There’s a rat under the hood

As cars, trucks and vehicles spruce up on more software, connectivity, intelligence and V2X delights; they also face the cracks that come with the bundle. Security fears here have moved beyond the broken window. Is it turning towards the broken window theory, though? Will attackers accelerate once they see the state of vehicles today?

Dom Toretto may not have seen this coming. Having raced against the toughest and roughest of rivals, in the most inhospitable conditions ever imagined, he would still not have imagined that a cyber-terrorist would be so mercilessly fast and furious. And that she would push his buttons sitting far away in her armchair, and not on the steering wheel. But what we saw in ‘The Fate of the Furious’ does not seem too far-fetched today. A car fitted with all those tech bells and whistles can be easily hacked or hypnotised and forced to join thousands of others for the nefarious plans of any cipher sitting far away. These cars can cause chaos. They can rob people of their data. And even wreck carmakers with data thefts and ransom demands.

Yes, gone are the days of car burglaries and smash-and-grab attacks. Cyber-attacks are revving up for a new tarmac—the automotive industry.

There’s Petrol, spilled on the road

Let’s reverse a little bit. Somewhere in 2016. As reported in The Guardian, a bunch of researchers from the Keen Security Lab showed how simple it can be for hackers to remotely control a Tesla Model S from a distance of 12 miles.

Fast forward to today and almost every car brand – from Ford to Volkswagen and Toyota has come under the lens of cyber-threats. As reviewed in ‘Privacy Nightmare on Wheels’ by Mozilla Foundation, many cars failed the privacy test. Mozilla’s latest edition of ‘Privacy Not Included’ revealed how 25 major car brands collect and share deeply personal data—that covers things as shocking as sexual activity, immigration status, facial expressions, weight and genetic and health information. There is BMW, Ford, Toyota, Tesla, Kia, and Subaru in the list of companies that can collect such deeply personal data. It is being done through sensors, microphones, cameras, car apps and the phones and devices drivers that connect to their cars along with vehicle telematics. While brands can share or sell this data to third parties, there is also a not-so-hard-to-guess possibility—hackers sneaking into this data without much trouble or friction.

“I don’t think most auto-buyers (i.e., consumers) are very knowledgeable about cyber-security issues related to the smart devices in modern cars. The above notwithstanding, In my opinion, the elephant in the room is the ‘economic aspects of automotive cybersecurity’.” - Prof. Lawrence A. Gordon, Robert H. Smith School of Business

Not that tough for the bad guys when Volkswagen can collect data like gender and age along with driving behavior, when Kia’s privacy policy says they can collect information about a user’s sex life, or when many GM brands have genetic, physiological, behavioral, and biological characteristics being collected as per their privacy statements in some regions. Jen Caltrider, Mozilla rightly captured it in this report—”All new cars today are privacy nightmares on wheels that collect huge amounts of personal information.”

Plus, apps pre-installed or pre-bundled with a car can reveal so much—picking location and biometric data while helping a user park one’s car, for instance. Car makers can use a lot of this data for insurance work, for repossession (including remote-controlled takeover if the user does not pay after a period), for law records and of course, for monetisation. As per a McKinsey’s report 2016, the global revenue pool from car data monetisation was slated to touch $750 billion by 2030. Reckoned again recently for nine top clusters, this opportunity could deliver $250 billion to $400 billion in annual incremental value for players across the ecosystem in 2030. That leaves little room for doubt on why carmakers are replacing all that metal with software.

The worse part—consumers have almost negligible control in all this. No wonder, serious data leaks and breaches are ordinary in the industry. The last few years have shown ample examples of millions of records and data leaked through mistakes made by car-makers – including big names like Honda, Toyota, and Volkswagen.

“No concern was given by the auto makers of how to properly secure that customer data and now they’re scrambling to find ways to secure that, which is also coming into conflict with personal privacy advocates who say that data belongs to the vehicle owner, not the manufacturer and it’s up to the owner to determine who can have access to it.” - Paddy Harrington, Senior Analyst, Security & Risk, Forrester

Imagine this! Almost 56 per cent of the car brands’ own privacy policies state that they can voluntarily share your personal data with law enforcement. And 68 per cent of the car companies earned Mozilla’s ‘bad track record’ ding for failing to protect their users’ privacy with a leak, breach or hack in the past three years – that too, from sources that should have been better protected.

