Car companies must gaze with envy at Apple in the midst of its current confrontation with the Federal Bureau of Investigation in the U.S. over access to data on the iPhone of a terrorist. If only, they must say, if only we had Apple-like security for our cars.
By and large, when law enforcement agencies around the world need or want to extract data from a car they simply tear it apart, open it up and download it. The car maker very likely won’t even get a courtesy call.
Driving history, recent destinations, recent phone numbers called, contacts, you name it. If the driver or passengers paired their phones with the car, it’s all in there. One can only assume that the authorities have already torn apart the car owned by the shooters in San Bernardino, Syed Rizwan Farook and Tashfeen Malik. But the episode highlights the vast gulf that exists between handset security and automotive security.
For the most part, car companies concerned with vehicle security are focused on defeating thieves who are focused on stealing, spoofing or amplifying and redirecting wireless signals from keyfobs. Very little effort has been devoted to the security hygiene of the connected systems inside the cars.
You can’t blame the car companies, really. With the requirement to keep the on-board diagnostic port open and available, it almost seems pointless to try to secure the rest of the car. But car companies are trying. They must.
But imagine cars being so secure that investigators would have to ask permission to extract data. Today, a cottage industry is rapidly emerging around hacking cars – all over the world. Only it’s not called hacking. It’s called “reverse engineering.”
People reverse engineer cars for sport, and the more they do, the easier it seems to get and the less time seems to be required. Car companies are moving to create gateways to seal off the OBDII ports and to explore the creation of separate high-speed CANbus networks. But these efforts are taking time and, even if successful, the vulnerability of cars is likely to persist.
It hasn’t been that big of a concern before now. Cars weren’t gathering much data in the past. But now cars are building contextual information around driving history, vehicle performance, and personal information as connected cars and smartphones exchange and fuse multiple data sources and connected systems are used to manage customer relationships.
In the end, the iPhone itself may remain secure, but the car will become a four-wheeled snitch for the guilty and innocent alike. The most obvious example of this vulnerability and sloppiness in the automotive industry is the rental car with the previous driver’s call record in the head unit. As a first step toward establishing some half-decent security hygiene, car makers need to start erasing smartphone data after the phones are disconnected.
But better disclosure and opt-in procedures are needed, along with explanations at the point of sale. Of course, the less information that is gathered from the customer in the first place, the better. But cars themselves will soon be scanning their surroundings and even scanning drivers and passengers with cameras in the cabin. Will this data be uploaded or discarded? Hard to say – the industry has yet to define a consistent policy.
And until the industry confronts its vulnerability in a forthright manner, pledges and promises to adhere to government guidelines are meaningless. While everyone is looking for Apple to make a car, maybe the automotive industry ought to look into what it takes to make an iPhone. It seems we have a lot to learn.