Automotive cybersecurity emerges to be a key concern as cars become ‘computers on wheels’
In India, 4,118 vehicles were stolen last year with cheap electronic devices that enabled thieves to bypass the engine control module, unlock the vehicle, start the engine, and access the vehicle’s computer. Hackers found 19 vulnerabilities in a Mercedes-Benz E-Class car allowing them to control the vehicle remotely, including opening its door and starting the engine. A hacker was able to gain control over Tesla’s entire connected vehicle fleet by exploiting a vulnerability in the OEM’s server-side mechanism. In April last year, two researchers hacked into a Ford Focus using an OBD-II connector and laptop, allowing them to control the brakes, change the car’s speed, access the infotainment system, and more.
As cars become ‘computers on wheels’, and with an increasing number of autonomous vehicles around the corner, the number of electronic components in vehicles is going up. By 2025, connected vehicles will comprise nearly 86% of the global automotive market. Analysts forecast that by 2023, worldwide sales of connected cars will exceed 76 million units, meaning that nearly 70% of worldwide new light-duty vehicles and trucks will be shipped with embedded connectivity, bringing new services and business models to bear in automotive markets. Autonomous vehicles (AVs) aren’t part of a distant future – they’re already here and the market is growing quickly; the global AV market is expected to reach $556 billion by 2026.
Communication between car components, other vehicles, and traffic management infrastructure will continue to increase, along with the quantity of data exchanged between the users of the vehicle and the outside world. The flipside of all this connectivity is the rising vulnerability of connected vehicles to cyber-attacks.
With autonomous vehicles and connected cars around the corner and transportation being transformed, one of the biggest challenges that the automotive industry will face is vehicle cyber-attacks. The various electrical components in a vehicle are connected by means of an internal network, and if hackers gain access to a peripheral electronic control unit, they could take complete control of safety-critical components such as engines or brakes.
Further, there could also be issues concerning the security of the intelligent security systems that communicate with automobiles. Thus, with the growing popularity of connected vehicles, automakers are working in collaboration with internet service providers and software companies to offer cyber-security systems to users.
An alarmed US FBI said, “the automotive industry likely will face a wide range of cyber threats and malicious activity in the near future as the vast amount of data collected by Internet-connected vehicles and autonomous vehicles become a highly valued target for nation-states and financially-motivated actors.”
The FBI issued multiple warnings regarding the rise in cyber-attacks, stating that their Cyber Division received as many as 4,000 complaints a day. Interpol also reported an “alarming rate of cyber-attacks” targeting all types of businesses. This included ransomware attacks such as the attack on a trucking company in Massachusetts, USA in April last year, where hackers used the malware Maze to lock the carrier’s system for over a week and made more than 781 megabytes of the company’s data public online. A few months later, in August 2020, a Volkswagen dealership in Germany was the victim of a ransomware attack resulting in a major data leak that included invoices.
Most automotive cyber-attacks can be divided into two main categories: remote and physical attacks. Physical attacks require the hacker to physically connect to the vehicle in order to hack it, while remote attacks can be short-range, from a few steps away from the vehicle, or long-range, from anywhere in the world. Remote attacks have consistently outnumbered physical attacks since 2010, accounting for 79.6% of all attacks between 2010 and 2020. These attacks usually rely on network connectivity (such as radio transmissions, Wi-Fi, Bluetooth, 3/4/5G networks, and more), and include wide-scale attacks that could potentially threaten multiple vehicles on the road simultaneously.
Automotive cybersecurity has been recognized as vital by players within the automotive ecosystem, such as OEMs, as well as by outside regulatory bodies. As such, it is no surprise that massive growth is predicted in the automotive cybersecurity market, with McKinsey predicting a rise from $4.9 billion in 2020 to $9.7 billion by 2030. This is also opening up interesting career opportunities for cyber-security professionals as automotive cyber-security becomes a niche skill.
Opportunities have also opened up for cyber-security professionals to play the role of white-hat hackers, who are engaged by automotive companies to discover new vulnerabilities, either independently or as part of a bug bounty, where they are able to participate in responsible disclosure of vulnerabilities in vehicles and connected services.
Over the years, the list of players running bug bounty programs has increased. In 2020, OEMs such as Tesla, GM, Ford, FCA, Daimler, and more all hosted bug bounty programs on platforms like Bugcrowd, HackerOne, or their own websites. Tier-1 suppliers, dealerships, delivery fleets, fleet management companies, smart-mobility services, ride-hailing, and car-sharing services also host bug bounty programs. Since it began, Uber’s bug-bounty program has had more than 1,500 reported software vulnerabilities, with a 13% growth between 2019 and 2020.
Pay-outs reached a new record in January 2020 when Tesla offered $1 million and a car as a bug bounty reward. In 2020, 54.6% of incidents were attacks by black-hat hackers. While white-hat hackers may not have malicious intent, the vulnerabilities they discover are no less disturbing. In April 2020, two researchers hacked into a Ford Focus using an OBD-II connector and laptop, allowing them to control the brakes, change the car’s speed, access the infotainment system, and more.