Global cyber-attack raises questions about connected car security

15 May 2017

The global cyber-attack that hit many computer systems around the world on 12 May will increase calls for secure servers when connected cars start transmitting data back to vehicle manufacturers. 

As vehicles become more connected, and autonomous vehicles start to build towards their inevitable release on European roads with trials taking place across the continent, there is a constant worry about cyber security and how the industry will keep data mined from vehicles, including personal data, secure.  

The automotive industry was hit by the attack, which saw hackers trick companies into opening emails with malicious software embedded in. This encrypted key files on computers with a demand for payment in internet currency Bitcoin demanded to release the encryption. French manufacturer Renault halted production at a number of its sites in the country due to the attack, while Nissan’s plant in Sunderland was also affected. 

Representatives at Renault’s Sandouville plant, in northern France, told French media on Saturday that production had been halted there. The Renault Trafic van and variants for other automakers are produced at the factory. The Sandouville representatives said that disruption would be minimal, as no full production was planned for the weekend. 

A work stoppage was also reported at Renault’s facility in Novo Mesto, Slovenia, which produces the Renault Twingo and Clio small cars, while Renault-owned Dacia said on Saturday some of its production in Romania had been hit. 

Renault has now resumed production, the company announcing on 15 May that it had begun work again at 90% of its factories in France and Romania.  

Meanwhile a spokesperson for Nissan commented: ′Like many organisations around the world, some Nissan entities were recently targeted by a ransomware attack. Our teams are responding accordingly and there has been no major impact on our business.’ 

While a secondary attack has so far failed to materialise despite warnings, the apparent ease of hackers to get malware installed on systems is sure to raise fears that more security is required when it comes to manufacturer servers that store and control data from connected cars. There is also the question of how secure security systems that control autonomous vehicles in the future could be. 

Maik Boeres, head of future mobility at BMW AG, recently spoke about security surrounding vehicle data at the SMMT Connected conference in London. He said: ′There is a lot of data that will be generated with automated vehicles. Manufacturers in both the German and European associations have created what we call the ′OEM extended vehicle back-end’, which we are all implementing, and this means we take the data from the vehicle, store it on a secure web-based server and give it to selected parties. It is up to us to look after that cloud of data, so we need to install and maintain secure systems on the transfer line. It is then up to the manufacturer to keep that security updated and therefore liability falls to us too.’ 

Discussing the potential for private data being stolen under the hack, Ravi Pather, senior vice president of eperi, a cloud-data protection service, comments: ′Global enterprises are deploying cloud-based architectures. This presents significant challenges to protect Personal identifiable information (PII). The UK and Europe going through a much needed new focus on the protection of PII and sensitive data being driven by a pre-Brexit European Regulation (not a directive) known as GDPR (General Data Protection Regulation) which will become law by May 25, 2018. ″¯Even post- Brexit, the raised standards of GDPR will mean it will be fully implemented in the UK in order to do business in Europe. 

′Instructions for GDPR were issued over a year ago and organisations were given two years to implement it by 25 May, 2018. ″¯This means that organisations – also known as data Controllers under GDPR – have to be in full flight now to be live by the deadline date.’ 

The ability to access such data and encrypt it to hold companies to ransom may have resulted in the delay of some vehicles being built, but with millions of cars due to transmit data over the next few decades, a larger amount of private information could give hackers the opportunity to hold more people to ransom. Manufacturers need to ensure that they learn from the attacks across Europe in May, and make sure their systems will prevent such exploitation in the future.