Any system that connects to a network or the internet becomes susceptible to numerous security threats. With the automotive sector joining other industries that rely on digital technologies, connected cars have been exposed to various risks and attacks. Essentially, connected vehicles are machines on a network whose interfaces generate data that may interest attackers. Due to this, cybersecurity incidents affecting automotive have increased tremendously. Since 2016, adversarial security incidents in the sector have increased by 605%. The sharp rise in security-related incidents is worrying, given that the connected automotive industry is barely developed.
In 2018, black hat attacks overtook research-based attacks (white hacks) for the first time. Security researchers use white hat hacks to identify and mitigate cybersecurity vulnerabilities and are, therefore, necessary to enhance automotive security posture. However, malicious attackers have become more conversant with digital components used to make connected cars causing black hat attacks to increase. One of the contributing factors is the ready availability of cheap hacking tools. For instance, thieves bought a $5 device through the internet, used an electromagnetic pulse to unlock a vehicle, and made away with insurance papers.
Additionally, a former Volkswagen owner found that she could still access the digital components of her car several months after she sold it. Specifically, after selling the vehicle, she continued to receive monthly reports regarding the vehicle's health. Upon logging into Volkswagen's online portal, the former car owner discovered she had full access and could access most of its systems, including its real-time location, lights, locks, and updated mileage. In her own words, she stated that "there was nothing in place to stop me from accessing the full UI," which shows how vulnerable connected automobiles are.
In addition to the above statistics, there have been multiple cases of malicious actors using sophisticated techniques to hack vehicles for various reasons. Here are some of the recent security incidents involving motor vehicles.
Sever attacks account for 21.4% of all attacks targeting connected automotive. In reference to connected cars, the term server implies several scenarios, among them being smart mobility apps or services, breached OEM (Original Equipment Manufacturer) websites, databases used to store driver, customer and code data, and Telematics command and control servers. Additionally, attackers can execute these attacks remotely, meaning they don't require close proximity to the target vehicle.
Server-based attacks are dangerous since they may go on undetected for long periods. For instance, in 2017, security researchers discovered an unprotected Amazon S3 server. After the discovery, the SVR vehicle tracking service reported that at least half a million files could have been accessed publicly for an unknown period. The compromised data included GPS device IMEI numbers, user car information, passwords, and email addresses.
Moreover, hackers often execute server-based attacks by exploiting misconfigurations and vulnerabilities in TSPs (Telematics Service Providers). Such attacks could enable attackers to target a fleet of vehicles. One example of such an attack involved TSP CalAmp GPS tracking devices, enabling cyber adversaries to exploit the Viper SmartStart car tracking app. The CalAmp modem, installed in the target car, and the app, connected to the CalAmp telematics server. Once attackers gained unauthorized access to CalAmp's production databases and the server, they could access controls permitting them to control the hacked car, steal sensitive data, and locate a vehicle remotely.
Historically, car owners could ensure the security of their vehicles by simply ensuring no one else accessed their car keys. However, as modern vehicles emerged, keyless entry quickly became popular. On the other hand, they are the perfect targets for cyber car thieves as remote keyless entry hacks account for 18.8% of all vehicle attacks. The attacks are hugely popular since an individual can steal a high-end vehicle without requiring a key for the doors or ignition and without damaging it.
There are four trends involved with this type of automotive security threat. One technique is where attackers used a key programming device to destabilize the diagnostics connector, enabling them to access and steal expensive vehicles. The method is particularly common in European countries since privacy regulations require that data accessed through the OBD (on-board diagnostics) connector should not be encrypted.
Other trends include keyless jamming, where attackers use the method to block the signal for locking a car's doors so they can access and steal the vehicle afterward. Also, spoofing techniques enable hackers to steal an automotive cryptographic key. Lastly, relay hack is a common technique for attacking keyless entry cars. For the method to work, hackers use a relay box to detect and pick a key fob's signal from the owner and then transmit and use it to access and steal a car.
Consumer privacy is a primary concern as far as connected vehicles are concerned. Connected vehicles generate vast amounts of data, such as speed and geographic location, which can be intercepted via in-vehicle networks. The more the automotive industry embraces connected cars, the more the data generated, and the more it will attract cybercriminals.
Although selling vehicle-related information is not as common and in demand as healthcare or financial information, the commercial possibilities will see the area explode in the near future once fully autonomous vehicles become a reality.
Car companies and cybercriminals would be interested in the data since the former would require it for advertising and insurance, whereas the latter would sell it to the highest bidders. Either way, compromised user privacy would pose significant problems for the consumer because of identity theft, blackmail, and extortion.