For intelligent technological ecosystems—today’s automotive solutions—security means also safety. And while reliable cellular connectivity makes connected cars function and provides increased capabilities, strong cybersecurity architecture makes them safe. What could happen on the road if a hacker could access a car over the Internet to hijack its brakes and transmission?
So, automakers need to focus on these emerging safety vulnerabilities and ensure that their products meet the highest automotive IoT security standards.
Real-World Cybersecurity Issues in Connected Cars
With automotive IoT technologies like radar, vision, V2X, and LiDar enabled by hundreds of sensors, today’s connected cars produce up to 25GB of data every hour, including information about the driver, the vehicle, and the passengers. Although all generated data is pre-processed in the vehicle, data exchange between cars and infrastructure happens via the cloud and can be compromised by hackers.
What Entices Cybercriminals to Hack Connected Cars?
Traditionally, experts classify three significant categories of valuable goods and services that cybercriminals can potentially monetize:
- Data collected, generated, stored, and shared by the cars (including user personally-identifiable information (PII) and non-PII user data)
- Physical access to the cars (the car itself, goods inside it, and driving services)
- Stored energy, network, and processor resources of the cars (battery energy, free internet, network data usage, access to cloud services, V2G networks, access to V2V networks, processor time, and others)
What are Key Threat Areas in a Connected Car?
Earlier, hacks of connected vehicles were regarded as a theoretical danger as most cars relied on custom OEM-produced hardware and software to provide connectivity. Now, many modern manufacturers contract out hardware and software solutions rather than develop them in-house. These systems have become a major target for attack.
It is important to understand the various vulnerable areas a connected car has to be able to take robust security measures.
What types of cyberattacks are already challenging a connected car ecosystem?
Here is a snapshot of real-world examples:
- Denial of Service (DoS) attacks happen when hackers defraud a vehicle’s software, making it unavailable for users.
- Man in the middle (MitM) attacks occur when an entity intercepts all network communications between the cloud and the car. This attack can modify, drop, delay the transfer of, or steal data, causing critical malfunction in the vehicle.
- Hijacking of services occurs when some of the services used by the cloud-based electrical/electronic (E/E) architecture are hijacked by an entity, modifying data.
- Latency issues caused by an attack may result in the car constantly switching between cloud and local processors, which may introduce errors in operations.
- Theft of personal data when hackers steal personally identifiable information (PII) from the vehicle’s systems, such as personal trip and location data, entertainment preferences, and financial information.
- Incorrect data and manipulation of safety-critical systems happens when a car receives incorrect critical real-time data. This can be caused by improper data processing in the cloud-based server or by a MitM attack. This type of attack could stall the car or lead to an accident and potential fatalities.
- Misconfiguration issues could lead to malware infection, data theft, loss of control, hijacking, and others.
Crucial Points for Connected Car Security
So how can the industry fight back, secure their automotive IoT solutions and protect customers? Car manufacturers should find the optimal cybersecurity strategy by considering five main steps:
- Establishing security-by-design approach to build in security from the start rather than patching holes as they arise
- Assessing possible cyberthreats and drafting a risk profile, considering vulnerable areas and components from a customer, company, and regulator perspective
- Making a strategic cybersecurity implementation plan of action and roadmap
- Planning and implementing an end-to-end security approach to prevent third parties from accessing data while it is transferred to the cloud and back
- Identifying the technologies and solution set in order to avoid or quickly respond to attacks
Defensive Technologies to Ensure Connected Car Security
Сar companies should select and implement an adequate set of cybersecurity solutions for both software and hardware of their vehicles. Doing so will help minimize waste in terms of investment, and preserve the security of their products. Let’s zoom in on the vital defensive technologies and software solutions for the automotive industry:
- Vulnerability scanner. These scanners are automated tools that scan endpoints, servers, networks, and applications for security vulnerabilities that attackers can exploit.
- Extended detection and response (EDR). The technique collects and correlates deep activity data across multiple points in the data supply chain—vehicle, network, and backend servers enabling a reliable level of detection and investigation.
- Firewall. These network security systems control incoming and outgoing traffic based on an applied rule set and monitor ingress/egress traffic from unknown and harmful domains. Additionally, they identify applications or endpoints that generate or request bad traffic.
- Application security. Working at the application level, this kind of security prevents data or code within the app from getting stolen or hijacked. Application security suites secure against code vulnerabilities, data exfiltration on the server, and other common vulnerability attacks at the application level.
- Third-party app review. To prevent third-party apps from introducing new attack surfaces in the car, car companies should strictly control the app ecosystem. This means they should review and test the apps to verify that they are reliable, safe, and not malicious.
Standards and Regulations to Adapt
Now, automotive players should adopt uniform cybersecurity standards to protect the connected cars they design and manufacture. These include the United Nations Economic Commission for Europe (UNECE) WP.29 cybersecurity standards, International Standardization Organization ISO 24089—Software Update Engineering standards, or the upcoming ISO 21434 Road Vehicles—Cybersecurity Engineering standards.
In the United States, there is no active legislation or regulations for the security of connected cars. The only regulations on the horizon are in Massachusetts, where a bill has been referred to the State Senate Committee on Ways and Means (as of July 2021). Named the Act relative to the cybersecurity of the internet connected devices and autonomous vehicles, Bill S.2056, it introduces some IoT definitions including connected cars, IoT devices, and personal data protection. The act is supposed to regulate the protection of personal data generated by connected cars in the same way as other IoT data is protected.
The above standards are key because advanced technologies and the increased connectivity of vehicles significantly increase the risk of cyberattacks. Additionally, in a vehicle, the risk of physical injury is added to the risk data loss. Successful cyberattacks could lead to financial and reputational damage as well as significant regulatory fines for manufacturers.
Ultimately, cybersecurity standards and regulations such as WP.29 and ISO/SAE 21434 can benefit automotive industry stakeholders. By embedding a strong culture of cybersecurity, cyber risk quantification, risk management, governance, and technological controls and processes, these standards can help keep vehicles, drivers, and pedestrians safe.
Case Closed
Connected cars are designed to integrate seamlessly into the rest of digital infrastructure. But too often, it is precisely this integration that can be a source of vulnerability. That is why connected car security involves far more than just advanced anti-theft devices. It requires businesses to look at the entire ecosystem in which the vehicle functions and communicates, and which ensures that shared data is protected.
