You can read the first part of our article Decentralized Automotive Data Economy: Tokenization, Protocols and Infrastructure here.
The growing role of data and connected features in cars is a double-edged sword. On one hand, they provide convenience and new opportunities. On the other hand, they make cars a target for hackers. A modern vehicle is essentially a “computer on wheels” filled with electronic systems and network interfaces. Like any computer, a car is vulnerable to cyberattacks, the consequences of which can be extremely dangerous.
First, scenarios of remote car hacking are real. If an attacker gains access to the vehicle’s internal network, they could theoretically take control of its functions. This may include disabling the brakes or altering sensor readings. Such attacks are no longer science fiction. In 2024, a group of researchers led by Sam Curry discovered a vulnerability in Kia’s online service that allowed remote control of certain functions in any Kia car manufactured after 2013. The same team also managed to remotely hack and track several Subaru models. These cases demonstrate that breaches in cloud services or mobile applications can allow attackers to infiltrate a vehicle. In such situations, not only the data but also the physical safety of the driver and passengers is at stake.
Second, cars are also exposed to more conventional cyber threats. Security experts describe a wide range of attacks on transport systems.
Remote network attacks: Modern vehicles have Bluetooth, Wi-Fi, and cellular modules and connect to the internet for updates or multimedia. If these interfaces are not properly secured, a hacker can find a way to connect to the onboard network remotely. For example, vulnerabilities in the firmware of a telematics module or infotainment system can provide access to the internal network.
Physical attacks via diagnostic ports: The standard OBD-II port allows service technicians to read data and reprogram modules. However, if an attacker gains physical access to it, they can install malware or change vehicle parameters. Internal vehicle buses, such as the well-known CAN bus that connects critical nodes like the engine, brakes, and transmission, were not originally designed with security or encryption in mind. By connecting through an unsecured port or via Bluetooth, an attacker can send fake commands.
Software vulnerabilities and malware: As with any software, the code of electronic control units may contain bugs. If discovered, these can be exploited to extract data or disrupt system operation. Malicious software can be introduced into a vehicle via an infected service computer or a compromised USB drive containing updates. This malware could take control of vehicle functions or encrypt data for ransom. With increasing connectivity, new threats have emerged, such as ransomware targeting cars and blocking key systems until a ransom is paid.
The significance of these risks is underscored by economics. According to VicOne, cyberattacks cost the global automotive industry 22.5 billion USD in annual losses. Approximately 20 billion USD of that is due to data breaches, such as leaks of personal information, travel routes, and more. Almost 2 billion USD is lost to system downtime caused by attacks, and over 500 million USD goes to direct ransom payments following ransomware infections. These figures highlight that data and system protection is a critical factor in building trust in automotive innovations. Tokens alone will not motivate users if there is a risk that their car could be hacked or their personal data could be stolen.
How can a decentralized data economy be built in light of such threats?
First, automakers and equipment manufacturers must adhere to the principle of “Security by Design” — security embedded from the design stage. Any communication interface, whether it is a car modem or an API for accessing telemetry, must have multilayer protection. Data encryption is a necessary standard. Everything transmitted from the car to external networks must be encrypted with modern cryptographic protocols to ensure that intercepted data is useless to attackers. Device authentication and authorization is another foundation. Only trusted devices and services should be allowed to access the vehicle and its data. For example, in the case of DIMO, telematics modules are certified and cryptographic keys are embedded in them, so the network only accepts data from genuine nodes.
Second, beyond basic security, decentralized networks strengthen protection with blockchain mechanisms. Recording data on a distributed ledger ensures that once transmitted, information becomes immutable and verifiable by all participants. Even if an attacker attempts to falsify uploaded data, such as altering odometer readings to digitally “roll back” mileage, they cannot do so without the consent of the majority of nodes. Blockchain guarantees data integrity and enables transparent auditing, allowing anyone to track which device sent which piece of telemetry and when. In addition, smart contracts that govern reward distribution operate automatically according to predefined rules, eliminating the human factor in fraudulent data payments.
Third, threat monitoring and response systems are being integrated into connected vehicles. The introduction of Intrusion Detection Systems (IDS) for vehicles is gaining popularity. An IDS monitors network traffic and commands within the car. If something unusual occurs, such as a brake disable command sent from the wrong module, the system reacts by alerting the driver or blocking the suspicious activity. In decentralized networks, IDS units can work collectively, sharing information about detected attacks so that other vehicles can also take precautions.
