Advancements in connected cars are surging, yet car security lags behind

Rapid advancements in connected car technology in Europe are accelerating data collection faster than regulation is evolving, leaving potential safety and privacy loopholes.

Connected cars, with their advanced sensors and digital capabilities, have revolutionised modern transport. However, they also present a new set of security concerns, as revealed in a recent study.

The study, which surveyed approximately 300 people, primarily in Europe, highlights the importance of data privacy in this digital age. Connected cars collect sensitive information, such as location history and driving behaviour, making data leaks a major issue. Yet, most drivers are in the dark about what data is being collected and where it goes, according to the survey.

One of the key findings of the study is the complexity added to vehicle cybersecurity by the supply chain. A vulnerability in a single third-party component or API can impact multiple manufacturers and models, increasing the attack surface.

Attackers can move deeper into a vehicle by exploiting the Controller Area Network (CAN) bus, which connects key systems such as brakes, steering, and acceleration. Sensors in connected cars, such as cameras, radar, lidar, and GPS, can also be manipulated, creating confusion for driver assistance systems.

The study shows that while Europe has strong building blocks in place, there are still mismatches between technical standards, legal requirements, and consumer expectations. For instance, ISO 21434 focuses on software development, while R155 focuses on deployed software in the wild.

Europe has regulations like UNECE R155, UN R156, GDPR, and the upcoming Cyber Resilience Act to address these risks. However, they lack consistency and enforcement power. No single framework addresses all threat areas in connected car cybersecurity, and supply chain security remains a weak spot due to a lack of third-party accountability.

Brand perception plays a role in consumer preferences, with many participants preferring European or Japanese brands. However, the term "smart car" is still vague in the minds of many consumers, with a focus on features like autonomous driving or entertainment systems and less attention to data security and privacy.

Some expressed distrust toward vehicles from certain countries, citing political concerns, safety issues, or perceived quality gaps. Yet, the study found that a majority of respondents believe their vehicles send data to both manufacturers and outside companies, with awareness highest among owners of newer cars.

Industry standards like ISO/SAE 21434, ISO 24089, TISAX, and AUTOSAR Adaptive provide guidance on vehicle cybersecurity and software updates, but they are often voluntary and lack enforcement power. David Brumley, a professor of offensive cybersecurity at Carnegie Mellon University, notes that the study could have explained why different standards exist.

Brumley warns that the pace of innovation has outstripped the willingness of some automakers to embrace the spirit of regulations, resulting in cars on the road today with known vulnerabilities. Compromised firmware can spread through over-the-air updates, affecting large numbers of vehicles at once. Remote access attacks can target telematics systems, wireless interfaces, or mobile apps linked to the car.

As connected cars continue to evolve, it is crucial that manufacturers prioritise cybersecurity to protect both the vehicles and the personal data they collect. The study serves as a reminder that while connected cars offer numerous benefits, they also present significant risks that need to be addressed.
