As Forrester has reported, IoT devices are more exposed to cyberattacks, requiring security leaders to address the security vulnerabilities in this wide array of devices deployed across their organization. One area that many security professionals continue to overlook is the simple car, which to be honest is no longer so simple. Unlike the Volkswagen Type 1, affectionately known as the Beetle, which was little more than an engine, 4 wheels, a body, some seats, and a steering wheel, most cars on the road today are roving networks of computer devices that may be sharing real-time information with each other, with the whole vehicle connected to the Internet.
Unfortunately, like many other IoT devices until recently, the security of the connected computer devices within cars was an afterthought. Even newer vehicles are susceptible to hacking because securing these components or the backend systems supporting them has not been a top priority for auto makers.
Okay, you say, I get it, the car can be hacked and maybe someone could break in and steal my car. But what does this have to do with my organization’s security?
Where do you drive your car? Not only can the vehicles themselves be hacked into locally or remotely, but the data stored in that car or at the manufacturer could be stolen to track your movements. This could allow an attacker to develop a profile of a high-value target for a targeted attack. Or the auto maker itself could be sharing that information with 3rd parties who, for a price, could get detailed information about where you go and what you do: what time you leave your house, when you usually stop at the gym, where you usually park at the office, how often you leave the office for lunch, whether you usually stop at the grocery store on Wednesday or Thursday, and so forth.
Do you conduct business while in your car? Phone call logs and hands-free messages that are sent through your car are recorded by the vehicle and sent to the manufacturer, who at least in the US can do what they wish with that data. Some auto makers, whose vehicles record information about drivers in and around the car, have even had employees accessing these recordings without any level of control. And what about when travelling? Do you use your work phone in the rental car? The same issue with your messages and call logs being collected applies to rental cars, and if you don’t clear your phone information before returning the rental car, that info is left on the infotainment system and could allow the next person to rent the car, or a malicious actor, to collect this information.
As organizations implement more security controls on existing applications, data resources, and devices, attackers are looking for the next target of opportunity, and the incredibly lax security that is found in most cars means this is a new vector of potential compromise. Forrester’s recent report in the connected vehicle space, Digital Smash And Grabs: The Challenges With Securing Connected Vehicles, discusses this in more depth and provides some guidance on how you can start addressing these vulnerabilities. At a higher level, we need to demand more security and accountability from the auto makers themselves to respect our privacy and protect these rolling computer networks.
For Forrester customers, please reach out to schedule an inquiry or guidance session with me to understand and address any concerns you have about connected vehicles and their impact on your organization.