Upstream’s 2023 Global Automotive Cybersecurity report also affirms that the top cyber-attack vectors in 2022 were telematics and application servers (35 per cent), remote keyless entry systems (18 per cent), electronic control units (14 per cent), automotive and smart mobility APIs (12 per cent), infotainment systems (8 per cent), mobile applications (6 per cent), and EV charging infrastructure (4 per cent).

Most attacks (97 per cent) are being conducted remotely, and 70 per cent of remote attacks happen at long range—using network connectivity. Just like Cipher in that movie.

The resulting damage hurts everyone – with car thefts and dangers to the user driving or sitting in the car; to ransomware threats and data-thefts affecting automotive companies.

Skid-Marks Everywhere

So who comes first in this race to grab more data? Not the carmaker or the customer or the driver. But the hacker.

The automotive sector has become very tempting for cyber-attackers. And companies have started to recognise that dent. According to a recent Kaspersky research ‘Automotive Threat Intelligence Report’, 64 per cent of automotive industry leaders believe their supply chain is vulnerable to cyber-attacks, and many businesses seem to be inadequately prepared for a connected automotive era. The integration of infotainment systems and connectivity technology provided by software providers is the biggest supply chain risk faced by the automotive sector, and 34 per cent identified this as a top cybersecurity concern. Conti, LockBit and Hive are the ransomware most found in automotive cyber-attacks.

Paddy Harrington, Senior Analyst, Security & Risk, Forrester opens the hood and gives us a peek into where the wiring has gone all wrong. “The biggest issue is the amount of development that has been done without any thought to securing the onboard systems, the data collected by them, and then transmitted to the various auto manufacturers. There are millions of cars on the road that have numerous vulnerabilities within them, some of which may be able to be remediated through OTA, but only if the vendor chooses to do so.”

Think of the multiple vulnerabilities discovered within the telematic systems or SiriusXM units at the beginning of the year, Harrington cites. “These impacted 16 different vehicle manufacturers with millions upon millions of cars. Do they write the update for all of these? How far back to they write the fixes for? These are cars, they can stay on the road for decades. For other components within the car, they can’t be updated as there’s no way to send newer code to that component. When thinking about vehicles, these aren’t a single ‘IoT device’, this is a network of ‘IoT devices’ all communicating through various channels. Some pieces can be updates, some can’t because there’s no method to update that component. So an attacker with physical access to the vehicle could find a way to exploit a vulnerability on a component and then get their way into other components.”

He loves cars, but he does not turn his eyes away when looking at what he sees on the road – specially on the awareness and responsibility potholes that auto-makers exude. Lawrence A. Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance, Robert H. Smith School of Business and Affiliate Professor in UMD Institute for Advanced Computer Studies notes, “Of course, the technical computer science/engineering aspects of automotive cyber-security are critical issues that need to be addressed. The automakers and regulators are cognizant of these cyber-security issues and are (and have been for about a decade) addressing them. In contrast, I don’t think most auto-buyers (i.e., consumers) are very knowledgeable about cyber-security issues related to the smart devices in modern cars. The above notwithstanding, In my opinion the elephant in the room is the ‘economic aspects of automotive cybersecurity’.”

“The main problem is that many OEMs don’t put enough priority on cyber-security, the second is that many OEMs are not really experts on software – and, if you’re not good at software, then you can’t be good at cyber-security.” - Pedro Pacheco, VP Analyst at Gartner

But is there not an irony for automakers here? When tech-based features become the very vulnerabilities that they want to avoid—like smart keys, sensors, surveillance and fleet management? Wasn’t the new-age car supposed to be fitted with all this software?

It was but not without pre-empting the red flags. Harrington strongly recommends avoiding making security of the code in vehicles an afterthought. “If securing the code and data was a priority from the start, I don’t think we’d be in the mess we’re in now. This applies to the components inside as well as the apps and websites that allow owners to control their vehicles. Looking at a lot of the attacks over the last couple years, they originated from mobile apps or having that Internet access to them.”

There is also an issue that is rarely discussed, Harrington reminds, but has a broader impact for businesses, which is if a vehicle is compromised and ‘takes up residence’ within the infotainment system, an attacker could target mobile devices that are connected to the vehicle. Most businesses aren’t going to be directly impacted by issues with connected vehicles, but the mobile devices used by their employees, especially executives or those in key positions, could be compromised and either have malware delivered to them or data extracted from them.

Being hacked hurts—and everyone, not matter what seat they are in.

