The Growing Attack Surface in Connected Cars

As innovation in the auto industry speeds up, new technology is expanding the attack surface, and that is a growing concern. Beyond the connected features in infotainment systems, connected-car trends are shifting into overdrive. What does that mean for attackers?

Unfortunately, it is a question everyone has to ask as cars become less the mechanical machines they once were and more like self-driving computers. A recently released report from Trend Micro estimated that, “by 2030, the number of connected cars will reach 700 million, while the number of autonomous vehicles will reach 90 million.” Each new advance toward that goal introduces a new attack surface.

In May 2020, Automotive Management Online reported that attacks on connected cars had risen a staggering 99%. Where telematics was once the main attack surface of concern in connected cars, a study by Uswitch outlined four main ways an attacker could compromise a connected car, “ranging from weaknesses in apps and theft of personal data to keyless car theft and even taking control of a vehicle remotely.”

As with any critical technology, the supply chain is a top concern. Vehicles are becoming more software-dependent in order to support new consumer-friendly features, which vastly expands both the amount of code they run and the number of suppliers who provide it. The more code there is, the more exploitable security vulnerabilities it is likely to contain. Recent reports by McKinsey & Company and Deloitte show the full scope of these pending changes in the vehicle software/firmware market and the rapid growth predicted for it.

Malware activity detected in a leading automotive software supplier (Source: APEX).

Software bugs can be fixed, and eventually patches will be pushed out via over-the-air updates, but this process is never perfect: not every vehicle on the road supports over-the-air updates, and even where it does, a rollout takes time. In the interim, cars remain vulnerable to active exploitation.

New Rules of the Road

In addition to artificial intelligence, 5G and cloud services, V2X (or vehicle-to-everything) is a key technology for connected cars, yet it is not without its risks.

As with any communications system, V2X is a potential point of attack, particularly because it is designed to interact with a variety of outside sources.

In 2019, ZDNet described V2X as a system with several components that enable communication with other vehicles, infrastructure, networks, and even pedestrians. In theory, cars can talk to other cars in order to avoid collisions. Similarly, they can communicate with infrastructure (think traffic lights or parking spaces) and even, over the cellular network, with the phones pedestrians are carrying.

If an attacker can compromise or spoof one of these trusted devices, they can use it to attack the car’s V2X stack. As a recently published study in Vehicular Communications noted, V2X communications are susceptible to “eavesdropping, spoofing, man-in-the-middle, and sybil attacks.”
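To make the four attack classes above concrete, here is an added example (not code from the original article, and not any vendor’s V2X implementation) of the receive-side checks a vehicle’s V2X stack applies to an incoming basic safety message: a signature check against the sender’s pseudonym certificate (defeats spoofing and man-in-the-middle tampering), a freshness and replay check, and a crude Sybil heuristic. Everything here is constructed: the pseudonym ids, the keys, the message fields and the clock are made up, and an HMAC tag stands in for the ECDSA signature a real IEEE 1609.2 message would carry so that the script runs with the standard library only.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed registry: pseudonym certificate id -> key. In a real V2X stack
# (IEEE 1609.2) each pseudonym carries an ECDSA public key; a shared HMAC key
# stands in here so the example runs with the standard library only.
PSEUDONYM_KEYS = {
    "PSN-1001": b"constructed-key-vehicle-A",
    "PSN-1002": b"constructed-key-vehicle-B",
    "PSN-1003": b"constructed-key-vehicle-C",
}

MAX_AGE_S = 1.0  # a basic safety message older than this is useless and suspicious


def canonical(body):
    """Deterministic byte encoding of the message body for signing/verifying."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body, pseudonym):
    """Sender side: attach a tag computed under the pseudonym's key."""
    tag = hmac.new(PSEUDONYM_KEYS[pseudonym], canonical(body), hashlib.sha256).hexdigest()
    return {"pseudonym": pseudonym, "body": body, "sig": tag}


class BsmReceiver:
    """Receiver side: verify origin, freshness, replay and a Sybil heuristic."""

    def __init__(self, now):
        self.now = now                      # fixed clock so the run is deterministic
        self.seen = set()                   # (pseudonym, ts) pairs already accepted
        self.kinematics = defaultdict(set)  # identical position/speed/heading -> pseudonyms

    def verify(self, msg):
        psn, body, sig = msg["pseudonym"], msg["body"], msg["sig"]
        key = PSEUDONYM_KEYS.get(psn)
        if key is None:
            return "reject:unknown_pseudonym"   # no trusted certificate for the sender
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "reject:bad_signature"       # forged, or altered in transit (MITM)
        if abs(self.now - body["ts"]) > MAX_AGE_S:
            return "reject:stale"               # too old, or claims to be from the future
        if (psn, body["ts"]) in self.seen:
            return "reject:replay"              # the same signed message was seen before
        self.seen.add((psn, body["ts"]))
        # Sybil heuristic (constructed, deliberately simple): several valid pseudonyms
        # reporting exactly the same kinematics at the same instant usually share one radio.
        fp = (body["ts"], body["lat"], body["lon"], body["speed"], body["heading"])
        self.kinematics[fp].add(psn)
        if len(self.kinematics[fp]) > 1:
            return "accept:sybil_suspect"
        return "accept"


def run_demo():
    """Feed a constructed message stream through the receiver and return the verdicts."""
    now = 1700000000.0  # constructed reference clock
    rx = BsmReceiver(now)
    base = {"ts": now - 0.2, "lat": 42.3317, "lon": -83.0459, "speed": 17.5, "heading": 90}
    results = []
    good = sign(base, "PSN-1001")
    results.append(rx.verify(good))                                  # legitimate message
    results.append(rx.verify(good))                                  # replayed copy
    tampered = dict(good, body=dict(base, speed=0.0))                # MITM edits speed, keeps tag
    results.append(rx.verify(tampered))
    results.append(rx.verify(dict(good, pseudonym="PSN-9999")))      # no certificate for sender
    results.append(rx.verify(sign(dict(base, ts=now - 30), "PSN-1002")))  # stale but validly signed
    results.append(rx.verify(sign(base, "PSN-1003")))                # second identity, same kinematics
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Two caveats worth keeping in mind when reading this. First, signatures address spoofing, tampering and replay, but not eavesdropping: safety messages are broadcast in the clear by design, so position and speed are readable by anyone in radio range. Second, a signature check does nothing against a Sybil attacker who legitimately holds several valid pseudonym certificates (the normal privacy design hands every vehicle a pool of them), which is why the receiver also needs plausibility checks like the one sketched here, and why a production heuristic would be far more careful than “identical kinematics” to avoid flagging honest vehicles stopped at the same light.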

Slow Down in Construction Zones

All of these technologies bring new threats, yet the recent Ford-Google deal and Apple’s iCar plans do not suggest that development will slow down so that security can be done right before products reach the market. Security typically lags behind features, but with vehicles there is far more at stake than personally identifiable information.

The increasing convergence between Silicon Valley and Detroit is fast-tracking innovation; however, as vehicles become more technologically complex, they will rely on a wider range of software and firmware provided by third parties. This would be a good place for a civil engineer to put up a “YIELD” sign to slow risk down as new technology enters the roundabout. Clearly, there are potential vulnerabilities in the software and firmware used in today’s cars. The lack of uniformity among these communication systems is one source of them, but the supply chain should be the greater concern.

Ford has recognized the need to “accelerate modernization of product development, manufacturing and supply chain management,” but what does that look like in practice? How can auto manufacturers and their technology partners truly manage threats in their supply chains?

They need visibility into the full downline of their software and firmware vendors, partners and suppliers. Supply chain security is more than a risk assessment or a penetration test. Prevailion’s threat intelligence platform provides visibility not only into your own systems but into those of your fourth-, fifth- or tenth-party networks as well.


Copyright 2021 Prevailion, Inc. All rights reserved.    
