Where the theft of a car once required access to an individual vehicle, cyber criminals can now take control remotely from anywhere on the globe. What was once an exciting scene in a Hollywood film is now very close to reality.
According to an FBI bulletin, vehicle hacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.” The bulletin goes on to warn, “the automotive industry likely will face a wide range of cyber threats and malicious activity in the near future as the vast amount of data collected by Internet-connected vehicles and autonomous vehicles become a highly valued target for nation-state and financially motivated actors.”
Hackers and cyberthieves are constantly devising new techniques to steal personal and financial data, install ransomware and even take control of vehicles on the road. Any system in a vehicle connecting to the Internet, fleet management software, or an EV charging network is a potential entry point.
Upon gaining that foothold, a malicious exploit will look for ways to locate and attack its target. The exploit will attempt to move laterally in one of three ways: by altering the code or memory of an ECU, by corrupting the operation of an ECU via illegitimate messages over one of the buses, or by finding a store of valuable data and uploading it to a command and control center via the vehicle’s internet or mobile connection.
Because Tesla is the flagship for connected vehicles, the most publicized vehicle hacking has targeted it, starting with the first remote hack in 2016, in which the Chinese Keen Security Lab compromised the CAN bus. This was followed by the widely publicized hack at Pwn2Own 2019 by Amat Cama and Richard Zhu through the Tesla 3’s infotainment system and then, in 2020, by the Bluetooth key fob hack on the Model X by Lennert Wouters, a security researcher at Belgian university KU Leuven.
Although they are often targeted, Teslas are not the only vehicles facing constant hacking attacks. In fact, all the top 2020 cars have Internet connections to safety-critical systems, creating vulnerabilities to fleet-wide hacks. The number of reported successful vehicle hacks almost doubles every year, and the vast majority of these hacks occur remotely. It is chilling to consider the potential personal and national consequences of losing control of cars, buses and trucks on city roads and highways.
Connected vehicles may be subject to all the types of cyber attack that IT networks and endpoints suffer, now and going forward. Since connected vehicles store valuable driver and consumer data, we can expect these nuggets of personally identifying information to be prized targets.
To guard against such attacks, security teams must deploy Intrusion Prevention and Detection Systems and Vehicle Security Operation Centers (VSOCs) staffed 24/7 with security analysts from Tier 1 to Tier 4 for vehicle hacking protection. VSOCs keep vehicles and their operational databases secure just as SOCs keep organizational networks secure. VSOCs collect and monitor data from vehicle fleets, raising alarms when a threat is detected and forecasting the probability of failure for each vehicle component.
The industry will cooperate on timely threat intelligence to keep all OEMs and suppliers up to date concerning threats, their identification and appropriate response. We can expect a concentration of organized syndicates to target vehicles specifically because the cyber-stakes are so high.
The attack vector of choice will have vehicle ransomware as its ultimate goal: the ability to force drivers, owners, fleet operators, manufacturers and others to pay a ransom to continue to use their automobiles. Over 50% of enterprises were hit by IT-related ransomware last year, costing businesses 20 billion dollars.
We can expect such numbers to carry over to the 380 million connected vehicles on the road today. While the current rate of ransomware payout in the IT world is $500 per endpoint per incident, the figures will be much higher for cars and still higher for trucks. Large fleets will be hit up for millions of dollars (preferably paid in cryptocurrency) to get their cars and trucks back into operation. Elon Musk, founder and CEO of Tesla, has stated, “I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack.” It is not just the newer connected systems that are vulnerable to interference, either: even standard, long-serving components can be a target for attack, as proven by CAN bus hacking demonstrations.
Because the stakes are so high, ransomware attacks on cars and other vehicles attract the elite among hackers. In fact, we will see nation-state actors get involved in this “lucrative” practice, making the job of defense tougher than ever and enforcement of international laws and regulations extremely difficult. Nobody blames Dell or Asus for a ransomware attack that strikes their laptops in a given enterprise. However, in the case of vehicles, the damage to the reputation of a car manufacturer could be astronomical as consumers shun its products for more cyber-secure models. Therefore, we must be wary of players at all levels in the automotive supply chain trying to gain a competitive advantage by delivering a payload of ransomware or another type of attack against a rival’s products.
Cybersecurity regulations are in development today as the International Standards Organisation (ISO) and the Society of Automotive Engineers (SAE) are creating ISO/SAE 21434, the worldwide standard for automotive cybersecurity. At the same time, the United Nations Economic Commission for Europe’s (UNECE) Sustainable Transport Division’s World Forum for Harmonization of Vehicle Regulations (WP.29) has developed a regulatory framework to make vehicle technological innovations safer and more environmentally friendly.
However, even with added focus from legislative bodies, there is no way that they will be able to catch up to black hat hackers, who act independently with no oversight or legislative processes. The solution must come from secure-by-design architecture that can defend against vehicle hacking attacks.
Security affects safety. If a vehicle is not secure, then it is a safety hazard for its passengers and everyone in its environment. But it doesn’t end there. We need to keep in mind that virtually all vehicles today are connected and commercial fleets are essential for driving the global economy. Automotive cybersecurity will likely become a matter of national security. Just as seatbelts, rear-view mirrors and baby car seats were once optional, cybersecure protection from vehicle hacking will become essential national legislation.
To design a secure computer system, two core methodologies must be employed from the initial design stage:
While there are no set rules for every component in the vehicle, one goal must guide all systems and configurations: a breach cannot endanger the safety of a vehicle’s passengers or those in its vicinity.
To combat this treacherous, insidious threat, GuardKnox’s Communication Lockdown™ technology delivers a threat-agnostic, deterministic solution that does not rely on heuristics and machine learning, but thwarts safety-related attacks in real time.
The hacking of vehicles began in 2002 with fuel injectors as the target. By 2005, wireless communication hacks were used to intercept in-car signals. 2010 saw the first “bricking” of cars (making them undrivable). The big “breakthrough” that set the industry on edge came in 2015 with the first remote commandeering of a moving vehicle.
Today, over 80% of hacks are remote and most commonly fall into one of these categories:
Ingenious methods to hack into connected cars are being devised every day and the Cybertech Tier is here to provide the necessary automotive cybersecurity with secure-by-design architecture.
Here is a review of some of the most notable vehicle hacks through the years: