6 Questions to Ask While Buying a Connected Car
Here are six questions to keep in mind when you walk into the showroom to buy a networked car.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt345e0be24ea450a0/64f0d4e03d73a3cfdd614ec1/Slide_1_CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Car manufacturers are quickly moving to a time when autos will be mostly, if not fully, autonomous. Meanwhile, new cars are packed with Bluetooth, cellular gateways, and Wi-Fi connectivity — which means they are open to security vulnerabilities.
In putting together this story, we talked to several experts who follow developments regarding the connected car, and just about all of them say there's still a lot in flux.
"There not a salesperson in a showroom anywhere who could answer even basic security questions," says Steve Hoffenberg, director of Internet of Things (IoT) and embedded technology at VDC Research. "But that doesn't mean consumers shouldn't be asking questions about security."
"People need to ask the car companies where they stand on security," says Kayne McGladrey, director of security and IT at Pensar Development and an IEEE member, who cites companies such as Apple and Google, which have made strong public statements on these matters.
When asked if the car companies have followed suit, McGladrey says, "Not really."
So, what are consumers to do? Security pros may know more about what to ask for, but there are thousands, even millions, of consumers who simply don't know where to start. Read these six tips to get an idea of what you should be thinking about when you step into that showroom and the salespeople start selling you on a connected car.
Steve Hoffenberg, director of IoT and embedded technology at VDC Research, says the vehicle manufacturer has to ensure that a hacker can't go through the IVI system to other more critical parts of the car, such as the brake system or the engine. Typically, the cellular gateways installed in most connected cars have a firewall capability today. The basic question consumers should ask is how the manufacturer separates the IVI system so the car won't stop suddenly when the car is going 60 miles per hour on the highway.
Symantec's Agarwal says once the car has access to the Internet, the risk profile is raised. In some connected cars today, drivers can access a browser, but it's not fully functional and, to limit exposure to malware, there's no flash video. Consumers also should ask which devices they can connect to the car's network. Can they only use their phones? Or can they connect the car to a tablet or laptop computer?
Another important question: Does the car pick up local Wi-Fi networks when it stops at different restaurants, coffee shops, and buildings? If drivers decide to use local Wi-Fi, Agarwal says they must be very sure that the sites are legitimate and aren't malicious sites that can inject malware into the car's control system. Check the URLs to make sure they are spelled properly and don't have any funky domains.
David Barzilai, executive chairman and co-founder of Karamba Security, says consumers should also ask if they can block the connectivity in the car if they don't want the car to have that network connection. Also, assuming the driver will use the connectivity, if there's a suspected attack, how will the driver be informed of the breach?
Symantec's Agarwal says some questions around remotely controlling the car include the following: Can I start it up? Heat it up? Cool it down? Open the trunk? And, more important, what do I need to do to gain access? Is there only a username and password? Or is there some kind of two-factor authentication in which an SMS text gets sent to my phone?
VDC's Hoffenberg also points out that consumers should ask what kind of technology sits between the key and the vehicle. There are hackers who can intercept key signals to gain access and start up vehicles. Consumers should ask if the manufacturer has a way to encrypt the key signals so they can't get intercepted.
VDC's Hoffenberg says consumers should ask how the manufacturer plans to protect their data in the event of a breach in the cloud. What kind of security policies and protections does it have in the event of a breach? Consumers also must think about privacy. Can consumers opt out of having some of their data shared with third parties? Typically, manufacturers say they will only share data with "authorized" third parties. But what are those authorized third parties? Consumers have a right to know which companies get to see their data. Are they advertisers? Local dealers? Or are consumers only being asked to share information about the functionality of the car so they can improve the manufacturer's products? You have the right to ask questions about what the carmaker does with your data.
VDC's Hoffenberg admits this is one thing most people wouldn't think of, but there have been cases in which hackers have compromised important safety features in the car by going through the OBD-II system. For example, this could happen when a valet has a free moment with your car while parking the vehicle. The OBD-II systems generally are used by mechanics at dealers and garages to diagnose engine problems and are largely not protected by security controls. Ask the car dealer if the manufacturer has installed a firewall service to monitor attacks on the OBD-II system. That ought to make the salesperson's day!
VDC's Hoffenberg admits this is one thing most people wouldn't think of, but there have been cases in which hackers have compromised important safety features in the car by going through the OBD-II system. For example, this could happen when a valet has a free moment with your car while parking the vehicle. The OBD-II systems generally are used by mechanics at dealers and garages to diagnose engine problems and are largely not protected by security controls. Ask the car dealer if the manufacturer has installed a firewall service to monitor attacks on the OBD-II system. That ought to make the salesperson's day!
Car manufacturers are quickly moving to a time when autos will be mostly, if not fully, autonomous. Meanwhile, new cars are packed with Bluetooth, cellular gateways, and Wi-Fi connectivity — which means they are open to security vulnerabilities.
In putting together this story, we talked to several experts who follow developments regarding the connected car, and just about all of them say there's still a lot in flux.
"There not a salesperson in a showroom anywhere who could answer even basic security questions," says Steve Hoffenberg, director of Internet of Things (IoT) and embedded technology at VDC Research. "But that doesn't mean consumers shouldn't be asking questions about security."
"People need to ask the car companies where they stand on security," says Kayne McGladrey, director of security and IT at Pensar Development and an IEEE member, who cites companies such as Apple and Google, which have made strong public statements on these matters.
When asked if the car companies have followed suit, McGladrey says, "Not really."
So, what are consumers to do? Security pros may know more about what to ask for, but there are thousands, even millions, of consumers who simply don't know where to start. Read these six tips to get an idea of what you should be thinking about when you step into that showroom and the salespeople start selling you on a connected car.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024