Where the theft of a car once required access to an individual vehicle, cyber criminals can now take control remotely from anywhere on the globe. Here is a Hollywood version of a frightening city-wide vehicle hack. Actual attacks can include any of the numerous vectors corresponding to the external and internal communication channels of the vehicle such as:
Upon gaining a foothold within any of the vehicle’s myriad systems, a malicious exploit will look for ways to locate and attack its target, which can be the exfiltration of data or interference with the performance of one or more Electronic Control Units (ECUs). The exploit will attempt to jump laterally by altering the code or memory of an ECU, by corrupting the operation of an ECU via illegitimate messages over one of the buses, or by finding a store of valuable data and uploading it to a command and control center via the vehicle’s internet or mobile connection.
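Illegitimate bus messages of the kind described above can be flagged with fixed, per-bus rules. The following is an added example, not code from the original article or from any vendor's product; the bus names, CAN IDs, payload lengths and periods are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts: float     # seconds since start of capture
    bus: str      # bus segment the frame was observed on
    can_id: int   # arbitration ID
    data: bytes   # payload, 0..8 bytes

# Constructed policy: (bus, CAN ID) -> (expected payload length, nominal period in s).
# Anything not listed is treated as illegitimate on that bus.
POLICY = {
    ("powertrain", 0x0C4): (8, 0.010),
    ("powertrain", 0x1A0): (8, 0.020),
    ("infotainment", 0x3E8): (4, 0.100),
}

def check_frames(frames, policy=POLICY, tolerance=0.5):
    """Return (frame, reason) for every frame that violates the policy."""
    last_seen, alerts = {}, []
    for f in sorted(frames, key=lambda fr: fr.ts):
        key = (f.bus, f.can_id)
        rule = policy.get(key)
        if rule is None:                       # ID never expected on this bus
            alerts.append((f, "id-not-allowed-on-bus"))
            continue
        length, period = rule
        if len(f.data) != length:              # malformed or spoofed payload
            alerts.append((f, "unexpected-length"))
        prev = last_seen.get(key)
        if prev is not None and f.ts - prev < period * tolerance:
            alerts.append((f, "too-frequent"))  # extra frame between periodic ones
        last_seen[key] = f.ts
    return alerts

# Constructed sample capture (not real vehicle traffic).
SAMPLE = [
    Frame(0.000, "powertrain", 0x0C4, bytes(8)),
    Frame(0.010, "powertrain", 0x0C4, bytes(8)),
    Frame(0.011, "powertrain", 0x0C4, bytes(8)),    # injected 1 ms after a real frame
    Frame(0.020, "powertrain", 0x0C4, bytes(8)),
    Frame(0.030, "infotainment", 0x0C4, bytes(8)),  # powertrain ID on the wrong bus
    Frame(0.100, "infotainment", 0x3E8, bytes(2)),  # wrong payload length
]

if __name__ == "__main__":
    for frame, reason in check_frames(SAMPLE):
        print(f"{frame.ts:.3f} {frame.bus} 0x{frame.can_id:03X} {reason}")
```

Because every rule is a fixed table lookup, the same input always yields the same verdict, which makes the check easy to audit and test.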
Individual car and truck owners, suppliers whose goods are delivered by truck, automotive manufacturers, fleet owners and managers, and insurance companies are significantly exposed to the risks of cyber attack. Owners can lose their very vehicles or the ability to use them. Valuable cargoes can be diverted and stolen. OEMs can suffer massive liability for hacked vehicle models and severe damage from a ruined reputation. Fleet owners and managers can suffer the shutdown of their entire fleet and a steep monetary loss. Insurance companies can suffer astronomical liabilities for any of the above, not to mention the risk to the lives of drivers and passengers.
An attack on any of these levels in the fleet architecture can have devastating effects:
Brand reputation: If the emissions scandal caused Volkswagen’s brand serious damage, just imagine the damage that can be caused if an entire car fleet gets hacked.
Massive liabilities: From risking or taking lives of drivers and passengers to physical damage to people, cars, cargo, highways and cities, as well as the crippling disruption of operations and monetary losses.
Connected vehicles may be subject to all the types of cyber attack that IT networks and endpoints suffer, now and going forward. Since connected vehicles store valuable driver and consumer data, we can expect these nuggets of personally identifying information to be prized targets. To guard against such attacks, security teams must deploy Intrusion Prevention and Detection Systems and Security Operation Centers (SOCs) staffed 24/7 with security analysts from Tier 1 to Tier 4 for vehicle hacking protection. The industry will cooperate on timely threat intelligence to keep all OEMs and suppliers up to date concerning threats, their identification and appropriate response.
We can expect a concentration of organized syndicates to target vehicles specifically because the cyber-stakes are so high. The attack vector of choice will have vehicle ransomware as its ultimate goal: the ability to force drivers, owners, fleet operators, manufacturers and others to pay a ransom to continue to use their automobiles. About 40% of enterprises were hit by IT-related ransomware last year, costing businesses more than 1 billion dollars. We can expect such numbers to carry over to the 280 million connected vehicles on the road projected by 2020. While the current rate of ransomware payout in the IT world is $500 per endpoint per incident, the figures will be much higher for cars and still higher for trucks. According to Cyberventures, a leading researcher and publisher covering the global cyber economy, ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds by that time. Large fleets will be hit up for millions of dollars (preferably paid in cryptocurrency) to get their cars and trucks back into operation.
Elon Musk, founder and CEO of Tesla, has stated, “I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack.” It is not just the newer connected systems that are vulnerable to interference, either: even standard, long-serving components can be a target for attack, as proven by recent CAN bus hacking demonstrations. Because the stakes are so high, we can expect ransomware attacks on cars and other vehicles to attract the elite among hackers. In fact, we will see nation-state actors get involved in this “lucrative” practice, making the job of defense tougher than ever and enforcement of international laws and regulations extremely difficult. Nobody blames Dell or Asus for a ransomware attack that strikes their laptops in a given enterprise. However, in the case of vehicles, the damage to the reputation of a car manufacturer could be astronomical as consumers shun their products for more cyber-secure models. Therefore, we must be wary of players at all levels in the automotive supply chain trying to gain a competitive advantage by delivering a payload of ransomware or other type of attack against a rival’s products.
Cybersecurity best practices are still under development. Taking their cue from IT sources, connected-vehicle manufacturers, owners and insurance companies are developing standards. But as the vehicle poses numerous unique risks, and the threats are still in their infancy, they are still learning. Legislators are rapidly addressing the moving target of automotive cybersecurity. In North America, Europe and Asia, studies are being conducted and bills passed, but attack vectors are still growing. The long arm of American or British law is hard-pressed to extend into Russia or China. Total international cooperation is required, but probably will not be forthcoming any time soon.
Shutting down vehicle operations is certainly an effective and headline-grabbing way to extract ransom or ruin reputations. However, a more insidious attack focused directly on the safety aspects of the vehicle might be more effective, e.g., causing a horrific traffic accident in a single vehicle, with the threat of more to come if a significant sum in bitcoin is not delivered.
To combat this treacherous, insidious threat, GuardKnox’s Communication Lockdown™ technology delivers a threat-agnostic, deterministic solution that does not rely on heuristics and machine learning, but thwarts safety-related attacks in real time.
The hacking of vehicles began in 2002 with fuel injectors as the target. By 2005, wireless communication hacks were used to intercept in-car signals. 2010 saw the first “bricking” of cars (making them undrivable). The big “breakthrough” that set the industry on edge came in 2015 with the first remote commandeering of a moving vehicle.
And the hacks keep on coming: