Shopping, Banking from Car Dashboards Opens Door to Identity Theft
Hackers can already take control of a car. And as vehicles become rolling shopping malls, cybercriminals will have an opportunity to snatch your identity, too.
Eager for a cut of drivers’ purchases of fast food, gas and more, automakers have big plans to bring e-commerce to the dashboard. Ford Motor Co. already has an app that lets drivers dictate an order to Domino’s Pizza using voice controls and a smartphone. General Motors Co. this year began offering AtYourService, which alerts drivers to deals at Dunkin’ Donuts or lets them book a hotel room on Priceline.com using voice commands. By 2020, as many as 40 percent of new vehicles sold worldwide will let drivers shop from behind the wheel, predicts Thilo Koslowski, vice president of the auto practice at Gartner.
Connected cars present a rich target, akin to retailers or banks, where hackers can troll for credit card numbers, home addresses, e-mail information and all the other personal details required for identity theft.
“Today the motivation for hacking a car is mischief, with an objective of hurting people or car companies,” Koslowski said. Once drivers can shop with impunity as they roll down the highway, “the car will definitely be viewed as a vulnerable device.”
Most cars sold today lack the technology for drivers to pay for items they purchase (unless they use a smartphone). But by 2022, 82.5 million autos worldwide will be connected to the Internet, more than triple the number now, according to researcher IHS Automotive. In the next two to five years, “buy buttons” connected to smartphone mobile wallets will start appearing on dashboards, according to Richard Crone, who runs payment adviser Crone Consulting LLC. That means motorists will soon be able to buy a pizza, fill up the tank or preorder a half caf skinny macchiato from Starbucks without pulling out their phone.
Banks and credit card companies are looking to pile in. Visa has developed an app for the dashboard or smartphone that enables the car to automatically purchase gasoline, parking and fast food. Commercial deployments will be announced in the next three to six months. FIS, a payment technology company, is developing a banking app for cars that will let drivers pay bills or check balances.
Commuters want to be constantly connected, and shopping from the steering wheel is the next logical step, said Phil Abram, chief infotainment officer of GM’s OnStar system, a blue button on the rearview mirror that links drivers to a live attendant.
“Over 3 million times a year, somebody pushes the blue button in a car and asks for directions to a hotel or to ask ‘Where is a coffee shop or gas station?”‘ Abram said in an interview. “The roots of this are in what customers want.”
But automakers this summer have proven easy targets for hackers. Two security experts hacked into a Jeep Cherokee’s infotainment system in July to take control of the engine and transmission as an 18-wheeler was bearing down on it. OnStar also was hacked when a security researcher used a small device hidden on a 2013 Chevrolet Volt to take control of GM’s RemoteLink app, which allowed him to unlock the car and start its engine.
“This has been a bit of a blind spot for automakers,” Mark Boyadjis, a technology analyst for IHS, said of cars’ vulnerability to hacking.
The Jeep hack forced parent company Fiat Chrysler Automobiles NV to recall 1.4 million vehicles and ask wireless partner Sprint Corp. to issue a temporary fix over its network. GM worked with the “white hat” hacker to come up with a software patch for RemoteLink within 24 hours, Abram said. Early services like Ford’s Domino’s app don’t put a driver’s credit card information at risk because that data is stored in the smartphone, the automaker said. Visa’s in-car payments will use a randomly generated digital “token” rather than the credit card number.
Hackers bent on identity theft are expected to infiltrate cars through the entertainment portal, as the Jeep hackers did, or market malicious apps that appear harmless or even helpful, but actually steal personal information. Opening the dashboard to apps from third parties will invite thieves along for the ride, said Ryan Smith, chief scientist for Optiv, a cybersecurity company that consults with automakers.
“When payment systems come online inside of cars, it will be an attack surface that attackers will start looking at and poking at,” said Smith, who has worked with Charlie Miller and Chris Valasek, the men behind the Jeep hack. “You’re going to see the entire spectrum of fraud inside these vehicles.”