Researcher Highlights Potential Security Vulnerabilities of Connected Cars

Imagine getting an email telling you that someone had hacked into your connected car and not only found your email address, but also gained control of the car’s door locks and horn.

That happened to two dozen owners of Tesla vehicles after a hacker first gained control of those vehicle functions through a piece of third-party software the owners were using and then found their email addresses through the software for Tesla’s digital key, Bloomberg reported.

Fortunately, the hacker, a security researcher in Germany named David Colombo, reported the vulnerability to the third-party software provider and did not go public until the provider had fixed it, TechCrunch reported.

Colombo also reported his ability to access the owners’ email addresses to Tesla, saying he’d done so through a Tesla application programming interface (API), and did not make it public until the company had taken steps to prevent that from happening again, according to the Bloomberg report.

“This is all part of Security Research, and I purely have good intent,” Colombo wrote in a blog post. “As soon as I can confirm a vulnerability exists, I immediately report it to the affected and involved parties.”

Spotlighting the Importance of Security for Digitized Fleets

In the post, Colombo also shared tips for Tesla owners, third-party maintainers and Tesla on preventing this from happening again, saying that each could have taken steps to prevent him from doing what he had done.

“Automotive security is a very important topic, especially as other automakers, such as VW, join in digitizing their fleets,” Colombo wrote in the post.

Today’s new cars contain up to 100 electronic control units (ECUs) and 100 million to 150 million lines of code, according to Dellfer, an automotive and Internet of Things (IoT) cybersecurity software company that announced an $8 million Series A investment in October.

“Tech is a major reason why the average cost of a new vehicle in the U.S. in late 2020 exceeded $40,000,” Dellfer said. “That’s just the average. Because cars are now rolling computers, 40% of the cost is in electronic systems.”

At the same time, Dellfer added, global cybercrimes are estimated to continue to grow 15% annually, reaching $10 trillion by 2025.

Storing Data in Cars’ Electronic Systems

The kind of data that is stored in cars’ electronic systems will vary by the manufacturer, the system and the third-party vendors, but it commonly includes phone logs, contact lists, text messages, identifiers of the phone, garage door codes and, in navigation systems, destinations, Andrea Amico, founder and CEO of Privacy4Cars, told PYMNTS.

At the time he spoke with PYMNTS, Amico had been interviewed on a TV news broadcast covering the story of someone who had sold his car but found that the app still allowed him to see its location, lock and unlock it, and start and stop it using his phone — even though the car was in another state and in the possession of a new owner.

“I hope that people will see that there’s a need of doing something about it before something bad happens,” Amico told PYMNTS.