
Why autonomous vehicles compound the problem
Attacks can be on and from connected cars
Ovum has identified three types of attack to be considered in the context of the connected car: attacks that impair car or road safety, attacks that harvest sensitive data, and attacks on commercial fleets to damage reputations.
1. Attacks that impair car or road safety
These are cyberattacks that could interfere with brakes, accelerators, ABS, and so on to endanger the physical safety of a car’s passengers and other people in the immediate vicinity, such as pedestrians or the occupants of other cars.
This is the stuff of Hollywood movies, of course, but also of some of the high-profile attacks of recent years, such as the infamous Jeep hacks of 2015/16, when, among other things, a pair of hackers demonstrated to Wired magazine that they could take charge of elements of the vehicle’s control units in a Jeep Cherokee through the entertainment system, provoking a recall of 1.4 million vehicles by Chrysler, the owner of the Jeep brand.
2. Attacks that harvest sensitive data
A lot of sensitive personal data is at risk if a car’s internet-enabled systems are hacked. If commercial transactions are carried out by passengers, payment card data (PCI) could be misappropriated. If there are interactions with a healthcare provider while driving, say booking or confirming a doctor’s appointment, then PHI data might also be exposed. In addition, anything involving basic information such as name and address would mean PII data could be targeted.
Data collected and transmitted by in-car entertainment systems, for example when a user’s mobile phone is connected to the entertainment system to play songs from Spotify, could be of great value to a threat actor. There is also the potential for snooping on conversations between people in a vehicle if microphones used for voice-driven functionality are compromised.
3. Attacks on commercial fleets to damage reputations
Apart from private cars, another potential target for attacks is commercial vehicles, where unscrupulous rival operators might see opportunities to disrupt operations and even besmirch a company’s reputation by delaying a goods delivery or causing problems with a booked taxi pickup, for instance.
Autonomous vehicles are connected by default
Autonomous vehicles (AVs) are clearly some way off as a mass-market alternative to today’s driver-controlled private cars, not least because technologies such as light detection and ranging (LIDAR) are currently too expensive for inclusion in anything the average car buyer could afford. However, trends such as app-based ride hailing (Uber and Lyft, for example) and vehicle sharing are driving the development of robotaxi services that are already at the pilot stage in cities such as Phoenix and Pittsburgh. Robotaxis should be in use pretty much all the time, justifying the investment in LIDAR and other expensive systems. Indeed, some industry observers predict that AVs will usher in an era of more vehicle sharing generally, with less private car ownership.
AVs require connectivity even more than their driver-controlled counterparts. Self-driving cars are taught to deal with standard road conditions and situations, but need to connect to a remote back end to benefit from so-called “fleet learning” about how best to react to unexpected events, as well as to send data back to the artificial intelligence (AI) so that the fleet learning process is fed on an ongoing basis.
While driver-controlled cars typically spend long periods not in operation, and therefore disconnected from the internet, AVs such as robotaxis and other ride-sharing vehicles will be “always on”, making them even more attractive targets for cyber exploits.
AV development makes connected car security an even more pressing requirement
Hacking into a robotaxi or some other form of autonomous vehicle designed for sharing would obviate the need to work out how to power it up, because it would always be on. Therefore, if, as predicted, AVs gradually become more common on our streets, the ability to hack into them, and particularly the ones that are in continual use, will be attractive to threat actors.
The automotive industry needs to build cybersecurity into connected cars in a “secure by design” approach rather than retrofitting. This is essential now, while we are in the driver-controlled phase of vehicle digitalization, so that by the time AVs go mainstream, the potential for threat actors to wreak any of several types of havoc can be mitigated as far as possible.
