The continuing integration of mobile technology linked into vehicles is creating huge data security issues. Julian Kirk discovers how to keep your information secure.

BMW connected remote

Smartphone apps continue to promise an easier life, offering everything from expenses calculators to calorie checkers to golf course maps. Seemingly there is an app for any hobby, interest or business use.

But the ubiquity of these apps means that virtually every employee who syncs their mobile into their vehicle is now a mobile liability zone for businesses under the new EU General Data Protection Regulation (GDPR). Due to come into force on 25 May 2018, this new Europe-wide regulation increases the emphasis on businesses to ensure the data they hold on employees and customers is secure. Failure to do so could result in a fine of up to €20 million (or 2% of annual turnover).

Any breach of data, either through an operator mistake or through cyber-hacking, could be extremely expensive as well as inconvenient – employees with company credit cards linked into their phone could be a gateway for criminals to siphon money out of the business bank account, sensitive data contained in emails could make its way into the public domain… the potential is huge (as credit monitoring firm Equifax discovered to its cost back in May when the personal data of 143 million customers in the US – and 400,000 in the UK – was hacked).

As a result, businesses must be ‘cyber secure’ – although being 100% safe is not an option thanks to the expertise of professional hackers (to highlight the sheer scale of the problem, a simple ‘mobile hacking’ search on Google delivered millions of ‘tips’ on how to hack mobile phones).

With the proliferation of public Wi-Fi networks, that’s only going to get harder. In its 2017 Communications Market Report, Ofcom pointed out that 69% of smartphone data is downloaded via a wireless connection rather than the cellular network. Panellists averaged 1.9 unique hotspots per day, and some used up to 30, and estimates suggest there are over 250,000 hotspots across the UK. In many cases, users’ devices may be logging on automatically if they’ve used the network before.

While they’re useful for staying in touch, these can also give a back door for hackers to access sensitive information. Russian cybersecurity research agency, Kaspersky Labs, published a report warning that hotspots are ‘inherently insecure’, prone to hackers being able to either monitor data being exchanged over the connection, or setting up their own fake networks to do so. Its advice is simple; use a mobile data signal for apps which exchange sensitive information, or as a tether for larger devices such as laptops. Particularly now that apps can be used to unlock vehicles without needing the key.

But the vehicles themselves are equally data-rich, and perhaps less commonly considered as a target for hacking than laptops, tablets or smartphones. Kit Wisdom, head of technical services at Alphabet, says the most important thing any employee and business can do is to ensure that personal data is cleared from vehicles as often as possible.

“The face of car crime has changed dramatically over recent years,” he explains. “Vehicle manufacturers have made their cars and vans harder to steal, forcing criminals to change their tactics. Today, one of the fastest-growing risks to drivers is cyber-crime of one kind or another.

“Today’s cars allow you to connect phones and more to music, social media, location services and other cloud applications. While this technology has led to high-profile speculation about hackers potentially gaining control over connected and autonomous cars in future, it is more likely that someone might try to access your car’s systems to obtain personal data about you.

“For example, when you pair a phone with your car via Bluetooth, the default setting is usually to import all call logs and contacts. That’s convenient for staying connected on the move but it adds a risk that someone could get their hands on information they could use to steal your identity or scam people you know.”

Wisdom adds that protecting your in-car data privacy is chiefly about knowing how to clear personal data when the time comes to change your car – or if you are very privacy-minded – whenever you hand it over to someone else. This includes deleting addresses, call logs and messages held in the infotainment, clearing previous destinations from the navigation and disconnecting it from any social media apps.

Legal firm Geldards’ senior associate Julian Turner advocates businesses ensuring managers throughout the company are focused on cyber security. He says: “The biggest threat is failure to take action. Every business should carry out a ‘pre-mortem’ to focus the minds of owners and managers.”

Geldards also suggests having a data breach reporting team in place – most likely to include representatives from key sectors of the business such as IT, legal services, operations and the data protection officer (in certain business cases – see www.ico.org.uk for details). This team should then implement a data breach reporting policy to ensure the business can respond effectively to any personal data breach. Timing is key on this issue as under the GDPR rules, businesses have just 72 hours to inform the Information Commissioner’s Office of a breach.

Government Guidance

The Department for Transport, alongside the Centre for the Protection of National Infrastructure and the Centre for Connected and Autonomous Vehicles, has issued eight guiding principles which set out how the automotive sector can make sure cyber security is properly considered at every level, from the initial design of the vehicle right through the supply chain…

1. Organisational security is owned, governed and promoted at board level.
2. Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
3. Organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
4. All organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system.
5. Systems are designed using a defence-in-depth approach.
6. The security of all software is managed throughout its lifetime.
7. The storage and transmission of data is secure and can be controlled.
8. The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Gerry Keaney, chief executive of the BVRLA, welcomes the initiative: “Cyber security is potentially an area of huge vulnerability for the automotive industry if we do not take steps to be properly protected so we expect to see an increase in the employment of tech-savvy cyber security professionals throughout the supply chain right across the automotive industry.”

Jailbreaking & Rooting

Jailbreaking (Apple phones) and rooting (Android phones) can create extra problems, particularly when personal devices are used for work.

The processes involve removing restrictions on software within the phones put there by the manufacturers. It makes users effectively the phone’s administrator, giving more control over the device and what can be installed on it. However, because these phones are able to install apps from outside of the App store, they are more open to being hacked as they do not come with the same levels of security built-in.

Kaspersky Labs discovered last year that this could be used as a back door to hack into the phone, or even control a user’s vehicle. While the company said many banking apps have detection for rooting or jailbreaking, its own testing showed this was not the case for vehicle-related apps.