Word on the street is that data is what keeps the wheels turning now.
Just like smartphones, connected cars do a great job at tracking and collecting stats. But if you think this is strictly about the vehicle, you’re a bit far from the truth.
The same cameras that detect if a driver is paying attention to the road are also a rich video source from inside the car. And that’s not the epitome of privacy.
Promoting safety is huge in car marketing campaigns. But would you let a manufacturer hear and record your conversations in the name of safety?
Let’s delve more into the troubling details your car reveals about you.
Cars collect a lot of information
Connected cars are vehicles equipped with internet connectivity. This enables them to access data, send data, download software, communicate with IoT devices, and provide Wi-Fi to passengers.
Most connected car owners have no idea how much information is being collected and sent back to the manufacturer. And we’re talking about a lot of information since a smart car connects to more servers than a smartphone.
In 2020, most US car manufacturers had integrated onboard computers that are always connected to the internet, a feature with no opting out. And around 80% of new vehicles use wireless technology to transmit data in real-time back to the manufacturer.
Plus, the infotainment system, AKA the car entertainment and information functions such as GPS, Wi-Fi, Bluetooth, radio, and multimedia support, record and keep track of all the data the same way Amazon’s Alexa and Google Home record personal conversations.
Here is what the infotainment system records:
- Car logs
- Contact lists
- Text messages
- Photos and videos
- Voice commands
- Social media feeds
Many cars also have event data recorders (EDRs). They capture a range of information right before or during a crash event.
You should have access to and control your car’s data. Yet, in reality, you can’t see or delete it. What’s even more worrisome, you don’t have control over the destination of all this data. And it could end up anywhere!
For example, a security researcher reported about buying old infotainment systems online. He found personal information such as the home addresses and Wi-Fi passwords of the previous owners.
Car computers can turn into digital forensics evidence
The precious information that infotainment systems provide can become treasure troves of digital evidence. And in the US, law enforcement officers realized the massive potential of these systems and have been using them to solve cases.
One example is Joshua Wessel’s. He was charged with murder because the victim’s truck had a recording of his voice at the time of the killing. The case is open, as Wessel pleaded not guilty and is awaiting trial.
Most people are aware of the fact that phones collect piles of data. But few realize how much data cars gather once they have a phone synced with the infotainment system. Based on a warrant, investigators can access text messages, calls, and files way easier than they could from a cellphone.
Along with data from the infotainment system, detectives use the telematics system. Similar to a black box for cars, it collects information on:
- Turn by turn navigation
- Acceleration and deceleration
- Lights (if on or off)
- Doors (if open or closed)
- If seat belts were put on
- If airbags were deployed
All this information allows investigators to reconstruct a driver’s journey in detail.
The EDPB guidelines on #privacy issues relating to connected cars extend the provisions of the #ePrivacy directive to in-vehicle devices with the consequence that for instance #telematics #insurance policies shall ask consent to access to black box data https://t.co/1uyEPABcuv pic.twitter.com/eligGdztd9— Giulio Coraggio (@GiulioCoraggio) February 21, 2020
With the help of Berla Corp., a Maryland-based technology company, law enforcement officers from several US states can access the systems of over 80 car models. They don’t just use it in homicide cases. For officers across Michigan state, it has become a routine check for misdemeanors.
Berla Corp.’s software reads the unique IDs of Bluetooth and Wi-Fi devices that have connected to a car’s infotainment system. Additionally, it looks at the logs kept by the car’s internal computer. These logs show when specific doors are opened and provide a location log from its built-in GPS.
According to Berla Corp.’s founder, digital vehicle forensics helps find crime suspects or prove they are innocent.
Still, an Australian case proved that easy access to a car’s infotainment system could help commit crimes as well. A man stalked his ex-girlfriend using an app that connected to her car and sent him live information about her movements. The app also allowed him to remotely start and stop her vehicle and open and close the windows.
We need more car privacy laws
In the European Union, the General Data Protection Regulation pushes the principles of privacy by design. It’s an important regulation that could also inspire car manufacturers. Technology design and safety systems should cover privacy elements and evaluate if data subjects’ rights are protected.
For example, if a safety function helps drivers avoid collisions with other road users, that function must reliably detect cyclists or pedestrians. However, it doesn’t have to be able to identify a pedestrian personally.
According to The Driver Privacy Act of 2015, consumer’s personal identifying information should be protected. But privacy protection refers to the data recorded and stored on the onboard computer.
Here’s a deeper insight from Alex Hamerstone, information security specialist:
It seems as though everything in our lives is now becoming connected, from washing machines to refrigerators, and to cars. While there are security and privacy concerns with any connected device, cars can be more worrisome because your car knows where you are. Most modern cars have ways to record the performance of the vehicle, and this can include a lot of information that could be valuable to auto insurance companies. Drivers who don’t follow posted speed limits or who accelerate rapidly may be concerned that information will find its way to their insurance company and affect their insurance rates. A simple privacy issue that users should be aware of is when they connect their phone to a car they don’t own, such as a rental car. When renting a car, be sure to delete your contacts from the car before returning it. Better yet, don’t connect your phone to the rental car’s entertainment system. One can imagine a world where cars display advertisements based on where the car is located. If someone is on a route passing a particular fuel station or restaurant, the car could display or play an ad for those. The important thing for consumers is to make sure they read any agreements they accept either when buying a car or driving one. These agreements should contain information about what data is collected, with whom that data is shared, how it is stored, and what it is used for.
Alex Hamerstone | TrustedSec The technology security consultants and researchers at TrustedSec are the best in the infosec world.
Get to know Alex Hamerstone here.
No federal law currently regulates data collected by other computers in an automobile, including the infotainment system.
Keep prying eyes away from your car
Automakers have plenty of experience with making cars safer, particularly in the event of a crash. But they are still at the beginning of the road when it comes to making cars digitally secure.
Yet, even carmakers are aware that consumers today are more concerned about privacy than ever before. That is why some cars come with comprehensive privacy policies, disclosing what data they collect about you and your vehicle, how it is used, and with whom it is shared.
If you want to go the extra mile in terms of privacy, make sure you use a VPN on your phone, especially if you use it to remotely control your car.
Do you believe we can have car safety systems AND privacy?
Let me know in the comments section below!