Recently, the Black Hat Briefings and DEF CON Hacking Conference both took place in Las Vegas, Nevada. Both annual conferences bring together different sector leaders to discuss emerging cybersecurity issues. Over the coming weeks, Accellis will dive deeper into conference findings and how new insights will affect the cybersecurity landscape.
It is becoming more of a norm for cars to include Bluetooth, automatic headlights, touch screen radios, and even able to “self-drive”. As technology use increases, car manufacturers are doing their part to incorporate technology into their vehicles. But, even these cars are prey to attackers. A group of Chinese security researchers held a presentation showing the pit fall of self-driving cars. Taking the new Tesla Model X, they found it possible to take full control of the car. And I do mean full control, from playing the radio all the way to driving the car or disabling everything while the car is in motion. By using the built-in Wi-Fi and the car’s cell service, they could control the car from any location. Another group even exposed similar vulnerabilities in a Jeep Liberty with a built-in Wi-Fi hotspot.
Is Your Data Safe?
Because of these findings, this information sparks interest in whether the data available to the testers violates legal concerns. Back in 2015, Senator Ed Markey established legislation to set standards for privacy and security of this data. The security regulations require:
- All wireless access points in the car are protected against hacking attacks and evaluated using penetration testing
- To prevent unwanted access, all collected information is appropriately secured and encrypted
- The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events
In addition, the manufacturers must guarantee these privacy standards:
- Manufacturers explicitly inform drivers of data collection, transmission, and use of driving information
- Consumers can choose not to share data without having to disable navigation
- Prohibition on the use of personal driving information for advertising or marketing purposes
However, if the consumer consents to share the data they put themselves at risk. Just because laws exist to prevent these attacks does not mean cybercriminals will abide by them. The best and maybe only way to prevent this form of attack is to not buy Wi-Fi hotspot vehicles. But, as shiny and awesome as they can be, just remember to always update the car’s system when the manufactory releases an update.