The economic aspects of automotive cybersecurity involve several issues, as Prof. Gordon outlines. “First, the cost of initially incorporating a high level of cybersecurity into cars is costly. Thus, the question that immediately comes to mind is who will bear that cost? As I see it, the automakers will initially bear this cost, but ultimately the majority share of this cost will be passed on to the auto-buyers. Second, cyber-attacks on automobiles can be very costly to auto-buyers. To the extent that automakers don’t have to reimburse car owners for their losses resulting from cyber-attacks, these costs are externalities from the automakers’ perspective (i.e., consumers absorb the costs). To the extent that automakers have to reimburse car owners for their losses (e.g., as a result of lawsuits or regulations), these costs will be borne by

the automakers.”

Harrington also unravels dangers lurking in EV charging. “Sandia Labs did a study not too long ago looking at the security of EV charging networks and it wasn’t pretty what they found. If you can compromise a single charging station, you can simply be malicious and steal money through the payment systems, turn off chargers, or change the charging to be a trickle, but you can also be destructive and inject malware into these charging vehicles through the physical connection, could force an overcharge of the vehicle, damaging the battery pack, or overcharge multiple vehicles at once and cause serious havoc.”

There is a Pollyanna around though. They won’t take over your autonomous vehicle any time soon, assures Pedro Pacheco, VP Analyst at Gartner. “It’s important to have a realistic perspective on the topic. Instead, the risks are more on the side of occupant privacy threat, damage to OEMs and suppliers in the form of ransomware and, in some cases, possibility of vehicle theft. Essentially, cyber-attackers do things with a purpose and that purpose is financial the vast majority of times. In some other cases, employees working for OEMs may have the intention to hurt the company or take a non-compliant approach by disrespecting the privacy or vehicle drivers or occupants.

In Pacheco’s reckoning, automakers are well aware of the risks entailed by vehicle technology from a perspective of cybersecurity or privacy. “However, cybersecurity is not yet seen as a top priority as consumers are not able to distinguish nor reward top cybersecurity from a lousy one. Fortunately, regulators have already taken action. The UN R 155 is the world’s first vehicle cybersecurity regulation and has been enforced in over 60 countries last year, including the European Union, Japan, South Korea and Australia. China is also deploying vehicle cybersecurity regulation next year. These milestones force OEMs to raise the bar in cybersecurity now and in the future, as regulators will keep increasing their demands as cyber-attackers evolve in terms of sophistication.”

So would the Toretto’s of the future be left free to laze around and enjoy their cars without worrying about invisible pillion drivers?

The Bend in the Road—The Real

Drifting Challenge

Looking at what happens going forward, Harrignton gazes at a world where cars are more connected and more ‘computerised’—so there are more surface areas that need security solutions applied to them. “V2V comms, municipal infrastructure comms, video/radar systems for autonomous driving, app connectivity into the vehicle as well as from inside going onto the Internet. As I said, this is a rolling network of devices so a breach into one can impact the entire vehicle. The separation between the comfort and infotainment and the CAN bus is not as gapped as people think. So with any weakness within these new components and a breach into the CAN bus, the ramifications of what you could do to that vehicle could be catastrophic. Or simply malicious, not to be entirely gloomy.”

Harrington makes us stare at the monster from a closer view. “Take these robotaxis. There have been multiple incidents with them in various locations, the most ‘darkly comical’ being within San Francisco where the vehicles stopped working, stopping dead in the streets, because the area cell network was overloaded and they couldn’t continue driving without that network connection. Certainly a flaw in the operational design, but why was that missed? Cell signals go out all the time. Now that this has been exposed as a flaw, it can be purposefully exploited.

Outside of the vehicles themselves, you have various infrastructures within municipalities, highways, office buildings, homes, apartments, etc… that can have an impact into these modern vehicles.”

So how ready or cognizant are automakers, regulators and users about concerns on privacy, dark-web data markets, hacking, and safety? We do have Regulations like WP.29 and ISO/SAW 21434 but we can do with more help and more teeth for sure.

Harrington opines that the last couple of years opened some eyes. “Many prominent manufacturers (Tesla, Honda, Nissa, Hyundai) have had numerous incidents come to light so it’s brought problems out of the darkness for some people. Regulators are taking steps, predominantly in Europe, but my challenge with regulations are often treated as a floor, so manufacturers will do just enough to comply with regulations, but not go beyond them. They also only apply to new productions, so the millions of vehicles already on the road aren’t impacted by them. Another issue with regulations is they wait for a manufacturer (this applies to any industry, really) to get caught skirting the regs before anything happens and then, it usually only impacts the first business caught.”