It is also important to consider the role of over-the-air (OTA) software updates and remote vehicle settings management. These functions are convenient because they allow manufacturers to fix bugs or improve vehicles without a dealer visit. However, they also pose risks. Intercepting an OTA update or breaching the Vehicle-to-Everything (V2X) channel can give a hacker control over multiple cars at once. Therefore, update delivery must be secured through encryption, digital signature verification of firmware, and access restrictions. Blockchain can also be used here. Manufacturers are exploring it to verify firmware authenticity by recording the hash of each software version on the ledger. The vehicle will only install an update if it finds a valid signature in the blockchain, which prevents the spread of counterfeit firmware.
Finally, regulators play an important role in security. Legislation is trying to keep pace with technology. Since 2022, the European Union has required all automakers to integrate cybersecurity measures into new models, including protection of communication channels and regular risk audits. The United States does not yet have unified mandatory standards, but there are NHTSA recommendations and strong pressure on companies to follow best practices voluntarily. For decentralized platforms, this means that entering the market is only possible with the highest level of trust in security. Projects such as DIMO or DTEC undergo multi-stage code and infrastructure audits. For example, after launching its token, DTEC was audited by CertiK and ranked among the top 50 most secure blockchain projects in the world. Independent cybersecurity audits are now a necessity for any Web3 automotive solution.
Privacy and Protection of User Data
Monetizing automotive data inevitably raises questions about privacy. Such data can be highly sensitive. It can reveal where a person lives and works, how often and where they travel, as well as aspects of their lifestyle and even personality through their driving style. For users to be willing to share this information, personal data protection must be guaranteed at every stage of processing.
First, as already noted, decentralized platforms are built on the principle of privacy by design. Data anonymization is a fundamental approach. No buyer receives raw data linked to a specific owner’s name or VIN. Instead, aggregated and anonymized pools are used. For example, a platform might collect annual fuel consumption data from 1,000 cars of the same class and sell only the averaged statistics. In such cases, personal identification through the sold data is impossible. DIMO explicitly states that no one can buy data from your specific vehicle or track you via GPS through their platform. Only large anonymous datasets are available. This solves the problem faced by some telematics startups in the past, where users feared they were “selling themselves” along with their data.
Second, flexible consent settings are important. The user can choose which categories of data to share and which to keep private. Someone might agree to share technical information about the engine but not location data, or vice versa. Web3 application interfaces usually provide fine-tuned privacy controls. Furthermore, users can set automatic rules, such as “do not track routes within 1 km of home.” These are known as “safe zones,” where geolocation data is temporarily not recorded. This allows the owner to maintain control over the boundaries of their private life even while using a shared data network.
Third, compliance with data protection laws is essential. Different markets have strict regulations, such as GDPR in Europe and CCPA in California. Decentralized platforms must comply just as traditional companies do. This includes transparent privacy policies, collecting only the data for which explicit consent has been given, allowing users to delete or download all of their data on request, and ensuring secure storage. In the Web3 model, some responsibility can be shifted to users, with their data stored locally or on personal devices while only hashes or anonymized tokens are stored on the blockchain. However, platform operators, such as non-profit organizations or decentralized autonomous organizations (DAOs) managing the protocol, still commit to following general norms.
When DIMO expands to new countries, such as its recent entry into Japan, it declares compliance with local privacy laws and adapts to the requirements of local automakers. This shows that even decentralized projects actively account for national regulatory standards, such as Japan’s PIPA or Europe’s GDPR, to build trust among users and partners.
One more question arises. Does blockchain contradict the right to be forgotten? Since data recorded in a distributed ledger remains there permanently, this is a valid concern. The solution in this field is to store not the raw personal data itself in the blockchain but its cryptographic hash or a link to it. The confidential information is stored off-chain in secure distributed storage, and the blockchain contains only proof of its existence or integrity. If a user requests deletion, the off-chain data is erased, making the blockchain reference meaningless. A hash on its own does not reveal personal information. This approach combines the advantages of ledger immutability with privacy requirements.
Balancing monetization and privacy is extremely delicate. The success of such platforms largely depends on convincing people that their data will not be leaked or misused. Technically, this is achieved through a combination of methods. These range from anonymization and aggregation to advanced cryptographic techniques like zero-knowledge proofs, which may eventually allow insights to be derived from data without revealing the data itself. For now, even simpler measures are sufficient to make users feel: “I control my data, and only I decide how to capitalize on it.”
