As Forrester has reported, IoT devices are more exposed to cyberattacks, requiring security leaders to address the security vulnerabilities in this wide array of devices deployed across their organization. One area that many security professionals continue to overlook is the simple car, which to be honest is no longer so simple. Unlike the Volkswagen Type 1, affectionately known as the Beetle, which was little more than an engine, four wheels, a body, some seats, and a steering wheel, most cars on the road today are roving networks of computer devices that may be sharing real-time information with each other, with the whole vehicle connected to the internet.

Unfortunately, as with many other IoT devices, the security of connected computer devices within cars was, until recently, an afterthought. Even newer vehicles are susceptible to hacking, because securing these components or the back-end systems supporting them has not been a top priority for automakers.

“OK,” you might say. “I get it: The connected vehicle can be hacked, and maybe someone could break in and steal my car. But what does this have to do with my organization’s security?”

Where do you drive your car? Not only can the vehicles themselves be hacked into locally or remotely, but the data stored in that car or at the manufacturer could be stolen to track your movements. This could allow an attacker to develop a profile of a high-value target. Or the automaker itself could be sharing that information with third parties that, for a price, could get detailed information about where you go and what you do: what time you leave your house, when you usually stop at the gym, where you usually park at the office, how often you leave the office for lunch, whether you usually stop at the grocery store on Wednesday or Thursday, and so forth.

Do you conduct business while in your car? Phone-call logs and hands-free messages that are sent through your car are recorded by the vehicle and sent to the manufacturer, which, at least in the US, can do what it wishes with that data. Some automakers that make vehicles that can record information about drivers in and around the car have even had employees accessing these recordings without any level of control. And what about when traveling? Do you use your work phone in the rental car? The same issue with your messages and call logs being collected applies to rental cars, and if you don’t clear your phone information before returning the rental car, that info is left on the infotainment system and could allow the next renter or a malicious actor to collect this information.

As organizations implement more security controls on existing applications, data resources, and devices, attackers are looking for the next target of opportunity, and the incredibly lax security that is found in most cars means that this is a new vector of potential compromise. Forrester’s recent report in the connected vehicle space, Digital Smash And Grabs: The Challenges With Securing Connected Vehicles, discusses this in more depth and provides some guidance on how you can start addressing these vulnerabilities. At a higher level, we need to demand more security and accountability from the automakers themselves to respect our privacy and protect these rolling computer networks.

Forrester clients, please reach out to schedule an inquiry or guidance session with me to understand and address any concerns you have about connected vehicles and their impact on your organization.