Key Takeaways from Upstream’s 2024 Automotive Cybersecurity Report

Upstream’s annual Automotive Cybersecurity Report reaches its sixth year of publication in 2024. With the full report stretching to 138 pages, you might not have time to read the whole thing in depth. This blog post presents some of the key takeaways from the report, along with our thoughts.

A Cybersecurity Inflection Point 

The report starts by stating that automotive cybersecurity has reached a turning point. Cyberattacks on automotive companies are now evolving toward large-scale, high-impact incidents that endanger safety and disrupt operations. Previously, attacks on automotive companies were more focused on experimental hacking and isolated incidents that affected single systems.

One statistic in the report marks this inflection point clearly: high-impact or massive incidents doubled from 2022 to 2023. Research elsewhere suggests German companies face the bulk of these attacks, with U.S.-based automotive companies not far behind. One such incident in 2023 saw automotive supplier Gentex hit by a ransomware attack that leaked five terabytes of data.

What is driving the automotive threat landscape to this concerning inflection point? Chapter three of the report offers some answers, highlighting an increasingly diverse set of attack vectors, including API-based attacks and attacks on EV charging infrastructure.

Infotainment systems continue to pose problems; in 2023, for example, Ford’s Sync3 infotainment system was found to have a buffer overflow vulnerability that could allow remote code execution. Compounding the problem is the increased technical prowess of modern ransomware gangs and other threat actors.

Aside from the growing diversity of attack vectors, it’s important not to overlook increased vehicle connectivity as a factor driving higher-impact and larger-scale cyberattacks. Modern vehicles can have over 100 electronic control units (ECUs) interconnected through in-vehicle networks such as the Controller Area Network (CAN), and they increasingly connect with each other via vehicle-to-vehicle (V2V) communication and with infrastructure (vehicle-to-infrastructure, or V2I). Upstream’s report also alludes to hacks of OEM backend servers that collect telematics data. All of this connectivity has a lot of upside, but the downside is that every new link is also a path an attacker can take, which is a large part of what has pushed the threat landscape to this inflection point.

Rising Cost of Automotive Cyberattacks 

The report calls out the rising cost of automotive cyberattacks and, alongside industry-wide figures, presents estimated costs for specific incidents. The granular breakdown of the financial impact of a single incident is eye-opening. For example, in March 2023, French security researchers demonstrated a time-of-check-to-time-of-use (TOCTTOU) attack on an EV OEM’s gateway system during a hacking contest, allowing them to remotely open the trunk or doors while the car was moving, despite the OEM’s claims that this was impossible. The researchers were rewarded with an EV and $100,000, and the OEM is working on software patches to fix the vulnerability via over-the-air updates. Here are the financial implications the report lays out:

  1. Recalls or Over-the-Air (OTA) updates: The software patches the OEM is developing will be pushed to cars via OTA updates, at an estimated cost of $1.25M to $2M.
  2. Vehicle theft: The researchers claimed the exploit could have given them access to vehicle controls, potentially enabling vehicle theft. Estimated costs from this type of exploit range from $5.25M to $26.25M, assuming 0.01% to 0.05% of the fleet is affected at $15,000 per vehicle.
  3. Legal and regulatory fines: The exploit could lead to class-action lawsuits if 0.5% to 1% of the fleet experiences temporary battery damage, with an estimated $11M to $21.5M in litigation and settlement costs.

Adding these up, total costs for this one incident range from $17.5M to $49.75M.
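The TOCTTOU bug class named above is worth seeing in code, because the pattern is easy to write and easy to miss in review. The following is an added example and not Upstream's material, the OEM's gateway firmware, or the contest exploit: a toy command gateway that must only act on "body" commands (unlock doors, open trunk) while the car is stationary. The vehicle-state model, the command names and the "no body commands while moving" policy are assumptions made for the illustration. The vulnerable handler checks the speed and then acts, leaving a window in which a concurrent writer can change the state; the hardened handler performs the check and the action inside one critical section, so a writer that arrives in the window is held off until the action has completed against the state that was checked.

```python
"""Toy vehicle command gateway showing a time-of-check-to-time-of-use (TOCTTOU)
race and the fix: do the check and the action in one critical section.

Constructed illustration only. The state model, the 'no body commands while
moving' policy and the command names are assumptions made for this example;
none of it is taken from the gateway or the contest exploit discussed above.
"""
import threading
from contextlib import contextmanager


class VehicleState:
    """Shared state written by the vehicle side, read by the gateway."""

    def __init__(self, speed_kph: float = 0.0) -> None:
        # RLock: the gateway reads again while holding the lock across check+use.
        self._lock = threading.RLock()
        self._speed = speed_kph

    def set_speed(self, speed_kph: float) -> None:
        with self._lock:
            self._speed = speed_kph

    def read_speed(self) -> float:
        with self._lock:
            return self._speed

    @contextmanager
    def held(self):
        """Hold the state lock so no writer can change it between check and use."""
        with self._lock:
            yield self


# Hypothetical safety policy: body commands only while the car is stationary.
BODY_COMMANDS = {"unlock_doors", "open_trunk"}


def policy_allows(cmd: str, speed_kph: float) -> bool:
    if cmd in BODY_COMMANDS:
        return speed_kph == 0.0
    return False  # deny anything the policy does not know


class Actuator:
    """Records what was actuated and the vehicle speed at the moment of use."""

    def __init__(self) -> None:
        self.log = []  # list of (command, speed_at_use)

    def actuate(self, cmd: str, speed_at_use: float) -> str:
        self.log.append((cmd, speed_at_use))
        return "executed"


def handle_vulnerable(state, actuator, cmd, in_window=lambda: None) -> str:
    """Check, then use, with nothing stopping the state from changing in between."""
    if not policy_allows(cmd, state.read_speed()):       # time of check
        return "rejected"
    in_window()                                           # the race window
    return actuator.actuate(cmd, state.read_speed())      # time of use


def handle_hardened(state, actuator, cmd, in_window=lambda: None) -> str:
    """Check and use inside one critical section: a writer that arrives in the
    window blocks until the action has completed against the checked state."""
    with state.held():
        if not policy_allows(cmd, state.read_speed()):
            return "rejected"
        in_window()                                       # writer blocks here
        return actuator.actuate(cmd, state.read_speed())


def race(handler) -> tuple:
    """Drive `handler` with a concurrent writer that tries to set 80 km/h inside
    the check/use window. Returns (result, speed seen at use, final speed)."""
    state = VehicleState(speed_kph=0.0)
    actuator = Actuator()
    writer = threading.Thread(target=state.set_speed, args=(80.0,))

    def in_window() -> None:
        writer.start()
        # Returns at once if the lock is free (vulnerable path); times out
        # while the gateway still holds the lock (hardened path).
        writer.join(timeout=0.2)

    result = handler(state, actuator, "unlock_doors", in_window)
    if writer.ident is not None:   # the writer only starts if the check passed
        writer.join()
    speed_at_use = actuator.log[-1][1] if actuator.log else None
    return result, speed_at_use, state.read_speed()


if __name__ == "__main__":
    print("vulnerable:", race(handle_vulnerable))   # ('executed', 80.0, 80.0): doors unlocked at 80 km/h
    print("hardened:  ", race(handle_hardened))     # ('executed', 0.0, 80.0): unlocked at 0, speed change lands after
```

The property the hardened version restores is that the decision and the action are taken against the same state. Where the action cannot be performed under the lock (for example, when it is an asynchronous message to another ECU), the alternative is to bind the decision to a state version or sequence number and have the consumer re-validate against the current state before acting; either way, a check whose result can go stale before use is not a check.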

Looking at larger trends, the report’s data show ransomware costs in the automotive sector exploding from $74.7 million to $209.6 million by the first half of 2023. The cost of system downtime caused by cyberattacks rose to $1.99 billion in 2023, up from $1.3 billion in 2021.

2024 Predictions 

The final part of the report outlines some general predictions for automotive cybersecurity in 2024. It’s probably no surprise that generative AI gets a mention, but the angle here is that it’ll prove to be a double-edged sword. On the one hand, these models can help automate workflows and generate complex insights from data. On the other hand, threat actors will weaponize them to quickly identify vulnerabilities and perform fleet-wide attacks.  

Another interesting point concerns compliance and regulatory fatigue. With many new and complex cybersecurity regulations and standards being introduced in different parts of the world, companies face a regulatory environment that will prove increasingly challenging to navigate.

Going beyond the predictions in the report, we expect a greater focus on securing components at every level of the supply chain and on secure-by-design practices that mitigate risk from the outset. Closer collaboration between suppliers and manufacturers will be essential, possibly through shared platforms for threat intelligence and vulnerability disclosure.

Deep and Dark Web Threats 

The report devotes an entire section to deep and dark web threats, where researchers found a 156% increase in deep and dark web activity during 2023. A related and equally important finding: almost 65% of that activity could impact thousands to millions of mobility assets.

These findings align with Nuspire’s own Q1 2024 Threat Report, in which dark web and exploit activity increased by more than 50%. Our threat report noted high volumes of listings for email account access, RDP access and stolen accounts, all of which are potential entry points into automotive company networks. Upstream’s report noted automotive-specific listings as well, such as key signal grabbers, key-fob programmers, GPS jammers and radar detectors.

The report also analyzed discussions about automotive companies on dark web forums and marketplaces, and found that most revolved around infotainment hacking, car hacking tutorials, and leaked source code and data.

Given these findings, it’s worth shifting perspective: rather than treating the dark web only as a hidden source of danger, treat it as a valuable and vital source of proactive threat intelligence. Automotive companies should monitor these forums and marketplaces to anticipate threats and limit damage, whether through a dedicated in-house team or a third-party service.

Get Help Managing the Evolving Automotive Cyber Threat Landscape 

As the Upstream report highlights, the automotive industry faces a rapidly evolving cybersecurity threat landscape. Attacks are becoming more sophisticated, frequent and damaging – putting vehicle safety, data privacy and brand trust at risk. To stay ahead of these threats, automotive companies need a strong cybersecurity partner. 

Nuspire offers a full suite of services to help the automotive sector strengthen its cyber resilience.

With over 25 years of experience securing automotive manufacturers, suppliers and dealers, Nuspire acts as a true extension of your security team. Let Nuspire help you navigate today’s complex vehicle cybersecurity challenges, so you can stay focused on building the future of mobility. Contact Nuspire today to learn more.
