[Reading Time - 3 minutes 53 seconds]
Anyone who has driven a car built in the last few years knows that these cars are dramatically different from those built just six or more years ago. The huge difference is based on the enhanced electronics that are found in today's cars. A suite of driver-assistive technology systems is designed to "warn, prevent, and mitigate incidents and collisions on the road." Even the standard equipment on new model cars often include the following features that were unthinkable just a few years ago:
In addition, the sound systems in today's cars boast features like auxiliary audio input, MP3 players, and satellite radio. And information is provided to the driver and passengers through navigation systems, hands-free communications systems, and wireless cell phone hookups.
But with all of these enhancements come the questions about the privacy and security of the data.
First, the privacy. A car's infotainment system contains not only our personal information (name, cell phone numbers, satellite radio codes, etc.) but also data about where we have driven. What happens to this information when we no longer own the car?
Tesla owners were surprised yesterday (Mar 29 2019) to learn that their data is not encrypted or wiped clean when the car leaves the owner. The security researchers GreenTheOnly and Theo found that huge amounts of data are left behind in Teslas. These researchers bought a wrecked Tesla Model 3 to evaluate the data that remains in the car’s computers after a crash. They found from the data inside the Tesla systems that it was owned by a construction company in Boston area and was used by its employees. A little more digging in the car's memory found that the car’s computers had stored data from at least 17 different devices, and none of the data was not encrypted. Mobile phones or tablets had paired to the car 170 times, and the car held 11 phonebooks’ worth of contact information from drivers or passengers who had paired their devices, along with calendar entries with descriptions of planned appointments and even e-mail addresses of those invited to the appointments. It also showed the drivers’ last 73 navigation locations including residential addresses, a country club, and local restaurants and businesses.
Because this particular Tesla was involved in a crash, the security researchers looked to see what they could find out about the crash from the Tesla. They were able to extract video from the car that shows it speeding out of the right lane into the trees off the left side of a dark two-lane road. The GPS and vehicle data showed that that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on August 11, and was severe enough that the airbags deployed. Yet moments before the crash the incoming call logs indicated that someone had called the driver of the Tesla.
So, now the questions about the privacy of this data. Obviously, it is not encrypted or wiped out when the car changes hands, in a Tesla or in another brand. But is this data being uploaded--and to whom? If so, how is it then used? Do insurance companies get to look at it to determine who is at fault in an accident? And how is this data then protected?
(And a reminder for the upcoming vacation season: if you pair your phone while using a rental car be sure to delete it when you return the car. Go to system settings, or the Bluetooth setup menu, and delete your device from the paired phones list. Or, select the factory reset option in the menu).
But that's not all.
Tesla has pioneered the ability to fix their cars through a patch distributed over the air (OTA) to their cars. In mid-May 2018 Consumer Reports downgraded Teslas to "Not Recommended" due in part to the long stopping distances of a Tesla. Yet nine days later Consumer Reports changed its review to "Recommended." Why? It's because in one weekend Tesla pushed out an OTA update that changed the calibration of the vehicle’s antilock braking algorithm to reduce the car's stopping distance by 19 feet at 60 MPH.
In fact, over the last six years Tesla has sent 40 patches through 3G or Wi-Fi networks to their cars. Tesla even pushed out a wireless patch to Tesla cars that were in the path of last year's Hurricane Irma so that they could drive farther than normal on a single charge in order to help the drivers flee the path of the hurricane.
(Interestingly, in Sweden they are very concerned about Tesla OTA updates. That's because all cars sold there, as in the U.S., are required to be tested and certified by authorities before receiving approval to be sold. The question being asked is this: do OTA updates change the configuration of the Teslas to the extent that they must be re-tested before being allowed to be driven?).
But just like the Tesla's infotainment system was hacked last month, could the OTA updates also be hacked, allowing someone to take over control of a Tesla? Tesla does not say how its OTA updates are protected--if they even are protected.
And the other car makers are not far behind in this race. General Motors will introduce its first fully updatable car later this year and will expand that feature to all its cars. Ford will offer OTA updates on a new electric car scheduled to go on sale next year. The research firm IHS Markit says that last year there were 500,000 cars that could receive OTA updates. By 2025 there will be 35 million such cars. What security will be in place? According to the President of GM, "We're not going to do this without highly thought-out cybersecurity measures, which I'm not sure gets enough attention." But will they wait until strong security is in place? Or will they release something--after all, they are in a race with other car companies--and hope that any vulnerabilities will be fixed before the bad guys find them?
Car companies face questions about the privacy and security of our car's data. They should do something now about protecting our data before it's too late.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.