Connected cars: a cyber-security nightmare on wheels

The reasons to avoid connected cars

Self driving car

The very thought of driving in an internet-enabled vehicle, let alone the type of robot cars that Google and others are now contemplating, sends a shiver up my spine. This is not exclusively a product of the types of dystopian sci-fi I read and watched growing up. It is anxiety born out of knowledge about the vulnerabilities which such vehicles already have, and the ways in which they can be exploited.

Make no mistake – we are not talking about the far off future. Virtually every modern car has at least some computing capacity aboard, but the latest generation, including a fair number which are already on the streets, go a good deal further than just the ECU (engine control unit) which monitors and can control such core features as engine speed and temperature, ABS braking and security.

Many cars have relatively sophisticated entertainment systems, which can include the capability of wirelessly streaming audio or video from a portable device in the car, or even from the user's home network. Navigation systems too are increasingly powered by very sophisticated computers which are capable of connecting out in order to get up to date traffic information, and again routes calculated at home, or on the increasingly ubiquitous smartphone that the driver is likely to be carrying.

Wi-Fi worries

As with so many items that are starting to be provided with internet or Wi-Fi functionality as part of the burgeoning "internet of things", such connectivity immediately presents a considerable risk. Cars have for years been fitted with Bluetooth, the relative insecurity of which is offset to some extent by its very short range.

Now, though, cars are starting to be supplied with the option of an installed Wi-Fi router. The range on these is significantly greater, particularly when security protocols such as WPA are disabled, as so many home users already do. Indeed recent surveys suggest that only about three-fifths of home users configure appropriate security on their home Wi-Fi networks, which means a significant number of homes (and by extension vehicles) are without any, or any adequate, protection.

This becomes even more important when you realise that each of these sophisticated and powerful computing devices installed within your car is not an island. In addition to the varied connections to the outside world, there are also any number of internal connections. There may frequently be no firewall between an internet connected entertainment system, for example, and the car's navigation or ECU.

As recent lab-based research by hackers has shown, this opens up the possibility that if any one vulnerability in a car's electronic network is compromised, hackers could gain control over the whole, which might include the ability to control speed remotely, alter navigation information or even disable the brakes (or cause them to activate while the vehicle is at high speed).

Moreover, unlike a home computer or router which is always connected to the internet, and therefore likely to be receiving updates and patches, it is highly likely that the same hardware and core operating systems will remain largely unmodified in a road vehicle for its entire life, meaning that once vulnerabilities are detected they are likely to remain unaddressed for a significant period of time.

Privacy rights

Even beyond the rather more exotic concerns outlined above, connected vehicles present plenty of risks for the everyday consumer concerned about the security of their personal information and their privacy. Access to a car's connected systems can reveal regularly used routes from the satnav, and almost certainly the car's home address. One can imagine scenarios where access to the computers of vehicles left in long-term parking at an airport, or on a ferry, would yield the home addresses of people likely to be on holiday (and whose properties might therefore be targeted by burglars).