Data capture: A look at the latest telematics developments
Connected services are becoming more common in the latest infotainment systems, including emails, calendars, social media and downloadable apps – potentially with accounts containing banking. Most fleet cars are at least capable of storing phone books and call lists transmitted via Bluetooth, and often previous destinations used by the satellite navigation.
It’s a considerable amount of sensitive data, which could be accessed by anyone using the vehicle (with or without the owner’s consent), creating serious data security issues for fleets. The industry has been vocal in its concern about the high frequency of end of contract vehicles being returned with personal data still accessible, and the potential risk of this being extracted by subsequent keepers;
“Initially vehicles were fitted with satellite navigation devices and returned vehicles frequently contained a stream of addresses,” explains Martin Hughes, remarketing director of contract hire and leasing specialist, Activa Contracts.
“Now drivers are plugging their smartphones into car multi‐media systems and conducting a wide range of business. The issue is that these systems are mini computers and retain a vast amount of information, and much of it is likely to be private or business confidential.
“We advise drivers returning their company cars to ensure the system is back to its factory setting, thereby deleting all information,” he adds.
Smartphone connectivity does have an advantage, though.
Apple CarPlay and Android Auto are designed to offer the same operating system in any brand of car, effectively mirroring a simplified version of the smartphone operating system on the dashboard for instant user familiarity.
The added security benefit is that these do not transfer any data to the car – once the phone is unplugged, the data goes with it. Certainly a solution for improving data security for pool and hire vehicles, but also likely to become more popular with drivers as it becomes more widespread.
What is transferred?
The Federation Internationale De L’automobile (FIA Region I) – a consumer body representing the interests of motorists across Europe, the Middle East and Africa, recently published an infographic that highlights the scale of data new vehicles are able track and transmit.
The investigation of the data transferred by two connected vehicles found that, in addition to vehicle data, information synced from the driver’s mobile phone is also tracked and transmitted back to the manufacturer – without the driver’s explicit consent.
FIA found that, when a new car is purchased, the contract often includes a clause allowing the automatic transfer of data to the manufacturer’s proprietary supplier network. The organisation is lobbying for informed consent about access to personal and vehicle data, and the transfer of data ownership back to the driver.
The key data security concern for fleets here is not so much the threat of hacking; as these networks are as secure as can be, but the issue of potentially sensitive data being transferred to a network of organisations without the driver’s explicit consent, and leveraged to solicit for unwanted services. With an estimated 60% of all new vehicles capable of connecting to the internet from 2016, manufacturers are under increasingly strong consumer pressure to be open about the way data is used and shared.
In an attempt to alleviate some of these concerns, the European Automobile Manufacturers’ Association (ACEA) unveiled its new ‘statement of intent’ regarding connected car technology at this year’s Frankfurt Motor Show.
ACEA’s members –who include the majority of manufacturers operating in Europe, pledged to adopt five key principles of data protection to which the industry will adhere; including transparency about the third parties information
may be shared with, and the identity of the company, or group of companies, that govern data processing.
ACEA asserted that its members already adhere to strict legislation regarding data protection, including the ability for customers to de‐activate the geolocation functionality unless the information is tracked by features such as eCall, and the fact that ‘personal’ data is retained for the shortest possible time before being rendered anonymous or deleted.
As well as helping to build trust with consumers, this desire to offer improved transparency is also motivated by the forthcoming tightening of EU legislation. The imminent amendments to the EU Data Protection Regulation will require manufacturers to prove that they have obtained informed consent from all relevant data subjects for the extraction of data collected by connected cars, or face fines of up to 5% of global annual turnover, or €100m (£70.4m), whichever is greater.
Exposure to data hacking
Despite the vast sums being invested to protect data being extracted by unauthorised sources, one undeniable issue remains – if a criminal is determined to gain access there is a good chance they will eventually find a way to do it.
“However, you have to pose the question, why would anyone want to do this?” asks Ashley Sowerby, managing director of fleet management company, Chevin Fleet Solutions.
“There are obvious examples, such as someone perhaps wanting to gain access to a goods vehicle carrying something valuable but, really, traditional ways of getting in are faster and easier.
“There is the possibility of malicious behaviour, but we are into an area of extreme criminality that very few fleets are likely to encounter, if any.”
Any reputable in‐car technology supplier should be able to provide details of the anti‐hacking measures and data protection safeguards already in place to help alleviate concerns about security.
Black box security
Recent high‐profile incidents in which hackers have demonstrated their ability to seize control of vehicle components (including the brakes and steering) via
devices connected to the On‐Board Diagnostics (OBDII) port have led to a degree of uncertainty about the security of telematics technology, and the confidentiality of data collected. However, the industry has been quick to point out that many of these OBDII port hacks have been undertaken as academic research, with no instances currently recorded in the UK.
“Every vehicle sold since 1996 has one OBDII port,” explains Mark Canning, director of product & integration services at telematics solutions provider, In
Car Cleverness. “It enables monitoring of emissions, mileage, speed and mechanical condition, and any activated warning lights when a problem is detected.
Workshop technicians can ‘communicate’ with a vehicle via its OBDII port in order to detect faults.
“Claims of successful vehicle hacking through the OBDII port should be treated with caution; specialist knowledge about that vehicle would be required to affect such an event, and the vehicle communications and any plugged in devices (such as black boxes) would need to be unencrypted in‐flight and at rest to gain any access,” he adds.
All modern telematics units offer varying levels of data encryption to protect against such attacks, with safe guards in place to ensure data encryption remains activate. “Our products have, by design, several features that ensure that the OBDII vehicle data port cannot be accessed directly by outside parties,” confirms Martin Bramwell, director at In Car Cleverness.
Separation of data
Because all data collected by the OBDII port relates to vehicle status, telematics units do not present a security issue for fleets – personal or potentially sensitive data is collected.
“Personal driver or business information is not stored in our black box, and it’s actually pretty difficult to access the vehicle data stored on the telematics device due to heavy encryption,” confirms Nick Walker, managing director of RAC Business. “Data is deliberately kept separate, with any personal or sensitive business information confined to the online platform and not accessible through the in‐car device.”
Issues of data security will become more complex as in‐car connectivity gains greater prominence, and criminals refine their techniques. “To help prevent unauthorised access, you need to ensure that your telematics or other systems provider puts in place some basic security methods,” concludes Ashley Sowerby. “Think of it in the same way as you might protect your home from thieves. The truth is that a determined person will always get into the house but most criminals are looking for an easy target, so if you fit an alarm and window locks, they will probably move on to the next property.”