Vehicle hacking
is here to stay

Download Automotive Cybersecurity Standards

IS THE THREAT REAL?

Vehicle hacking has constantly been making headlines over the past decade. As the automotive paradigm shift moves the industry to fully connected vehicles supporting customized driver experiences, those vehicles have become viable targets for cyber attacks. While the world has yet to suffer from a massive attack, its potential damage is terrifying.

To combat this, OEMs are investing in automotive cybersecurity solutions and bug bounty programs for white hat hackers, while the hacks keep on coming. Vehicle hacking is a clear and present danger that requires foundational design solutions like any other connected system to keep us safe on the road.

VEHICLE HACKING SPREADING
LIKE A DISEASE

Where the theft of a car once required access to an individual vehicle, cyber criminals can now take control remotely from anywhere on the globe. What was once an exciting scene in a Hollywood film is now very close to reality.

According to a FBI bulletin, vehicle hacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks,” They continue to warn, “the automotive industry likely will face a wide range of cyber threats and malicious activity in the near future as the vast amount of data collected by Internet-connected vehicles and autonomous vehicles become a highly valued target for nation-state and financially motivated actors.”

Hackers and cyberthieves are constantly devising new techniques to steal personal and financial data, install ransomware and even take control of vehicles on the road. Any system in a vehicle connecting to the Internet, fleet management software, or an EV charging network is a potential entry point.

Upon gaining that foothold, a malicious exploit will look for ways to locate and attack its target. The exploit will attempt to jump laterally either to alter the code or memory of an ECU, by corrupting the operation of an ECU via illegitimate messages over one of the buses, or by finding a store of valuable data and uploading it to a command and control center via the vehicle’s internet or mobile connection.

EXPOSURE

Individual car and truck owners, suppliers whose goods are delivered by truck, automotive manufacturers, fleet owners and managers, and insurance companies are significantly exposed to the risks of cyber attack. Owners can lose their vehicles or the ability to use them. Valuable cargoes can be diverted and stolen. OEMs can suffer massive liability for hacked vehicle models and severe damage from a ruined reputation. Fleet owners and managers can suffer the shutdown of their entire fleet and a steep monetary loss. Insurance companies can suffer astronomical liabilities for any of the above not to mention risking the lives of drivers and passengers.
Autonomous vehicle hacking can create citywide chaos. According to a 2019 study, if 10%-20% of autonomous vehicles were hacked in Manhattan, half the city would become inaccessible, leaving millions stranded and in potential danger.

As the flagship for connected vehicles, the most publicized vehicle hacking has targeted Tesla with the first remote hack in 2016 by the Chinese Keen Security Lab compromising the CAN bus. This was followed by the widely publicized hack at Pwn2Own 2019 by Amat Cama and Richard Zhu through the Tesla 3’s infotainment system and then in 2020 the bluetooth key fob hack on the Model X by Lennert Wouters, a security researcher at Belgian university KU Leuven.

Although they are often targeted, Tesla are not the only vehicles facing constant hacking attacks. In fact, all the top 2020 cars have Internet connections to safety critical systems creating vulnerabilities to fleet wide hacks. The number of reported successful vehicle hacks almost doubles every year and the vast majority of these hacks occur remotely. It is chilling to consider the potential personal and national consequences of losing control of cars, buses and trucks on city roads and highways.

Image: The Fate of the Furious movie

VEHICLE RANSOMWARE, CAN BUS HACKING - TYPES OF ATTACKS

Connected vehicles may be subject to all the cyber types of attacks that IT networks and endpoints suffer, now and going forward. Since connected vehicles store valuable driver and consumer data, we can expect these nuggets of personally identifying information to be prized targets.

To guard against such attacks, security teams must deploy Intrusion Prevention and Detection Systems and Vehicle Security Operation Centers (VSOCs) staffed 24/7 with security analysts from Tier 1 to Tier 4 for vehicle hacking protection. VSOCs keep vehicles and their operational databases secure just like SOCs keep organizational networks secure. VSOCs collect and monitor data from vehicle fleets raising alarms when there is a detected threat and forecasting the probability of failure for each vehicle component.

$20B50% of enterprises were hit by IT-related ransomware costing businesses $20B in damages.
381MWe can expect such numbers to carry over to the 381M connected vehicles on the road.

The industry will cooperate on timely threat intelligence to keep all OEMs and suppliers up to date concerning threats, their identification and appropriate response. We can expect a concentration of organized syndicates to target vehicles specifically because the cyber-stakes are so high.

