There is a lot of recent activity in automotive cybersecurity across multiple segments. The good news is that auto OEMs and their supply chains are adding hardware and software for better cyber defenses. The bad news is that criminal hackers are gaining capabilities and there are more attack surfaces to hack and exploit. In this column, I will analyze and summarize Upstream Security’s cybersecurity data from its four yearly automotive cybersecurity reports.
Adhering to legislative rules is one reason for recent growth in automotive cybersecurity, as are the capabilities of cybersecurity solutions — especially cloud–based services. The growing combination of connected and software–defined vehicles, however, will further expose new attack surfaces.
Detailed information on automotive cybersecurity is limited, mostly because the good guys do not want to tip off the bad guys about what they know and what they do.
In my experience, Upstream Security has the best public information on automotive cybersecurity trends. Upstream has released four yearly reports, the latest in early 2022, on automotive cybersecurity trends with a growing amount of information. Upstream also has a public database of 900+ automotive hacking events that yield more information when needed.
I highly recommend taking a closer look at Upstream information and data — including their extensive portfolio on automotive cloud–based cybersecurity solutions. For example, the first table shows some overall trends over the past 11 years. Not all data points were available for every year.
The number of incidents per year grew dramatically in 2020. Part of the growth may be that Upstream received better information as their customers and reputation grew. But most of the growth is clearly from increased hacker activities. The incident numbers for 2020 and 2021 are based on Upstream’s database mentioned above and reached nearly 900 for the two years combined. In the first quarter of 2022, Upstream added nearly 70 new incidents.
Another clear trend is the growth of remote hacks, which include both web–based and nearby wireless attacks such as key fob hacks. Remote attacks have always been the majority and are now about 85%. The remaining attacks are physical in nature, which require access to a vehicle.
The so–called black hat hackers are cyber criminals looking to cause damage or reap personal gains. On the other hand, white hat hackers try to uncover significant cybersecurity vulnerabilities that need to be corrected. White hat hackers are also called research–based hackers. Many companies have bug reward programs that pay white hat hackers when vulnerabilities are identified. Black hat hackers are increasing their share of cyber attacks and accounted for 57% in 2021.
Vulnerabilities in software components are published as common vulnerabilities and exposures (CVEs) in a program launched by MITRE in 1999. Automotive CVE tracking started in 2015. The CVE threats are commonly found on OEM electronics systems. They may also appear throughout an OEM’s product supply chain. By the end of 2021 there were 249 automotive CVEs and 139 were found in 2021.
The next table extracts the attack vectors that hackers use for automotive exploits. Note that the percentages are based on the cumulative attacks from 2010 to the latest year. The listing order is based on the percentage rank in 2021.
There are several clear signals from these trends:
- Cloud server attacks have become the leading category with over 41% of the total for 2010 to 2021. A new issue, the Log4Shell vulnerability, has the potential to further increase server attacks in 2022 and beyond. This vulnerability was discovered in December 2021 in the Apache Log4j Java–based logging library and can jeopardize the security of any automotive–related server using this common library.
- Keyless entry method was on top in 2019 and remains a strong second favorite for hackers. It is increasingly used to steal and break into vehicles. See below for more perspectives on the deep and dark web.
- ECU attacks have grown recently and are now in third place with over 12% of all attacks. Domain ECUs are expected to have better cybersecurity, which may help protect this category.
- Mobile apps seem to have both peaked and declined since 2019. With Apple and Google becoming dominant in interfacing apps and infotainment systems, there will be more standardization. This could increase the impact of hacks as many more vehicles could be attacked with a single vulnerability.
- Attacks via the OBD port have also declined since physical attacks are becoming a small portion of all hacks.
- Sensors have remained a secondary issue. With the growing number of sensors in advanced driver assistance systems and future autonomous vehicles, however, it is worth keeping an eye on this category.
Cyber legislation: WP.29 & ISO/SAE 21434
Two cybersecurity regulations will have a major impact on all aspects of automotive cybersecurity: WP.29 and ISO/SAE 21434. 2022 will be the first year these two standards will regulate automotive software.
A key requirement of these cybersecurity standards and regulations is that each vehicle must be secured throughout its entire lifecycle — from development and production through all vehicle customer use phases.
This means that OEMs and their supply chains must include multi–layered cybersecurity solutions to protect against current and future cyberattacks.
WP.29 consists of two components: R155 cybersecurity management system (CSMS) and R156 software update management system (SUMS). CSMS is focused on implementing a high level of cybersecurity analysis, while SUMS is dedicated to safeguarding software updates during the vehicle lifecycle.
ISO/SAE 21434 is focused on implementing WP.29 CSMS requirements at the beginning of the system design process and enabling OEMs and suppliers to demonstrate due diligence in implementing cybersecurity engineering.
These two cybersecurity regulations have set the stage for what OEMs must do to protect against cybersecurity vulnerabilities. Even with solutions based on these standards, cybersecurity will remain one of the toughest problems in the auto industry — maybe the hardest long–term problem.
