Some of the most significant technological advancements in recent years have developed in the automotive industry. The rapid rise of connected, autonomous, shared and electric (CASE) technologies continues to turn motor vehicles into veritable computing platforms and data-sharing powerhouses.
While these innovations offer significant advantages, their rise also comes with the downside of increased cyber risk through a widened attack surface. Threat actors increasingly set their sights on exploiting any weaknesses in this larger attack surface, particularly in areas such as connectivity, where security arguably hasn’t kept pace with change. This article provides insight into prominent automotive cybersecurity threats, recent examples of cyberattacks on automotive companies and tips for improving cybersecurity in line with technological changes (including information on complying with the FTC Safeguards Rule).
Automotive cyber threats can come from either physical or remote access, with the latter becoming more common as vehicle connectivity increases. White hat researchers regularly uncover these threats with proof-of-concept hacks that could be exploited in the wild. Black hat actors are now more common in the automotive sector than white hats, though, with 56.9% of attacks in 2021 being carried out by those with nefarious motives.
From an environmental standpoint, improvements in electric vehicle (EV) technology and increased consumer adoption of these cars greatly reduce pollution. However, recent research into the charging infrastructure that supports these electric vehicles has found serious security flaws that could slow down adoption.
On the face of it, plugging a car into a charger doesn’t sound like it could present a security risk. However, EV charging infrastructure involves the transfer of data between the car and the charging point. Furthermore, cellular IoT plays an increased role in connecting and orchestrating EV charging stations.
An incomplete understanding of risks and a lack of best practices or industry regulations leave charging infrastructure ripe for cyberattacks. Threats include fraud, remote manipulation, malware or even completely disabling entire ecosystems of charging points.
Some sources claim that the modern motor vehicle runs on more lines of code than a Boeing 787 Dreamliner. Infotainment systems significantly contribute to this code burden through software and firmware that provide a variety of useful functions to owners, including navigation, video players, USB connectivity, smartphone access and more.
Infotainment systems also provide a potential pathway to electronic control units (ECUs), where hackers can even take control of critical vehicle functions and endanger lives. Code vulnerabilities in infotainment systems continue to be uncovered, and as the software gets more sophisticated, hacks on infotainment systems will become more common.
Once reserved for the owners of luxury motor vehicles, wireless key fobs that facilitate keyless entry are now commonplace across many types of vehicles at multiple price levels. A continued security threat from keyless entry is vehicle theft by conducting man-in-the-middle attacks that intercept wireless traffic flows between the key fob and the vehicle.
Using specialized hardware that receives signals from wireless keys, criminals can intercept and relay messages between key fobs and vehicles. These relayed messages bypass authentication by tricking the two components (the key fob and the vehicle) into thinking they are beside each other. The criminals can then simply open the door and drive away.
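The relay described above forwards the key fob's answer unchanged, so a vehicle that only checks the cryptographic response cannot tell a relayed fob from a nearby one. As an added illustration (not part of the original article), the following Python model shows a vehicle-side check that also bounds the challenge-response round-trip time; the key, timing constants and function names are assumptions constructed for this example and do not describe any real vehicle.

```python
import hashlib
import hmac
import os

# Constructed values for illustration only (assumptions, not from any real system).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FOB_PROCESSING_NS = 2_000.0          # assumed fixed time the fob needs to answer
MAX_DISTANCE_M = 2.0                 # assumed radius within which unlocking is allowed
SLACK_NS = 50.0                      # assumed measurement tolerance
LIGHT_M_PER_NS = 0.299792458         # radio propagation speed


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """Key fob side: answer the vehicle's random challenge with an HMAC."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def rtt_budget_ns() -> float:
    """Longest round trip a fob inside MAX_DISTANCE_M could produce."""
    return FOB_PROCESSING_NS + 2 * MAX_DISTANCE_M / LIGHT_M_PER_NS + SLACK_NS


def vehicle_verify(key: bytes, challenge: bytes, response: bytes,
                   measured_rtt_ns: float, enforce_rtt: bool = True) -> str:
    """Vehicle side: check the answer and, optionally, how long it took."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return "reject: bad response"
    if enforce_rtt and measured_rtt_ns > rtt_budget_ns():
        return "reject: round trip too slow"
    return "unlock"


def simulate(distance_m: float, relay_delay_ns: float = 0.0,
             enforce_rtt: bool = True) -> str:
    """Model one unlock attempt; a relay adds distance and forwarding delay
    but passes the fob's bytes through unmodified."""
    challenge = os.urandom(16)
    response = fob_respond(SHARED_KEY, challenge)
    rtt = FOB_PROCESSING_NS + 2 * distance_m / LIGHT_M_PER_NS + relay_delay_ns
    return vehicle_verify(SHARED_KEY, challenge, response, rtt, enforce_rtt)


if __name__ == "__main__":
    print("fob at 1 m:", simulate(1.0))
    print("relayed from 30 m, no timing check:", simulate(30.0, 500.0, enforce_rtt=False))
    print("relayed from 30 m, timing check:", simulate(30.0, 500.0))
```

The model assumes the fob's processing time is fixed and known; a deployed system needs hardware that can measure time of flight at nanosecond resolution for the bound to be meaningful.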
Motor vehicles contain hundreds of components sourced from various suppliers. This complex supply chain is a significant source of cyber risk, with each component potentially providing an outlet to infiltrate internal systems, hijack vehicle controls or steal data. Threats include malicious updates pushed to connected motor vehicles, insiders deliberately compromising firmware, or malware hitting supplier operations and impacting OEM production capabilities.
While the operational technology side of automotive garners attention for its potential security weaknesses, automotive original equipment manufacturers (OEMs) still face significant threats from ransomware attacks on their IT systems. These attacks can spill over into operations, and, in some cases, cause expensive slowdowns in vehicle production.
Ransomware also poses threats to sensitive data, including consumer data and trade secrets stored on back-end servers and data centers. Companies that don’t cave in to ransom demands face the threat of having stolen information published on the dark web in double extortion ransomware attacks. Increased IT/OT convergence can result in threat actors moving from back-end IT systems to control systems from which they can instigate direct attacks on vehicles.
Here is a selection of real-world cybersecurity incidents that occurred in the last couple of years and include the above-mentioned threats:
Standards such as ISO/SAE 21434:2021 and Regulation 155 in the UN’s World Forum for Harmonization of Vehicle Regulations (WP.29) recently introduced important requirements and guidelines related to cybersecurity engineering as a foundation for common understanding throughout the motor vehicle supply chain. A critical element alluded to in both documents is the need for management of the supply chain.
Taking responsibility for supply chain security should include conducting due diligence and properly vetting all supplier parts and components. Make sure suppliers emphasize secure by design principles and adhere to security best practices.
While every party involved has a role to play in securing the supply chain ecosystem and minimizing cyber risks to vehicles, it’s the OEM that this responsibility ultimately comes back to. Accepting this responsibility fosters a cybersecurity culture that reduces risk through greater awareness and vetting of vendor risk.
Threat intelligence can prove a useful tool in fending off cyber threats. Threat feeds could be specifically tailored to the automotive sector for the best outcomes. These sources of threat intelligence must incorporate dark and deep web monitoring for stolen data and credentials.
Monitoring forums, social media and marketplaces can also help detect threats faster, whether these threats come from OEM or supply chain security vulnerabilities that hackers have uncovered and are targeting. Telematics data collected about vehicles is another good source of intelligence because anomalies can suggest in-progress attacks.
Perhaps the most important way to combat diverse and advanced automotive cybersecurity threats is to take a multi-layered approach to defense. This is important not only because of the CASE technologies that broaden attack surfaces, but also because the aforementioned regulations now require that each vehicle must be secured throughout its entire lifecycle.
A multi-layered approach uses endpoint and network detection and response tools and SIEM solutions, often as part of the toolkit in dedicated security operations centers (SOCs). Segmentation, zero trust, cloud security, data encryption and application security should also be a part of the equation with multi-layered defense.
Not only do OEMs and Tier 1 suppliers need to adopt this multi-layered approach, but also individual dealers and retailers – as evidenced by the recent push to comply with the updated FTC Safeguards Rule.
The FTC Safeguards Rule has been around for nearly 20 years, but recent amendments to the rule introduce more comprehensive controls and added complexity to automotive dealers’ security compliance processes.
Here are some helpful resources if you’re interested in learning more: