The car industry has taken its eye off the road when it comes to connected car features. There’s a general assumption that functions that don’t directly affect how the car performs in motion are less critical and this has lead to security being given a back seat.

But connected car operating systems are undoubtedly a viable target for attackers, as shown by the interest the CIA had in “vehicle systems” and “potential mission areas” in the Vault 7 documents leaked by Wikileaks earlier this month.

The CIA reportedly looked at the QNX operating system, owned by Blackberry, prompting the company to issue a statement saying that “security is only as strong as the weakest link”.

So how are connected cars exposing the driver? There are five key ways cars are being compromised.

1.        A wider attack surface

These cars are just one component in an array of connected devices known as the Internet of Things (IoT) a collective ecosystem of devices which is beginning to share data over numerous channels. Internet, mobile, Bluetooth, custom radio frequency protocols, DAB, media files imported over USB, remote diagnostics, telematics, mobile apps… the list goes on.

With the connected car sharing data with other IoT devices, so the potential for an attack grows. BMW recently integrated Amazon’s Echo Dot which uses the Alexa voice system, for instance. According to the manufacturer, this includes the ability to voice instruct the vehicle to “unlock your BMW... from anywhere”, although upon testing it only seems to lock at present.

You can unlock the car using the app, however. Apple carplay, Android auto and mirrorlink all  now open more avenues for interaction with the car. These effectively make the car’s security now totally dependent on the robustness of the security of a third party device.

Tesla Model X: A good example of a technology-laden vehicle we all could be driving in future

2.        Amassing user data

Connected cars are seeking to pool data from multiple touchpoints to create a better user experience and to monetise that data. There are already examples of manufacturers combining user data from sources such as social media and pushing this data up to the cloud.

Going forward, everything from how and where you drive to your shopping habits to when you fill up at the petrol station or service your car will be amassed and exploited commercially. It’s valuable data that various suppliers – and hackers – will want access to.

This is already causing controversy within the industry because as car servicing moves from onboard diagnostics ports to data held in the cloud, it places the manufacturer in complete control of all of this information, effectively depriving independent garages of vital data.

The European Automobile Manufacturers Association protests that open access to this data could “jeopardise safety (cyber) security and vehicle integrity” if it were made available widely so it’s clear manufacturers recognise the sensitive nature of this data; what’s less clear is how it will be secured when it inevitably is shared.

3.        In-car WiFi

More manufacturers are now going down this path with in-car WiFi access points, partly due to the fact that uploading and retrieving data from the cloud does cause lag, preventing realtime services. In-car connectivity also reduces the cost and dependency on third parties.

Take the case of the Mitsubishi PHEV SUV. The manufacturer had installed a WiFi access point, however, because the pre-shared key password was relatively short it was easy to crack. We were also able to perform a Man-in-the-Middle attack and take over core functions such as the lights, heating, windows and the alarm system. In contrast, a cellular network is far more secure.

4.        Poor mobile app security

Today, the most common source of vulnerability which makes a natural starting point for the attacker is the connection between the mobile application and the access point. By sniffing the connection it’s possible to capture and reverse engineer this data to pinpoint and take over in-car functions.

Armed with this information, the attacker can then remotely cause mischief, preheating/cooling the car or deactivating the alarm and opening the windows to gain access. It’s also relatively easy to locate specific vehicles using geolocation sites such as Wigle.net and this could theoretically allow cars to be stolen to order.

The use of apps complicates the security picture

5.        Updates that are up to you

The likes of Fiat Chrysler, General Motors and Tesla now all have bug bounty programs which encourage white hat hackers to report or disclose vulnerabilities direct to the manufacturer for a reward. But updating the software on connected cars isn’t always straight forward.

Last year Toyota crashed the onboard systems on its Lexus range resulting in a blue screen of death. To make matters worse, the update mechanism itself needs to be secure to prevent it becoming hijacked.

Where updates will really prove critical is in the move from the connected to the autonomous car.  The recent Vehicle Technology and Aviation Bill will see drivers, not manufacturers, held accountable for updates.

Section 3.13 states that if an Autonomous Vehicle (AV) crashes and any human occupant didn’t update the cars software to the latest version, the insurance company could exclude liability to the injured motorist (although an injured third-party would be compensated).

Consequently, the onus will be on the driver to ensure security patches are applied giving manufacturers carte blanche to issue updates without the need to ensure installation.

Unless automotive manufacturers begin examining how they can secure communications, mobile apps, and the data entrusted to them, there will be in-car cyber attacks. These could involve hijacking system controls, locating and physically stealing cars, or personal data breaches as the car begins to tap into other sources of data.

We may even see personal car jackings, whereby wealthy individuals are targeted. And there will inevitably be investment in malware and perhaps ransomware, whereby payment is demanded to get back control of the vehicle.

But perhaps that’s what it will take. Maybe a cyber assault is needed for manufacturers to begin taking connected car security seriously. Let’s hope the car industry steps up before we as drivers hand over control completely to autonomous cars.

Ken Munro is a partner at Pen Test Partners.