Auto–specific threat analysis of the deep and dark web
The internet can often be divided into three segments: surface web, deep web, and dark web.
The first layer is the smallest and is called the “clear web” or “surface web”. This part of the internet contains the information accessible and indexed by search engines that most people use daily.
The second layer is the deep web, which contains information that is not indexed by search engines because it requires a login to access. For the average individual, this includes social media platforms. For hackers, the deep web could be imageboards such as 4chan, 8chan, and other websites that provide information for hacking autos and other products.
The last layer is the dark web, where malicious activities, crime, and stolen data are available. The dark web requires the user to have prior knowledge of how to access desired information. Forums or pages are managed by moderators and suspicion is always high due to a lack of transparency among users.
The Upstream report includes important information on the deep and dark web and how they distribute cybersecurity knowledge to hackers, which is summarized below.
The deep and dark web enable automotive cyber criminals to communicate anonymously. There are forums with detailed discussions on how to attack connected vehicles, how to access sensitive data and how to take over and steal a vehicle. Even on the surface web, cyber criminals can find online shops that sell hacking tools, services that disable immobilizers, code grabbers, and tutorials on how to steal a car.
Automotive–related content appears throughout the deep and dark web in multiple ways:
- Forums: Automotive–related forums have discussions and posts that deal with chip tuning, engine tuning, infotainment cracking, reverse engineering, vehicle software cracking, key fob modifications, immobilizer hacking, and the exchange of automotive software.
- Marketplaces: A darknet market is a commercial website that operates via browsers such as Tor or I2P. They function as black markets, selling or brokering transactions involving many types of illicit goods. Some automotive–related dark web marketplace listings on the Empire and Genesis markets offered vehicle–related products and services such as forged documents, credentials to access user accounts of smart mobility services, or stolen credentials of automotive application users.
- Messaging applications: The use of mobile messaging apps for illicit activity has grown as more online activity moves to mobile devices. Users are actively abusing popular mobile messaging apps such as Telegram, Discord, Signal, ICQ, and WhatsApp to share automotive hacking methods and ideas and to trade stolen account credentials, exploits for vulnerabilities, leaked source code, and malware.
Both ISO/SAE 21434 and WP.29 regulations recommend in–depth threat intelligence. New automotive cybersecurity vulnerabilities are consistently published and discussed on the deep and dark web. Hence, it is vital for OEMs and their supply chain to monitor the deep and dark web to get early intelligence.
Such monitoring can reduce the mitigation time between a discovered vulnerability or security breach and the time this information reaches hackers.
Upstream 2022 predictions
Upstream included multiple predictions for 2022 cybersecurity trends. Most are included below:
- Cyberattacks will increasingly target OEM servers and infrastructure. Growth in stored vehicle data will make OEM servers more appealing targets.
- Black hat attacks will continue to overshadow white hat hacking. Attacks for personal gain will outpace research–driven hackers. With the implementation of UNECE WP.29 and ISO/SAE 21434, OEMs and their suppliers have more to lose than before when breaches happen.
- Cybersecurity regulations will redefine automotive data. Regulations will force the ecosystem to better examine data, allowing OEMs and their suppliers to better understand the performance, context, and overall quality of their data. This will lead to more innovations in future vehicle generations.
- Keyless car thefts will continue to rise due to ease of obtaining sophisticated technology. Increasing new car values makes them key targets for criminals. Available hacking hardware and tutorials will increase car thefts, often in record time.
- Vulnerabilities will rise due to fraudsters flooding the market with counterfeit chips. A continued chip shortage provides more opportunities for counterfeiters to distribute fake chips with unknown vulnerabilities.
- Growing emphasis by OEMs on software–defined vehicles. A majority of functionality will be enabled by software. This will pose more future cybersecurity challenges and will require more advanced monitoring and detection capabilities.
- Electric vehicle charging stations will become a growing battleground for attacks. In 2021, hackers showed that charging stations are valuable targets. By exploiting the grid’s network through physical stations, black hat actors will be able to steal data and even disrupt entire fleets.
- More personally identifiable information will be collected by the automotive industry. Growth in subscription models for vehicle functions will require a digital user fingerprint for multimodal mobility functions. This will introduce user IDs as an additional attack vector.
Automotive cybersecurity is a growth industry across all segments as both vulnerabilities and cyberattacks continue to increase, which requires additional cyber solutions, deployments, and regulations.
Cybersecurity has unique characteristics. Investing and deploying cybersecurity is basically an insurance policy to avoid expensive cyber events that could greatly harm a company’s reputation and bottom line.
In the past, hacking events primarily resulted in inconvenience to infotainment users. Now cyberattacks can impact the safety of drivers, passengers, and other road users. This means cyber protection is now on par with functional safety. The resulting cybersecurity legislation is proof that cybersecurity is now an element of functional safety.
Soon, automotive cybersecurity could become an element of cyber warfare between nations. Disabling a few thousand vehicles in key cities would play havoc with a country’s transportation system. We are not there yet, but it is a potential scenario in a decade or so.
It is clear that much future investment and innovation are required in all aspects of automotive cybersecurity!