Most of the issues are technical in nature, but there is one very important social issue too: who will work on these vehicles and whether they will be careful with that data. As technicians and workshop managers/owners, we are being entrusted with customers’ personal data, so should have appropriate systems on place. In the same way that most of us now store considerable amounts of personal information on our smartphones, some cars already hold information such as:
- Address books – who you know
- GPS data – where you go
- Banking – what you spend
- Social media – everything you do and who you know
- Emails – who you work with and their personal details.
Many vehicles are already connected to some extent, either through their own onboard cellular SIM card or via a USB or Bluetooth-connected mobile phone. Few vehicles communicate directly with each other at present, but this will change over the next few years.
Terminology
Vehicle to vehicle (V2V) communication opens up the possibility of tele-operated driving (remote control) and cooperative manoeuvres. Data collected from vehicle cameras can be collated to create maps that include real-time updates about accidents and temporary roadworks.
Vehicle-to-grid (V2G) technology allows electric vehicle (EV) batteries to store energy and then discharge it back to the electricity network when it’s most needed, perhaps during times of peak demand such as early evening. During this time, a small amount of energy is taken from connected vehicle batteries and then returned during times of lower demand, such as overnight.
Vehicle to everything (V2X) is starting out using 4G links, but the transition to 5G’s higher bandwidth capabilities will facilitate the extensive communications needed for autonomy and other features and functions.
How to hack a vehicle!
The interconnectivity of current and future vehicles makes them potential targets for attack. Connectivity opens vehicle systems to the dark side of the Internet, forcing vehicle manufacturers to develop strategies to ensure that they don’t join the litany of corporations hit by hacking attacks.
As more systems on vehicles connect to the outside world by radio waves of some sort, more opportunities are presented to hackers. Manufacturers are working hard to reduce the chances of this happening and are helped in this effort by what can be described as ethical hackers. Table 1 below lists some attack vectors, methods and potential consequences.
Table 1: Attack vectors, methods and example consequences
Vector | Methods | Example consequences |
OBD DLC | Custom software connected to the port | Engine stopped and brakes disabled |
Wi-Fi | Using a ‘packet sniffer’ is a common way to attack Wi-Fi | Disabling of the car alarm |
Cellular network | Infotainment system hack | Brakes disabled |
Mobile apps | Many vehicles already have apps, and these can be modified | Locks, lights or sunroof activated while driving |
Internet | ‘Normal’ hacking methods where programmes such as WannaCry are implanted | Factory production stopped and user details stolen from data centres |
Electric charging points | Connection plug or wirelessly | ID card numbers stolen and funds redirected |
Application programming interface (API)
An application programming interface (API) is the software that enables applications to talk to each other. They play a key role in security because they are used to control access to devices and software functions. For example, if you use a scanner with a dongle that connects to the DLC, then you are using an API that allows the software on your computer to talk to the vehicle. Another way to describe an APIs is that they are the hooks that allow vehicle applications to interact with other apps.
Because of the role of APIs, they are the main focus for attack. BMW recently announced that they would upsell access to heated seats via software. The signal to switch on this feature, as well as many other things, is sent over the air and via an API on the vehicle. It was apparently hacked after just a few days!
Summary
Electronic data communication or storage of any sort is inherently vulnerable to attack, particularly when wireless. Technical solutions are available, but if not implemented properly, they are worthless. Technicians and workshop managers/owners entrusted with customers’ data will need to follow all the relevant guidelines carefully to ensure:
- Systems are updated and secure
- Customer data is treated with respect and is secure
- Manufacturers guidance is always followed.