Your New Car May Connect You to Greater Cyber-Risk

NEWS ANALYSIS: There's no question that having your car connected to a world of data is convenient and sometimes lifesaving, but with those benefits comes increased security risk.

I sat in front of the fire in my fireplace, and opened the heavy leather parcel I'd removed from my car. I'd purchased the car only the day before, and while I knew there were some technology improvements over the vehicle I'd gotten rid of, I wasn't quite prepared for just how much things have changed in only a few years.

Inside the package was a series of manuals, one of which was an inch thick and devoted to something Mercedes-Benz calls COMAND—yes, that's how it's spelled.

I leafed through the pages and found myself reading about real-time weather maps, complete with satellite and radar imagery. I could read current restaurant reviews from Yelp. And if I called the right number, I could have the company unlock my car or even send help if I crashed. These are some powerful new capabilities that I hadn't realized existed, at least to the level they'd obviously reached.

Then I thought about my wife's car, also of German design, and recalled that it had similar capabilities, and in her case, they even included the ability to remotely program the navigation.

But these capabilities weren't unique to German cars, or even cars from Europe. As recent news reports have revealed, cars of American, Japanese and Italian design have similar connectivity features and they bring similar cyber-security risks—some have significant exposures beyond what we normally hear about.

"The Nissan Leaf only requires its VIN [vehicle identification number] for authentication," said Craig Young, a security researcher at Tripwire. Young noted that the VIN is visible from outside the car so that anyone can find it, and if they have the mobile app for the Leaf, can use it to control some features of the car.

Young said that for someone to break into a Leaf, the car first has to have the mobile application set up, but once that is done, anyone can send requests to the car or view information about it. "The controls are just the air conditioning," he said. However, "you can also read information, including charging status, the user name of the owner, battery condition, all the trips, the times they're driven and the efficiency of the drives."

Young said that it would be really easy to use the information from the Leaf to determine when the owner is likely not to be home. He also said that while you couldn't drive the car, you could turn on the air conditioning and run the battery down so that the driver would be stranded.
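The design problem Young describes is an identifier doing the job of a credential. As an added illustration (not code from Nissan, Tripwire or the original article), the sketch below puts a VIN-only lookup beside one that requires a verified session belonging to the vehicle's owner; the VIN, account names, data and function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a placeholder VIN and owner account, not real values.
SAMPLE_VIN = "TESTVIN0000000001"
VEHICLE_OWNER = {SAMPLE_VIN: "alice"}
TELEMETRY = {SAMPLE_VIN: {"charging": True, "battery_pct": 80}}
SERVER_KEY = secrets.token_bytes(32)  # secret held only by the backend


def _tag(account: str) -> str:
    """HMAC over the account name, keyed with the backend secret."""
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Hand out a session token after the owner logs in (login itself omitted)."""
    return f"{account}:{_tag(account)}"


def account_from_token(token: str):
    """Return the account named in a token, or None if the tag does not verify."""
    account, _, tag = token.partition(":")
    ok = hmac.compare_digest(tag.encode(), _tag(account).encode())
    return account if ok else None


def status_vin_only(vin: str):
    """Weak design: the VIN is treated as both identifier and credential."""
    return TELEMETRY.get(vin)


def status_authenticated(token: str, vin: str):
    """Hardened design: caller must prove who they are and own this VIN."""
    account = account_from_token(token)
    if account is None or VEHICLE_OWNER.get(vin) != account:
        return None  # same answer for bad token, unknown VIN, or wrong owner
    return TELEMETRY[vin]
```

In the first function, anything that can be read through the windshield is enough to get an answer; in the second, knowing the VIN gets a caller nothing without a token the backend issued to the owner.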

It's an example of dealing with security on the Internet of things. "Cars are large Internet of things devices," said Craig Smith, author of the soon-to-be-published "The Car Hacker's Handbook," in which he describes how to find vulnerabilities and understand how the data systems and data networks in cars operate. Smith said that he's been working with automakers for years, helping to close their vulnerability gaps.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...