices connected through a gateway to the internet to communicate with the vehicle manufacturer. Depending on the car’s age, its internal components can be brand-new (likely meaning that security considerations went into the programming) or a decade-plus old, so there’s no telling how many security vulnerabilities are inside a given vehicle. Along with that, modern conveniences like mobile apps for the infotainment system or remote start/stop allow owners to interact remotely with the vehicle through the internet. As with all internet-connected devices, hackers just love to discover new vulnerabilities that give them control of a device or vehicle, giving new meaning to the term “crashing the computer.”
The other issue with modern connected cars is that they collect a lot of data, from the car itself as well as from the devices connected to it. In 2023, a federal judge in the US ruled in a class-action suit that vehicle manufacturers have a right to use the data they collect from the car they sold you, including the phone logs and text messages you send through the infotainment system. This is a serious privacy issue, and because many employees will connect their business or personal smartphones to their car, or to a rental, it also means that business data can be collected by these cars and shared with the manufacturer, and the automaker is then free to use that data as it sees fit. If that doesn’t concern you enough, Ford is now seeking a patent to record conversations that happen within its vehicles in order to serve you ads. Ads within a browser on your PC are bad enough, but in a car? This would mean that Ford (and possibly other automakers) could have access to any conversation you have in your car, which could potentially compromise business secrets or even national security secrets.
So what can be done about this? From a technological perspective, not much. Yes, as a business leader, you can utilize unified endpoint management solutions to gain better control of the mobile devices that are used for business within your enterprise and mobile threat defense offerings to secure this endpoint. But once that device is communicating with the connected car, you have little control over what info is shared with the car, outside of just not allowing that to happen. From a business policy perspective, you need to institute policies that inform employees about how certain vehicles (especially newer ones) could be collecting business data and how to mitigate those risks. This is the same as existing policies that many organizations have implemented to educate employees on proper BYOD usage, such as not connecting to open Wi-Fi at the coffee shop.
There are a lot of privacy risks with modern cars, and more people are becoming aware of them. If you are interested in discussing how to improve the security posture of your connected vehicles, reach out and schedule an inquiry or guidance session with me today.