Not Sure Your Car Withstands Cyberwarfare

TL;DR

This paper evaluates the privacy policies of BMW and Mercedes to assess their compliance with GDPR, revealing significant gaps that could threaten driver data security in cyberwarfare scenarios.

Contribution

It provides an analysis of automakers' privacy policies against GDPR standards, highlighting compliance gaps and potential security risks for modern vehicles.

Findings

Both brands are imprecise about GDPR compliance.

BMW shows slightly better compliance than Mercedes.

Potential for cars to be used against drivers in cyberwarfare.

Abstract

Data and derived information about target victims has always been key for successful attacks, both during historical wars and modern cyber wars. Ours turns out to be an era in which modern cars generate a plethora of data about their drivers, and such data could be extremely attractive for offenders. This paper seeks to assess how well modern cars protect their drivers' data. It pursues its goal at a requirement level by analysing the gaps of the privacy policies of chief automakers such as BMW and Mercedes with respect to the General Data Protection Regulation (GDPR). It is found that both brands are still imprecise about how they comply with a number of GDPR articles, hence compliance often results non-verifiable. Most importantly, while BMW exhibits slightly broader compliance, both brands still fail to comply with a number of relevant articles of the regulation. An interpretation of these findings is a non-negligible likelihood that your car may turn against you should cyberwarfare break out.