BMW and Samsung Galaxy Gear
The BMW i3's air conditioning and heater can be pre-set remotely using the Samsung Galaxy Gear smartwatch. (BMW)

The threat to internet-connected cars is no different to that of web browsers - only with much more serious consequences, warns an API and data security expert.

Never have the worlds of motoring and technology been closer than when car manufacturers used the Consumer Electronics Show to announce a whole range of smart car features tapping into the Internet of Things, but rampant development could see major security concerns overlooked.

Speaking to IBTimes UK, Mark O'Neill, vice president of innovation at software company Axway, said: "I think we are going to see more malicious attacks [on connected vehicles]. If someone finds a vulnerability in an internet-enabled car you could have the same situation that you have now for browsers."

As BMW, Mercedes, Ford and others start to pack up their stands at the CES technology trade show in Las Vegas, they must start to tackle problems of legislation, privacy, data theft and zero-day software exploits.

O'Neill added: "I think the privacy legislation will have to be updated to deal with scenarios - by its very nature a car can travel between jurisdictions - to at least align that with law across jurisdictions will be important."

With a background in API (application programming interface) management - essentially how devices like smartphones communicate and share information with services like apps and social networks - O'Neill likened a potential hack of connected car software to a recent flaw discovered in the Snapchat photo-sharing app.

Due to an API which could be used to search Snapchat's database of usernames and phone numbers, the names and numbers of 4.6 million users were 'scalped' from its servers and published online. The company eventually apologised, but no doubt after consumer confidence had taken a hit.

Zero day exploits

"If someone finds a zero day [previously unknown] attack that can remotely unlock a car, you could see people paying a lot of money for that - there could become a market for zero day attacks on cars.

"It will become a situation where - look at Snapchat for example - that attack on their API was well publicised and that will have reduced confidence."


At the Consumer Electronics Show, BMW announced a partnership with Samsung's Galaxy Gear smartwatch, whereby the wearer can remotely tell their car to switch its heating on, so the cabin is warm before they leave the house. O'Neill warns that such an interaction between devices - and via the internet - could be hijacked and abused.

"In the US with the cold weather at the moment you can see the advantage of remotely putting the heating on. That's all through API, so if you could monitor that information it doesn't take much imagination to think of the abuse this could cause," O'Neill said.

The data expert said this form of hacking is "exactly like" the hacking of traditional remote car keys, which can be scanned and have their frequencies uploaded to another key, giving a thief access to the car - but because unlocking cars from smartwatches is done via the internet, the hacker no longer needs to be close by.