Harrington explains with an example. “If you look at the issue with VM’s coding changes on their diesel vehicles to pass the EPA tests but then revert back in normal operation, the hammers came down heavy on VW, but it was later revealed that many other manufacturers did the same thing and, while some fines were still levied, it was more a slap on the wrist to the others.

What also makes parking automakers in a safe zone is the confusion and hesitation seen in the industry. Kaspersky’s report showed that 29.5 per cent currently do not see value from their cyber intelligence investments and 35 per cent feel that confusing industry terms present the biggest barrier to the broader management team’s ability to develop a holistic understanding of cyber risk and what they should do about it.

Prof. Gordon also argues some significant ‘recall’ costs to the automakers. And how automakers, car sharing companies, and fleet owners are likely to be the target of back-end server cyber-attacks which could be very costly to prevent and/or correct. “To the extent that auto-buyers have to absorb the costs associated with the lack of automotive cybersecurity, we will likely see more regulations on automakers (i.e., in addition to ISO/SAE 21434). But how the different costs discussed above will be divided among the different interest groups is a complicated issue that ultimately comes down to some sort of collective cost-benefit analysis solution.”

Coming up with a comprehensive analysis of the “economic aspects of automotive cyber-security” is no easy task—he reminds.

However, efforts are underway as cognizance

gains speed.

A higher technology content in the vehicle doesn’t necessarily imply a greater cyber-security risk when OEMs know how – and are willing to – design software to be as secure as possible, Pacheco observes while he advises companies to invest in prioritisation of this issue.

The McKinsey’s 2020 consumer survey shows how 39 per cent of consumers were interested in unlocking additional digital features after purchasing a vehicle. The number changed to 47 per cent for customers of premium OEMs.

“A lot of vehicle security vendors are working closer with manufacturers as well as various suppliers to ensure their code and the components themselves are built securely from the group up. During a discussion I had recently with one of these vendors, they’re even looking to use technology like digital twins to maintain a virtual simulation of these components and even ‘completed’ vehicles, so that when new vulnerabilities are discovered in code, they can see what impact this would truly have on operations, plan on how they’re going to address this, and then look at the changes caused by deploying patches and updates.” Harrington explains as he looks at some bright spots ahead.

What’s surprising is that users are leaning in heavily to this new paradigm. The McKinsey’s 2020 consumer survey shows how 39 per cent of consumers were interested in unlocking additional digital features after purchasing a vehicle. The number changed to 47 per cent for customers of premium OEMs.

Juxtapose this to the lack of ability for users to do anything. “This is also coming to the surface more with the overall ‘right to repair’ movement within the digital marketplace. Who owns the car? If I do, I should be able to make whatever changes I want as well as have full access to any data I create with that vehicle. Auto manufacturers are pushing back saying they don’t have proper security controls in place to allow this. “You didn’t think of securing this data beforehand?” Harrington wonders.

But there is more than just some hopeless Jalopy on this road.

A Quarter mile at a time, as Toretto says

A higher technology content in the vehicle doesn’t necessarily imply a greater cybersecurity risk when OEMs know how – and are willing to – design software to be as secure as possible, Pacheco observes while he advises companies to invest in prioritisation of this issue.

Harrington adds to this optimism. “There is certainly some positive movement in trying to do better with security in this area, but there is still a concern that a serious compromise could happen before controls are put in place. It should be noted that much of the recent attention has been put on the automotive aspect of connected vehicles. Other industries of concern could be shipping or railways.”

He stresses that consumers need to ‘wake up’ and realize that the car they’re driving now isn’t the 1970’s VW Beetle. “It is much more computerized and connected and like all computing devices, if a concern isn’t placed on security and privacy, you’re going to get neither. I shake my head every time I get into a rental car and see the amount of paired devices in the infotainment system. Most of these, as is common, sync their contacts to this device because that’s just what you do, so someone with malicious intent could be downloading a good deal of info off these vehicles.”

As long as we remember what Cipher said, we might be able to avoid a big crash. Because she was sure and rightfully so— “One thing I can guarantee... no one’s ready for this.”

Can we prove her wrong?

By Pratima H

pratimah@cybermedia.co.in