Posted by Jim Ivers on July 22, 2016
Originally posted on SecurityWeek
Early in 2001, before I was even in the IT Security business, I saw a glimpse of the future. While at a CIO conference dinner, I started talking to a gentleman who was responsible for the IT infrastructure behind an emerging new service called OnStar. The conversation soon turned to the many challenges he faced—problems that were not readily apparent to the automobile industry, much less the general population.
He told me he was preparing for the first time OnStar would be subpoenaed to refute or corroborate a claim in court of someone being at a specific place at a specific time. This could easily happen in a “he said/she said” divorce case where one spouse said they were somewhere and the other said they were somewhere very different. He contemplated if OnStar would be able to provide geolocation data to pinpoint the person-in-question’s car at a specific time.
He fretted over the commercialization of the OnStar data, knowing that the phone companies had parlayed free or discounted phones into huge revenue streams because customers gladly sold their phone privacy souls to get the latest, shiniest technology. He noted there may come a day when an OnStar subscriber would climb into their car and start a well-traveled route to their neighborhood grocer. When the data indicated their probable destination, could OnStar alert the driver to specials at the store? If so, what would be the level of tolerance for this intrusion? Would the revenue realized offset losses from customers cancelling their service?
Fast forward to today. While walking to my car to get to my weekly Monday night gathering, my phone buzzed. It was an alert informing me of my current travel status and estimated driving time to the very spot I was now heading. I hadn’t requested that alert. Data based on my typical Monday night routine had been captured, stored, collated, and then used to extrapolate my destination.
As I stood in my driveway, my conversations with the gentleman from OnStar flashed into my mind. While it was not my car that had collected the data to communicate back to me, it very well could have been.
Of course, as I am completing the process of putting two children through college, my car is nearing vintage status and doesn’t have the connectivity increasingly standard in today’s vehicles. A recent study by the GSMA, “Connected Car Forecast: Global Connected Car Market to Grow Threefold Within Five Years,” says that 50% of vehicles sold worldwide in 2015 were connected (either by embedded, tethered, or smartphone integration) and every new car will be connected in multiple ways by 2025.
What fascinates me the most is the attitude of consumers. 62% of consumers are worried that cars will be easily hacked in the future, according to an RSA presentation from Kelly Blue Book. In their corresponding report “Braking the Connected Car: The Future of Vehicle Vulnerabilities,” one in three prospective car buyers say connectivity is a big factor in their decision. Furthermore, they claim that 62% of consumers are worried that cars will be easily hacked in the future. And yet, 44% of consumers feel that the vehicle manufacturer is responsible for securing a vehicle from hacking. So much for being personally accountable for our own security.