Concerns as rise of connected cars coincides with sharp increase in cyber attacks

Cyber attacks on connected cars rose by 700 per cent between 2010 and 2019, according to new analysis, prompting experts to warn that drivers should clear all personal data from their cars before selling them.

Some 67 per cent of new cars registered in the UK are ‘connected’, meaning they transmit data to their manufacturer via the internet. By 2026, it’s thought that every single new car will be connected, according to research by energy comparison site Uswitch.

The 700 per cent rise in cyber attacks on connected cars is shown by data from security firm Upstream. In its most recent report on the subject, the company analysed 367 global data-breach incidents between 2010 and 2019 involving cars, 155 of which took place in 2019 alone - a growth of 99 per cent over the previous year.

One incident in October 2019 saw a mobile phone app Mercedes drivers could use to locate and unlock their cars sometimes showed other people’s accounts and vehicle information. The previous month, thieves were caught on camera stealing a Tesla in under 30 seconds using a keyless entry hack. July 2019 saw an exposed database at Honda allowing anyone to see which of its systems had security vulnerabilities, risking 134 million rows of employee data.

Earlier in the year, Toyota suffered two separate cyber attacks in the space of five weeks, with the offenders accessing servers that held sales information related to 3.1 million customers.

Uswitch advises drivers not to trust their cars with too much personal information, and to use a physical security measure to prevent vehicle theft, such as a steering-wheel lock. Motorists are also reminded to ensure the software in their cars is up to date, keep keyless fobs in a Faraday pouch, and clear all personal data from a car before selling it.

Uswitch spoke to Jonathon O’Mara, a cybersecurity expert working for CompareMyVPN. He said: “Even if basic privacy measures were put in place, we feel anonymised data can be easily matched with other elements to break down any attempts to promote user privacy.

“In addition, the car companies themselves can now collect huge swathes of rich personal data - mainly location-based and habitual movements. However, this also covers connected device activity such as calls made, messages and phone numbers, which for privacy-concerned individuals is quite alarming.”

O’Mara called on regulators and cybersecurity firms to “ensure that connected car data is encrypted end-to-end to reduce any threat from a third party”, as well as to monitor what data is actually stored and kept.

Find out what car brands are doing to stop keyless car crime here...