Skip navigation
Connected Car stock image

Access to Connected Car User Data a Future Risk to Automotive Security

VicOne researchers explore current cyberattacks on connected cars in the underground and potential future attacks, and recommend how risks can be mitigated.

Researchers at VicOne probed underground forums to find out what notable cyberattacks against connected cars were being discussed. The only “cyberattacks” related to connected cars that they found being widely talked about involved car modification aka car modding. Enthusiasts carry out car modding to manipulate car mileage, hide records of triggered incidents like airbag deployment, or unlock car features like car seat heating, which OEMs offer as a paid upgrade. While car modding chips away at OEMs’ profits, it doesn’t really target connected car users, which casts some doubt on whether car modding activities can actually be considered cyberattacks.

Nevertheless, the VicOne researchers believe that it’s only a matter of time before malicious actors begin to widely discuss cyberattacks against connected cars on underground forums and attempt to carry them out in the wild. And this hinges on when they’ll realize and start acting on the emerging value of connected car data, specifically access to connected car user accounts, which are required to manage connected cars’ online features. According to the VicOne researchers, takeover of car user accounts by cybercriminals is a possible cyberattack that might gain traction on underground forums in the future.

Gaining unauthorized access to a car user account can enable cybercriminals to locate the corresponding car and can grant them some degree of control over the car, such as the ability to unlock its doors or start its engine or motor remotely. This means that they can break into it and loot it for valuables, sell it for parts, or sell it to other miscreants for use in one-off crimes. They can also use the data associated with the car user account to pinpoint the car owner’s address and know when the owner is not home, or to determine places where the owner drives regularly and use this possibly incriminating information for extortion. Alternatively, they can grow their business by selling access to the car user account to other malicious actors, who can then abuse it for their own nefarious purposes.

The opportunities to take advantage of connected cars and ways to make money from gaining access to connected car users’ data already exist, even if cybercriminals have yet to realize them. Currently, the most salient attack vector that cybercriminals can explore to target connected car users is access to OEM websites used by car users to manage their accounts and their vehicles’ functionalities. Stealing of website credentials and exploitation of unsecure browsers are well within the expertise of cybercriminals.

OEMs therefore need to address the lack of security measures that puts connected car user accounts at risk. Aside from using multifactor authentication with OEMs’ websites for car user account management to address current and future threats, OEMs can consider adopting smart cockpit protection solutions to detect and block malicious apps that enable malicious actors to access private data stored in vehicles’ IVI systems and the OEMs’ cloud back end.

The cybercriminal underground market for connected car data is still in its nascent phase, but the VicOne researchers believe that this period won’t last long. Once third-party entities, such as banks and insurance companies, start using connected car data extensively and the connected car data ecosystem begins expanding greatly, cybercriminals will grasp the value of connected car data and make their first attempts at exploiting it.

The risks discussed here proceed from logical ways in which cybercriminals might expand their business. To mitigate these risks and ensure the safety of users, their data, and their vehicles, it’s imperative that connected car stakeholders adopt a proactive security approach.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.