The attack vector of choice will have vehicle ransomware as its ultimate goal, the ability to force drivers, owners, fleet operators, manufacturers and others to pay a ransom to continue to use their automobiles. Over 50% of enterprises were hit by IT-related ransomware last year costing businesses 20 billion dollars.

We can expect such numbers to carry over to the 381 million connected vehicles on the road today. While the current rate of ransomware payout in the IT world is $500 per endpoint per incident, the figures will be much higher for cars and still higher for trucks. Large fleets will be hit up for millions of dollars (preferably paid in cryptocurrency) to get their cars and trucks back into operation. Elon Musk, founder and CEO of Tesla has stated, “I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack.” It is not just the newer connected systems which are vulnerable to interference either, as even the standard and long-time serving components can be a target for attack as proven with CAN bus hacking demonstrations.

“I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack.”

Elon Musk, founder and CEO of Tesla

Because the stakes are so high, ransomware attacks on cars and other vehicles attract the elite among hackers. In fact, we will see nation-state actors get involved in this “lucrative” practice making the job of defense tougher than ever and enforcement of international laws and regulations extremely difficult. Nobody blames Dell or Asus for a ransomware attack that strikes their laptops in a given enterprise. However, in the case of vehicles, the damage to the reputation of a car manufacturer could be astronomical as consumers shun their products for more cyber-secure models. Therefore, we must be wary of players at all levels in the automotive supply chain trying to gain a competitive advantage by delivering a payload of ransomware or other type of attack against a rival’s products.

LEGISLATION

Cybersecurity regulations are in development today as the International Standards Organisation (ISO) and the Society of Automotive Engineers (SAE) are creating ISO/SAE 21434, the worldwide standard for automotive cybersecurity. At the same time, the United Nations Economic Commission for Europe’s (UNECE) Sustainable Transport Division’s World Forum for Harmonization of Vehicle Regulations (WP.29) has developed a regulatory framework to make vehicle technological innovations safer and more environmentally friendly.

However, even with added focus from legislative bodies, there is no way that they will be able to catch up to black hat hackers who act independently with no oversight or legislative processes. The solution must come from secure by design architecture that can defend against vehicle hacking attacks.

SAFETY

Security effects safety. If a vehicle is not secure, then it is a safety hazard for its passengers and everyone in its environment. But it doesn’t end just there. We need to keep in mind that virtually all vehicles today are connected and commercial fleets are essential for driving the global economy. Automotive cybersecurity will likely become a matter of national security. Just like in the past seatbelts, rear view mirrors and baby car seats were optional, cybersecure protection from vehicle hacking will become essential national legislation. To design a secure computer system, two core methodologies must be employed from the initial design stage:

  • Security by design – risk identification and countermeasure definition
  • Defense in depth – limit or nullify the propagation of a compromised system element

While there are no set rules for every component in the vehicle, one goal must guide all systems and configurations – a breach cannot endanger the safety of a vehicle’s passengers or those in its vicinity. To combat this treacherous, insidious threat, GuardKnox’s Communication Lockdown™ technology delivers a threat-agnostic, deterministic solution that does not rely on heuristics and machine learning, but thwarts safety-related attacks in real time.

A BRIEF HISTORY OF CONNECTED-CAR HACKS

The hacking of vehicles began in 2002 with fuel injectors as the target. By 2005, wireless communication hacks were used to intercept in-car signals. 2010 saw the first “bricking” of cars (making them undrivable). The big “breakthrough” that set the industry on edge came in 2015 with the first remote commandeering of a moving vehicle.
Today, over 80% of hacks are remote and are most commonly fall into one of these categories:

  1. Key Fob Hack the malicious actor will clone the signal that a car and computerized key use to communicate with each other
  2. Server Hack – these can be the most dangerous type of hack, as accessing a central server provides access to personal data, company data and even the controls of every vehicle connected to it
  3. Mobile App Hack – the smartphoneization of vehicles is happening and with the extreme growth in vehicle apps comes an extreme growth in attack vectors. Each app is an additional avenue into a vehicle

Ingenious methods  to hack into connected cars are being devised every day and the Cybertech Tier is here to provide the necessary automotive cybersecurity with secure by design architecture.


Here is a review of some of the most notable vehicle hacks through the years:

Want to hear more?

Contact us to speak to one of our architecture specialists today

Contact Us