Taking security out for a drive

Maintaining a meaningful security stance as new technology arrives can be a big ask, especially when the convenience and utility outweighs the concern for information safekeeping.

Consider this: do your users access sensitive data on their smartphones and tablets? And connect the devices to their cars with Bluetooth?

If the answer to the first question is “yes”, and that would be true for many organisations, you may want to check how securely your employees’ cars handle the feature.

This was literally driven home to me recently when I started driving a car that had formerly belonged to a lawyer at a large firm who had connected a phone to the vehicle for hands-free operation.

When trying to pair my device, the onboard computer notified me that the previous driver’s phone was still registered with the car, along with those of three previous drivers.

A quick read of the manual revealed that the Bluetooth connection kit made a copy of the phone’s contacts and stored them in the car’s system. In other words, the car contained the contact books of four previous owners, and possibly more.

Although it’s convenient and easy to set up and use, a security-minded admin would immediately wonder what authentication protocols the system had in place to ensure nobody else, apart from the holder of the data, could access the relevant stored information.

The manual provided no insight as to how the data was stored or encrypted. Given authentication was as simple as a car key and an initial pairing, security probably wasn’t high on the priority list when the system was developed.

You may have a mobile device management policy that enforces lockscreens for users, long passphrases and encrypted, partitioned smartphones to protect the data stored on them in case of loss or theft, but all of those measures are defeated when a user connects to a hands-free kit and the data is siphoned off to the car.

You can nuke their lost and stolen devices from orbit but not remotely erase the device data stored in their vehicle.

There’s potential for data to be leaked at each service and you can’t really ask your users (or company fleet managers) to reset the onboard computer each time the car isn’t with them - and restore the settings when it’s back.

Even if the registered phones are erased, it’s not clear that the system does this securely, and that it actually deletes all the data.

Plugging this potential leak by being a security sadsack that bans users from hands-free Bluetooth car kits or disables their use isn’t going to go down well, but the other option is to find systems that are secure, certified and installed on your users’ vehicles and well… good luck with that.

This type of risk is not the first of its kind, and it won’t be the last. However, it shows that you need to be aware of how your users interact with the technology at their disposal and mitigate the risks accordingly - if possible, that is. Sometimes convenience will win out.