British carmaker MG is now owned by the Chinese state, and its cars are communicating with a Chinese server owned by technology giant Tencent. That is revealed in a joint investigation between Swedish car magazine Vi Bilägare and IT security students at KTH Royal Institute of Technology in Stockholm.
The students have performed a so-called “man in the middle” (MITM) attack on five different cars owned by Vi Bilägare.
“The goal was to see how much data was being sent, and where it all goes”, says IT security student Jacob Ingers who took part in the investigation.
One of the cars was the MG Marvel R, an electric SUV manufactured and sold by Shanghai Automotive Industry Corporation (SAIC), a state-owned automobile manufacturer with headquarters in Shanghai. The MG Marvel R was in constant communication with a Tencent-owned server during the tests.
Not illegal, but questionable
Sending data to a Chinese server is by no means illegal in itself, but it raises some important questions, especially since the carmaker is owned by the Chinese state.
Personal data of European citizens has to be stored on servers located inside of the EU, according to the GDPR legislation. There are exceptions, but they are few and Chinese servers are not approved for storing personal data of EU citizens even with these exceptions.
MG claims not to send any personal data to Chinese servers. Instead, the company says that a previous version of the music app – developed by Amazon – inside the car’s infotainment system sends “log data” to the Tencent-owned server when the music app crashes. That is done by a bug-reporting service called Bugly, which has been removed in newer versions of the car’s software.
The problem is that the music app never crashed even once during our tests, but the car was nonetheless sending log data to the Chinese server. When we confront MG with these findings, the company’s data security officer, Asmus Eggert, tells us that the bug reporting component is performing a “checkup” every once in a while.
“It is a status log that is being sent and it is being used to analyse when the app crashes. But it is continuously sending data even though the app has not crashed. It is not a secret or hidden component”, he says.
According to MG, no personal data – for example GPS position or the user’s email address – is being included in the status messages sent to the Chinese servers. But that was not possible to verify during our tests.
In addition to the Tencent-owned server, the MG also sends data to Amazon’s datacenters around Europe, as did the other cars that were investigated. The Seat Leon communicated with as many as 158 different IP addresses during our relatively brief test period.
Different view of “personal data”
Our investigation also reveals that the Nissan Qashqai and the Seat Leon are sending data to the USA. Again, that is not illegal in itself, but if personal data is being transferred it is a breach of the GDPR legislation, which can result in extremely high penalties for the carmakers.
Both Nissan and Seat insist that no personal data is being sent to American servers. However, the investigation couldn’t confirm that claim. Also, a relatively recent judgement claims that a company can in fact be in breach of GDPR legislation even if it is keeping the data within the EU – if the data can be viewed or processed by a company that is registered outside of the EU.
Swedish GDPR expert Joakim Söderberg also questions the common view of what carmakers describe as “personal data”. According to him, almost every piece of data that is sent from the car can be classed as personal data.
“In each car, there is a unique pattern which is different to the pattern in other cars. If you could identify a single car, you could also identify a single car owner”, he says.
With that interpretation, the methods used by MG, Seat, Nissan and also Tesla could possibly be classed as illegal.
Even though the cars are sending lots of data to a large number of different servers, at least it is encrypted.
“All data was encrypted and with a very solid method. It is unreasonable to think that anyone could crack that encryption. We couldn’t do it”, says IT student Jacob Ingers.
New cars can quickly collect several gigabytes of data. But the carmakers don’t always have the car owners’ interests in mind when designing these services.
“This is a phenomenon we can expect to see more of in the future, and it is clearly worrisome. There are large financial incentives to use all these data in different ways, for example to sell it. As a car owner, you really have to ask yourself if it is worth it”, says Pontus Johnson, professor at KTH and responsible for the institute’s new research center in IT security.
However, to simply “pull the plug” and drive around in a disconnected car may not be a great solution. One example is that the navigation system might stop working, making it much more difficult for EV drivers to plan a longer trip with no information about which chargers to use and whether they are occupied or not.
“These services come at a high price”, says Pontus Johnson.
- New cars are collecting huge amounts of data while being driven. A number of sensors are constantly providing information which the car’s central communications device is then sending to different servers for processing.
- The car can for instance know whether a door is open, where the car is positioned, how fast the car is being driven and who the driver is calling.
- New technologies like connected apps, keyless start and real-time traffic information are not only adding convenience for the driver. They can also be a point of attack for hackers, and car owners have no easy way of knowing whether the data is being processed in a way that safeguards the driver’s privacy.
- If carmakers in the future figure out ways to monetise these data, they will certainly make their shareholders happy. According to a report by McKinsey, carmakers stand to make between 140 and 670 euros per car in data sales in the future.
- For a larger carmaker, that amounts to billions in revenue – an important aspect when margins on selling new cars are slim and since electric cars will need less servicing than cars with internal combustion engines.