Data and technology that power vehicles now and into the future must be protected from misuse, abuse and malicious mayhem.
That was the consensus of panelists, speakers and others who attended cybersecurity sessions held as part of TU-Automotive Detroit’s automotive technology conference and exhibition in suburban Detroit, June 5-6.
TU-Automotive Detroit provides a platform for thought leaders to present technology advancements and ideas that promise to make autonomous and connected vehicles part of our everyday lives in the not-so-distant future.
At stake is the safety and security of data and technology that turn vehicles into rolling smart phones and will eventually enable the delivery of packages, pizzas and people in autonomous vehicles in the future.
Curtailing crashes and reducing rush hour gridlock by allowing vehicles to “talk” to each other and traffic signals is on the mobility to-do list of the future, too.
That makes vehicle cybersecurity and safety everybody’s business, many conference goers agreed.
Serious about cybersecurity
“I don’t care whether you’re in product development, you’re in the aftermarket, you’re in remarketing, you’re in rental cars, (cybersecurity is) everyone’s responsibility; everyone must take it seriously, and we have to work together,” said Faye Francy, executive director of the Automotive Information Sharing and Analysis Center, an industry-driven community that shares and analyzes intelligence about emerging cybersecurity risks to vehicles.
Francy participated on the panel: “How Can Fleet Owners and Car-sharing Services Stay One-Step Ahead of Identity Theft?”
“The bad guys work together so much better than we do. They have no lawyers, they have no structure and they don’t have a lot of money, either. We have to learn as an industry, we don’t compete on this subject, rather we collaborate on it. That’s the only way we’re going to build resiliency across the whole industry.”
On the panel with Francy was Tim Cavanaugh, global product marketing business development director at Cavanaugh Consulting, who counts large commercial fleet companies among its client base.
Cavanaugh said commercial fleet companies, especially those whose businesses involve delivering things such as pizzas, groceries and packages, are prime candidates to become early adopters of autonomous cars and automated vehicles that have neither steering wheels nor brakes.
The companies he has spoken with fall into one of two camps:
Those that would buy the vehicles and won’t worry about cybersecurity unless their data gets hacked, and those who will not purchase the vehicles until they are certified by an organization akin to Underwriters Laboratories.
Cavanaugh said commercial fleet companies believe the responsibility for cybersecurity rests with auto manufacturers.
“They’re throwing the liability and responsibility back on the OEMs,” said Cavanaugh, during a sideline interview. His consultancy helps companies around the world that want to engage in technology ventures with auto companies.
“The OEMs have been self-regulated for years, and they don’t want any product liability suits coming back on them, so they are trying to be as responsible as possible with anything related to cybersecurity.”
Unlocked, unencrypted, ready to roll
With the threat of identity theft on the rise, protecting consumers’ personally identifiable information, such as name, home address, Social Security number, credit card information and telephone numbers is vital, said those at the conference.
Among the ways consumer data can be compromised is when they sync their smartphones with Bluetooth technology in vehicles they own, lease or rent.
The connection copies users’ name, list, text messages, music preferences and other personal information, turning vehicles into rolling smartphones that are unlocked and unencrypted, said Andrea Amico, founder of Privacy4Cars, an app designed to delete personally identifiable information from vehicles.
The vehicle smartphone pairing exposes consumers’ personal information to anyone who comes in with the vehicle such as its next owner, its next renter, persons who handle it at a dealership, an auction or a rental car company and of course, hackers, Amico said.
People who think their cars are places of privacy and freedom, should think again, he added.
“It’s a private space where they feel safe and secure; it’s hard to change the minds of people, because that is the mental image we have of cars,” said Amico, who attended the conference.
Tasha McCall, director of security and fraud product management at First Data, a financial services company, said easy access to personal information from consumers’ vehicles make it easy for identity thieves to use “bits and pieces” of personal information, such as Social Security numbers, to create individuals that do not exist — known as “synthetic” identities — that make fraudulent purchases and loans in the victims’ names.
Brands and reputations suffer
Not only does such identity theft wreak havoc for a victim, it can damage the brand and reputation of companies that fail to protect that data, McCall said during the panel discussion: “Privacy and Consent – What are the New Requirements for Data Security.”
Both Amico and McCall said consumers should be reminded to delete their personal information from a vehicle at the end of ownership, a lease or a rental agreement.
Or the entity that takes possession of the vehicle, such as a dealership or rental car company, should do it for them, they said.
But in January 2020, when the California Consumer Privacy Act and the California Security of Connected Devices Act, go into effect, at least some legal responsibility for protecting that data could be shifted to those who buy, sell and handle used vehicles.
The California Consumer Privacy Act gives consumers the right to know what personal information businesses collect about them, how the information is used, and to request their information be deleted; The California Security of Connected Devices Act requires manufacturers of internet connected devices to equip the devices with security features to protect data from unauthorized access and use. Protecting consumers’ personal data will require “greater effort from everybody,” Amico said.
A risky ride
Also at serious risk is the vehicle itself.
That’s according to Clifford Liem, technology director, connected transport at Irdeto, a digital platform security company and who participated on the panel: “V2V and V2I The Misbehavior of Detection.”
V2V or vehicle-to-vehicle communication and V2I or vehicle-to-infrastructure communication allow vehicles to “talk” to each other and traffic signals to improve traffic safety and flow.
“That’s the big promise of our new connected world, that everything talks to everything, and we’ll have less problems,” Liem said during a sideline interview.
“But, when we bring security into that all bets are off. Once we get a malicious actor in there — they might be doing it for financial gain; there are all kinds of possibilities.”
The industry is already seeing malicious attacks on digital key systems and attacks on telematics units that “talk” to the internet, he said.
Protecting vehicle technology is a cat-and-mouse game that will continue for years, Liem predicted.
“Will you ever say the lock on your front door is good enough? Someone will find a way through it, and your windows are open,” he said. “When will you have enough security around your house?
“It’s the same thing when you’re talking about your car. We can put in place the things that we need, but once you get very, very clever attackers, it can be a very difficult thing.”