Published on Thursday, July 4, 2019 - 16:19 by Camilla Winlo
Cars have always had a certain amount of risk associated with them – speed limits and airbags were invented for a reason, and crashes, breakdowns, unmaintained streets and pedestrian accidents all spring to mind when you think about what could go wrong on the road.
However, you don’t usually look at a moving vehicle and think it’s a data security accident waiting to happen. But that may well be the case if your organisation offers connected cars as an employee perk.
These cars are often an overlooked – and huge – security vulnerability.
People share considerable amounts of personal information about themselves and other individuals with their cars, and usually don’t realise the potential consequences of their actions.
It would be less of a challenge if the security measures were anywhere near as advanced as those we use for computers and other connected devices in the workplace, but cybersecurity and data protection practices in cars are not mature.
For example, there is no current consensus on how software and security updates are communicated by the car manufacturer to the car owners, even if they’ve found vulnerabilities in the software. And obsolete software poses a huge risk to a driver’s data security.
According to a February 2019 survey of automotive professionals:
An April 2019 quiz also found low levels of knowledge of automotive data security among drivers. Overall, respondents scored an average of 49%, rising to 53% among connected car owners.
If you want to see if you can beat that average, you can take the quiz yourself here.
This is crazy when you consider how much personal data a smartphone houses, and how much protection is placed on it. But when that smartphone is connected to a car, the car often downloads and stores significant amounts of its personal information.
Messages, emails, contact lists, geolocation and location search history, home addresses and more can all be stored in the on-board computer. This even includes special category personal data that should receive enhanced protection under data protection legislation.
So, whilst this becomes useful when you want to use the handsfree to call someone in your phone’s contacts list, it also means the data is downloaded onto the car’s system. A system which may not have any advanced security measures in place.
With over 125 million connected car shipments set to take place by 2022, chances are this will become an even more prevalent problem for information security teams.
However, some positive steps are being taken by car manufacturers looking to improve their cybersecurity practices. Most notably, Toyota have released PASTA: an open-source testing platform which was designed specifically for hacking cars and helps to test cybersecurity features in modern vehicles. The company also envisages the platform being used for R&D purposes: for example, a manufacturer could test the impact of a third-party component on the car's security.
There are also things information security teams can do now to mitigate some of the risks and ensure data is protected in company cars. These include:
2019, Synopsys and SAE International, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices. The survey of 593 professionals from global automotive manufacturers, suppliers and service providers was conducted by the Ponemon Institute. All respondents were involved in assessing or contributing to the security of automotive technologies.
2019, CarGurus, Data Security in Connected Cars Pop Quiz. The survey was completed by 1,020 drivers, of whom 264 owned a connected car. Questions covered general awareness and security best practices.
2018, Counterpoint Research, Global Connected Car Tracker 2018. The research is based on total shipment estimates derived from companies’ IR results, vendor polling triangulated with sell-through (sales), supply chain checks and secondary research.