Cars: a treasure trove of data and an ideal target for attacks

When we buy a new car we can choose between things like a sports car, a four-by-four or a family estate, running on either an electric, petrol or hybrid engine. All of the new models have one thing in common, however: they are packed with computer technology. Navigation and assisted driver systems, not to mention micro-computers for maintenance, produce gigabytes of data – hour after hour.

Invisible data flow

Cars: a treasure trove of data and an ideal target for attacks
Connected cars are increasingly susceptible to attacks by hackers.

If the car is also connected to the Internet, data may also be transmitted to third parties, repair shops, insurance companies or spare parts producers. Tests conducted by Germany's largest automobile club found that some models made by a German manufacturer send not only the vehicle's GPS position, mileage, fuel consumption and tyre pressure, but also the number of times the seatbelts are pulled tight because the vehicle has braked sharply.

The data flows invisibly in the background. When car owners connect their smartphone to the car via the multimedia system, personal data such as telephone numbers, addresses and e-mail accounts are additionally stored in the vehicle's IT system. Theoretically, this information can be downloaded in just the same way as the vehicle’s operating data. In the repair centre, the mechanic will use an on-board diagnostic (OBD) interface to access this data and obtain information about the causes of any errors.

Who is allowed to access my data?

In future, car owners are to be given a choice not only as to which car to buy, but also as to who gains access to their data. To this end, engineers, computer scientists, lawyers and psychologists have teamed up in the self-organised data protection in the connected car (SeDaFa) project (only in German) to develop a new interface specifically designed to protect personal data. Besides the Fraunhofer Institute for Secure Information Technology SIT and several universities, the project partners also include Volkswagen, Europe’s largest car manufacturer. Furthermore, data protection agencies from Germany are taking part to ensure compliance with legislative requirements such as the European General Data Protection Regulation (GDPR).

Greater transparency for car drivers

At the Institute of Ergonomics & Human Factors at Technische Universität Darmstadt, Dr Bettina Abendroth and her team designed the user interface. "We want the app to make things more transparent for users. They can see which data are stored, who they are sent to and how long they are kept", the industrial engineer explains.

Data protection versus functionality

Because not everyone wants to focus on every detail of data protection, and because users also need to be able to operate the system while driving, the data protection app offers preconfigured settings: highest, high, medium and low. The app keeps the user informed at all times about the extent to which functionality is limited by reducing the data flow. Users are not forced to choose one setting and stick to it, however – they can adjust the data protection level up or down at any time. "It is often the case that data protection measures reduce functionality", explains Abendroth. "That's why we give users the opportunity to weigh up the two against each other." The prototype developed by the SeDaFa project shows what a user-friendly solution that complies with data protection guidelines can be like. Now it is up to companies to develop a marketable product.

 

Security For Connected, Autonomous Cars (SecForCARs)

Another research consortium in the area of IT security for cars, SecForCARs will in the next three years be exploring how best to protect connected, autonomous cars. Such cars are particularly susceptible to attacks by hackers. This is because their electronics architecture has to record and reliably process far more data in a much shorter time than in conventional vehicles. So how can connected and autonomous cars be developed in such a way as to make them more secure? How are such vehicles to be tested for security gaps? How can security gaps that arise later be eliminated as quickly as possible? These are the questions being jointly addressed by the project partners – universities in Berlin, Braunschweig, Karlsruhe and Ulm, several research institutes and companies in the automotive, software development and IT security sectors.

www.uni-ulm.de > Powerful IT security for the car of the future