5 questions to Nate Drier, Technical Lead, Red Team at Sophos

SDBR News: Of the 90 million vehicles (cars, trucks and buses) produced worldwide in 2024, 31.3 million were produced in China, or 34% of the global total. In France, BYDs, Xpeng, Beiking, and Hongqis are visible in the open. Regardless of the economic situation, you are warning of another danger. Which one?

Nate Drier: I think the danger with connected cars, especially ones produced in China, is the amount of telemetry they can collect, and ultimately who is securing that data. Think of a modern car – it has cameras and lidar sensors to detect all of its external surroundings. It can have internal cameras and microphones. It knows its own location via GPS, and can upload all the telemetry it collects via WiFi or LTE / Cell. It can record live video of your commute to work, the government buildings you pass along the way, and the conversation you’re having while driving. In addition, by plugging in your phone, you’re giving the car access to a whole new realm of data – your calls, messages, and contacts.

From here, there are really two questions to answer:

1. What is the auto manufacturer’s intent with all that data? Could they sell it, or mine it for their own gain? Could that auto-manufacturer’s own government force them to hand over the data?

2. Does that auto manufacturer do an adequate job of securing the data they collect, or could threat actors obtain it?

SDBR News: Why do you say that the personal data of Chinese vehicle users is likely to be compromised? Can you give us a concrete explanation of the possible compromise scheme?

Nate Drier: You plug your phone into a car, and click the ‘trust’ button so your phone can work in hands-free mode with the car’s infotainment. The car’s onboard computer can now read your contacts, your text messages, and more. It uploads it to the car manufacturer's cloud environment – which is either then sold or transferred to third parties, or the cloud environment gets hacked and the users’ personal data is obtained by hackers.

Specifically for Chinese-made vehicles, Chinese law requires that the data be stored within the country's borders, and that its government be granted broad access to it.

SDBR News: I have a German car with an on-board communication system connected to my Smartphone. So am I also at risk of compromising my data?

Nate Drier: The regulatory landscape in Germany differs from China in a few ways (thanks to GDPR), so there is less risk of a government forcing an auto manufacturer to hand over data. However, that German car can still collect lots of data about its surroundings and passengers, upload it to a location with security vulnerabilities, and then be accessed by hackers.

SDBR News: What is the antidote? Don't buy Chinese, don't buy electric vehicles anymore or, more broadly, don't connect your Smartphone elsewhere than at home on a trusted Wi-Fi?

Nate Drier: Your phone contains a treasure trove of information about you. The best antidote here is to be careful where you sync it to. More broadly, I think awareness of how we share our data is key. Know that there are endless gadgets in our life that collect data on us – phones, cars, smart-home gear, computers, etc. Know that in using these things, we agree for those companies to use/access our data. They can be good stewards of that information – keep it secure, or they can transfer / sell it to third parties, or leave it unsecured so it gets hacked. There is some level of trust that they will do the right thing, but history shows us that’s not always the case. Therefore, we can take some of the responsibility to be careful how we share our data in the first place. Of course, we like all the comforts that modern cars and phones provide, but that comes with the potential risk to your personal data.

SDBR News: What is the role of the “Sophos Red Team”?

Nate Drier: We provide offensive security testing services, which aim to find vulnerabilities in systems before hackers do. This includes things from corporate computer networks and web applications, to medical devices and autonomous vehicles.


About Sophos

Sophos is an innovative global leader in advanced security solutions that neutralize cyberattacks. The company acquired Secureworks in February 2025, bringing together two pioneers who redefined the cybersecurity industry with their innovative services, technologies and products, powered by native artificial intelligence. Sophos is headquartered in Oxford, UK.

For more information, visit www.sophos.com/fr