Automotive sector

Automotive Cyber ​​Attack Vectors – Part 2: Data Attacks –

In Part 1 of our review of cyberattack vectors in the automotive sector, we looked at the levels of damage and threat that bad actors could exert against anyone using a modern GPS-guided vehicle by blocking or spoofing reception. from the vehicle accurate satellite signals.

Fortunately, this is a maturing threat, which means mitigation strategies and technologies have been in development for some time. And as vehicles and the environment in which they move – both roads and roadside infrastructure – become more “intelligent”, the exchange of data between different vehicles, and between vehicles and the infrastructure, jamming or impersonating an individual vehicle for nefarious purposes is only set to become more difficult. As such it is a rapidly diminishing threat and, with the addition of more technology into our vehicles and roads, someday in this century will become too difficult to justify the effort, time and expense. .

But with some undeniable irony, the move towards greater connectivity and car-to-car and car-to-infrastructure data exchange, while closing one avenue for cyberattacks, is opening up an ever-widening one. The notion of cars as the subject of a data-driven cyberattack would have been unthinkable ten years ago. But we are entering an era where a car will by no means be “just” a car. An age where a car is more like a hard drive and a digital wallet on wheels. And where there’s data, or where there’s money, the law of the infamous arms race will kick in, to make every vehicle on a highway a potential target for the equivalent of the next generation of an email hack.

Connected Cars – Hard Drives on Wheels

The question of age will be what are called “connected cars”. This is a car (or other road vehicle) that sends and receives data while on the move. While at present the United States is behind some other countries in percentage of their new vehicles

The scale of the terrain for cyberattack

It is important not to underestimate the magnitude of this potential cyberattack problem. While in 2021 only 32% of all American cars were “connected” — sending and receiving data on a regular, if not near constant, basis — by 2025 that figure is expected to rise to 50%. And by 2035, the percentage of new US vehicles that will be connected is expected to reach 95%. This is an incredibly rapid expansion of the cyber attack playing field, from just under a third of all new vehicles to almost all new vehicles with potential data vulnerabilities in less than a decade. and a half.

And you might be wondering how much of a threat a moving car can pose to data. Each car connected in 2022 can produce up to 25 GB of data. Every hour. Admittedly, all of this won’t be valuable to would-be car hackers, but the data includes driver, car, and passenger information.

For comparison and scale purposes, a standard Boeing 787 includes approximately 6.5 million lines of code in its operational programming. A standard connected car in 2019 had around 100 million lines. If you like numbers, that’s more lines of code than the 787 and the Large Hadron Collider at CERN. In one vehicle. Multiply that by 95% of the 332 million vehicles expected in America by 2035, and you can forget. The matrix. America’s highways will be an ocean of code and data, bouncing like a whale’s song from vehicle to vehicle and from vehicle to road infrastructure.

Points to note about this are 1) the size and types of data targets – both lines of code and transmitted data, 2) the relatively unenhanced data security that is currently standard on vehicles (not enhanced to keep costs down, and also potentially to minimize consumer panic), and 3) obscure liability for any code or data hacks.

Currently, the responsibility for ensuring that such hacks fail is shared between individual vehicle component manufacturers, the vehicle manufacturer as a whole, and, increasingly, the seller of the vehicle. Wherever there’s a murky accountability web, relatively weak security, and a vast ocean of potential data targets, you have virtually perfect conditions for hackers to play.

Types of Cyber ​​Attacks

Similar to jamming and spoofing in signal cyberattack, data cyberattack comes in two forms. For convenience, we can consider them as code attacks and data attacks.

Lock the doors

Code attacks are part of spy thrillers or sci-fi plots, with the awkward complication that they are real and possible, here in 2022.

If you imagine driving down a highway when suddenly all the doors lock, the windows roll up, the steering doesn’t respond to your actions, or the car comes to a sudden stop (forcing the driver behind you to run over) – that’s is code attacks. The code (as cumbersome as it is) in a connected car is what links the action of pressing a button or touching a screen to the reaction of one or more systems in the car, changing their state.

The “benefit” of these attacks is that they tend to exploit vulnerabilities specific to vehicle brands and models. Hackers couldn’t use a Chevy hack on a Volkswagen’s code – probably. But hackers love a challenge, it’s what gets them out of bed in the early afternoon, and it’s likely that any particularly popular model that’s released will be hackable by code pretty soon after – otherwise, in some cases before. An added bonus is that as soon as hacks become known, manufacturers can start working on patches that can be downloaded to make the vehicle resistant to the particular hack that was used.

100 million lines of code per vehicle. Countless functions controlled by code. By 2035 there will be plenty of patches – always assuming that code hackers don’t follow the path of supply chain hackers and start hacking patches waiting to be downloaded, so the apparent solution is actually riddled with additional hacks.

It’s a fascinating cybersecurity arms race in terms of the tech industry and the inevitability of connected cars. It’s just not that reassuring when you’re driving your family to Disney World.

The point about code attacks however is that they are more interesting from a technology research point of view than from a hacker’s point of view. Yes, technically, with the right code hacks, you can lock windows and doors, immobilize the steering, hit the gas, and drive a happy family of Disney fans off the road and into a ravine.

But why would you? Where’s the money in it? Ideological terrorism may have a use for this type of code hacking, but frankly, once you’ve flown planes into buildings, going one car at a time is far too laborious to be worth it.

Drive and deliver

The much more likely hacking epidemic that connected cars could bring is quieter data hacking. Consider him the quietest highwayman the world has ever met.

Connected cars use apps to provide their functionality. Apps – as you know if you’ve ever owned a smartphone – store far more data than you ever imagined necessary for them to perform their functions.

But in a world where connected cars and infrastructure are the norm, more and more data will be stored in the vehicle’s internal network and, importantly, more and more separate devices like your smartphone can be connected wirelessly to car systems. Data about your location, bill payer address and card details in terms of entertainment purchases etc. could well be accessed by the data thief in car.

And if you connect your mobile phone, for example, to the car’s speaker system, you have a Wi-Fi extension between the car and all the data you carry around in your back pocket. Contacts, photos, passwords, etc. Most car data exchanges would never involve such details – but for a thirsty data thief, these connections are gold.

Changing the way we see vehicles

The irony of all this, of course, is that most people are at least apparently very data-protective. At home, they will install the most impressive data security they can afford on their computer system. But the nature of the connected car is that it’s very data-rich, mobile, and also – it’s your car. Nobody had to see their car as a data risk before, and the attitude hasn’t changed yet, so there isn’t a huge demand for stronger data security in vehicles yet. The connected car changes the very nature of what a car is is and mitigating data theft from connected cars has yet to mature.

This maturation will come and the tech industry is expected to take full advantage of the developing market for robust connected car data security with end-to-end encryption. Although automakers are taking the issue seriously, such high security is likely to remain a paid add-on for the foreseeable future.

But for the whole world to wake up to the need for mature connected car data security, it will take a good number of car data theft cases on the road to 2035.