Two stories this week highlight some of the unexpected consequences of connecting your car to the internet. The first story concerns a Florida woman whose Ford vehicle, equipped with sensors and connected to the internet, automatically reported her hit and run crash to the police. According to ZDNet, “57-year-old woman Cathy Bernstein allegedly hit a truck before ploughing into a van on Prima Vista Boulevard, fleeing the scene after each collision. While Bernstein allegedly ran for the hills, her car had already recorded the crash and automatically contacted 911 after recording the time and date of the collision.”

Bernstein’s car had the 911 Assist feature enabled, a part of Ford’s SYNC technology, an in-vehicle communication and entertainment system. According to Ford, the feature is activated when an accident deploys a vehicle’s airbags or activates the emergency fuel pump shut-off. It then uses your Bluetooth-connected phone to call 911 and communicate the accident details and location, before initiating a voice call with the 911 operator. It is intended to help the victims of a crash who are unable to contact emergency services. In this case, when the voice call was initiated, the driver denied the accident but was later arrested based on this initial automated call. This unintended consequence of an internet-connected vehicle could curb hit-and-run incidents in the future as more drivers fear their car will ‘snitch’ on them. 

The second story involves a discount car tracking and immobilization gadget. The gadgets are intended to serve as hidden GPS devices that can track a vehicle’s location, record in-car conversations with a microphone and allow a user to remotely shut off the fuel supply, disabling the vehicle’s movement through an internet connection. Sold by a company called ThinkRace, these tracking devices are intended to be used in case of car theft or to simply track vehicle activity through a remote website. 

At the Kiwicon security conference in New Zealand, researcher Lachlan (skooch) Temple presented a vulnerability in the devices that could allow remote attackers to hijack the GPS tracker and use it to locate the vehicle, eavesdrop using the built-in microphones and disable the fuel supply. In a presentation entitled, “A Bitter Story of Aftermarket Vehicle Tracking & Control,” Temple said that session cookie vulnerabilities could allow cybercriminals to log into any of the units and take control of the device. "You just brute force everyone's account," Temple told Vulture South, "You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.”