The age-old discussion on data privacy continues. Now, it has to do with smart cars. There is no doubt that new and modern cars will have more IoT devices. And with all these technologies on board, it is most likely car manufacturers will want to make the most out of the data they collect. But now there is a concern on privacy.
It was recently revealed that Mercedes Benz models have trackers in them that can pinpoint the location of their sold vehicles. The secret sensors are fitted in all new and used cars sold by dealers. Unlike mobile devices whereby users can turn off their location, it is not the same when it comes to these cars.
According to a report by The Sun, Mercedes will not say how long they have used the sensors and insist that it is only activated in extreme circumstances, which in this case is when finance customers default on their payments. However, Mercedes admits sharing car owner information and vehicle location details with third-party bailiffs and recovery films for repossession purposes.
Under European Union data protection laws, tracking a vehicle without its driver’s knowledge is illegal. But now, the EU Council wants all cars made inside the Union to feature location-tracking devices so they can monitor speed, driving behaviour and whether motorists are using safety features properly from 2022.
Cybersecurity Asean reached out to Art Dahnert, Managing Consultant at Synopsys Software Integrity Group to get his views on this issue. According to Art, today’s modern vehicle has many sensors that can be used for location identification. All of these technologies are available to an OEM and offered to their customers in today’s vehicles and by themselves are generally not used to spy on the driver or the passenger compartment.
However, he said if a manufacturer were to tie these technologies together in order to provide a more compelling product, then there is a strong likelihood for determining exact vehicle location. And as with all technology, it has the potential to be misused or abused.
“The missing ingredient is the software to tie all of the individual components together to offer a complete, real-time picture of the vehicle, including spying on the driver or passengers.”
He explained that future technology would make this capability standard across all manufacturers. The addition of a cellular modem allows for the communication of that data to anywhere around the world, including to the cloud servers of each OEM.
“Because the vehicles contain other technology, such as an internal microphone for “hands free” phone calls and internal cameras to determine if the driver is awake or distracted, it is possible to visually identify if a specific person is in fact driving a vehicle as well.”
Interestingly, Art pointed out that vehicle manufacturers have had personally identifying information about their customers since the very beginning. They know our address as well as other demographic information, such as family size and economic details. This information is often correlated in a database controlled by the automotive corporation.
“This is a real problem if you are concerned about privacy since it is possible for a corporation to know where you are at any point in time. Currently, there are no controls in place from a regulatory or legislative view for this type of location resolution and tracking. It is easy to imagine the damage to individuals or groups of individuals if this system was abused, either by a malicious employee or through some type of remote attack.”
Art believes the argument that it is only used for tracking down scofflaws who don’t make their car payments is a specious one at best.
“Unfortunately, this is the scary side of the upcoming generation of vehicle technology as all manufacturers will require real time access to a vehicle’s location as we move to a future of self-driving or “near self-driving” cars.”
Cybersecurity Asean also spoke to Cody Brocious, a researcher at Hacker One. Interestingly his view is that whether it's possible or not for hackers to take over the cars or compromise them in any way via the device is unknown; it's possible that these are broadcast-only devices, which would make that impossible.
His concern is, if Mercedes is able to track these vehicles, it's entirely possible that others are (or could be) able to do so as well.