Volvo and Audi are trialling the delivery of online purchases direct to their customers' vehicles, by handing delivery companies location tracking data and a one-time digital code to access shoppers' cars.
Volvo today revealed it has partnered with an online grocery retailer, an online toy and baby retailer and the PostNord delivery company in Gothenburg, Sweden to test the service, which is currently only available to subscribers of Volvo's 'on-call' service in the city.
The company plans to extend the service to other areas of Sweden and other countries in the future, as well as partnering with more online retailers following positive feedback from the trial.
"Volvo is not interested in technology for the sake of technology. If a technology does not make a customer's life easier, better, safer or more fun, we don't use it," Volvo CIO Klas Bendrik said in a statement.
The car maker is reportedly working with insurance companies to ensure the deliveries are covered if something goes wrong.
Audi started testing a similar scheme in May in Munich, Germany. It partnered with delivery company DHL to deliver Amazon Prime packages to Audi vehicles.
The process for the Volvo and Audi services appears similar: customers select in-car delivery at checkout and either agree to location tracking for a set delivery window on the delivery day, or provide an approximate location of where their car will be within a one-hour window on the delivery day.
The driver for the logistics company is given a one-time digital access key that opens the boot so the products can be delivered. The code expires either when the boot lid is shut, or at the end of the delivery window.
Is it secure?
But in-car software is notoriously insecure, and security researchers are questioning whether car makers can guarantee the safety of vehicles owned by customers that sign up to the scheme.
HackLabs director Chris Gatford said customers would likely flock to the service whether or not it contained security vulnerabilities.
"It's extremely rich for attack," Gatford said.
"You've got the mobile application, the authentication mechanism, how the digital keys are being delivered, the web applications themselves - this is a very extensive attack surface, and I'm sure attackers will be interested in having a look at it."
He said car manufacturers didn't have the best track record when it comes to performing security assessments on in-car software.
"In recent times we've seen some severe information security vulnerabilities in cars that allow people to remotely control them," he said.
"When you've designed a function specifically for allowing third parties to access your car, other than the social problems - cars being accidentally left open, abuse by third parties - the technical issues are probably quite extensive.
"I haven't seen [Volvo and Audi] engage with the information security industry, and that's not to say they haven't done extensive security testing given the risk, but it never ceases to amaze me the types of things organisations skim over when rushing to market with new features."
Volvo has been contacted for detail on its approach to IT security, including whether it encourages vulnerability reporting by external parties or engages in third-party audits of its software.
Security researcher Troy Hunt said the service had the potential to be secured well, but its online nature opened up the potential for abuse.
He said the remote hack of a Jeep earlier this year demonstrated that car manufacturers needed to apply the same rigour to securing their products as consumers have come to expect elsewhere.
"Whether it's cars or the internet of things, are manufacturers focused on selling the product more than securing it? That's going to be the concern," Hunt said.
"It's worth noting car manufacturers are starting to take security more seriously - Jeep jumped on top of [its breach] quickly. The industry is aware that they need to take it seriously, but I think we are going to go through a bunch of these issues initially."
PwC cyber security director Wouter Veugelen said attack vectors existed in both the mobile applications used to open the car boot and the IT infrastructure supporting connectivity between the app and car software.
"As organisations aim to get their products to the market before competitors, a lot of them adopt agile methodologies for software development, and not necessarily providing cyber security the correct level of consideration throughout the process," Veugelen said.
"Given the impact cyber security vulnerabilities in cars can cause goes beyond monetary, financial and/or reputational impact, these security vulnerabilities can result in the loss of lives as well.
"The events that made the headlines the past year on car hacking should be an incentive to car manufacturers to give cyber security risk management the appropriate consideration."