Hidden Security Risks Emerging for Connected Cars and the Automotive Data Ecosystem
Cameras in the cockpits of connected cars are designed to help facilitate car features that enhance drivers’ alertness on the road. While the intent is good, security measures to safeguard the privacy of users’ sensitive footage are largely not established, leaving private data accessible to unintended recipients.
Such imaging applications comprise just one example of the ways that the automotive industry is being redefined by data in both beneficial and nonbeneficial ways through its ongoing digital transformation. A sprawling automotive data ecosystem is taking shape in the age of software-defined vehicles (SDVs). Unfortunately, the automotive cyberthreat landscape is rapidly evolving and expanding, as well.
In the increased integration of connectivity, automation, artificial intelligence (AI) and advanced driver assistance systems (ADAS), vehicles have grown significantly more complex and vulnerable to cyberthreats. Not surprisingly, then, cyberattacks on the automotive industry are on the rise, with exploitation of the global supply chain emerging as an especially prevalent trend to be addressed. Data is becoming a prime target of cyberattacks in the industry, as even exposure of data that is of seemingly limited privacy concern can be problematic because different data points can be correlated to extrapolate sensitive insights into automobile and driver safety.
And, yet, vehicle data remains an overlooked facet of automotive security. It is easy to see the different ways that vehicle data is in danger of being more frequently compromised in the years ahead, especially if the cybercriminal underground engages and the automotive regulatory landscape remains so patchy and fragmented. What are the gaps in connected-car cybersecurity that are showing themselves as emerging risks, and what steps can automakers and their layers of suppliers and partners take today to protect their customers, automobiles, operations and brands?
More Sources of More Valuable Data Than Ever
The automotive data ecosystem is a broad and complex network of diverse data flows. It extends far beyond the sensors and devices across vehicles to interconnect original equipment manufacturers (OEMs), Tier 1 and 2 suppliers, data brokers, data consumers, third-party service providers and developers of emergent applications and products.
In context of this vast ecosystem, it is clear that vehicles have evolved into sophisticated data hubs—vehicles are far more than just generators of data; they also are large-scale consumers and transmitters of it. Categories of information flows across the network of interconnected entities include global positioning system (GPS) location, engine, fuel, battery, driver behavior, diagnostic trouble codes (DTCs) and tire pressure monitoring (TPM).
When the different categories can be combined to discover new insights, data dramatically escalates in value. Combining data fields to extrapolate new data can illuminate interesting factors such as fuel efficiency, vehicle performance, safety, maintenance, driver performance, local weather, environmental impact and road-surface status. The quality and validity of the insights are growing as innovation in and around the automotive industry is boosting the quality, frequency and relevance of the data points that are being integrated.
Even whole other industries can derive value from automotive data and potentially develop new business models. For example, it is foreseeable that the automotive industry could emerge as a rich source of data-driven products and services that are useful in banking and logistics. Vehicle data is accessible via multiple points like application programming interfaces (APIs) and apps, and it can be expected to grow into a major revenue stream for the automotive industry.
At the same time, vehicle data is unlikely to ever be fully anonymized because its value would dramatically decrease. With fully anonymized data, profiling becomes difficult, and, without meaningful profiling (by individual or group), monetization becomes challenging. So, while the advancement of data monetization in the automotive industry can drive significant revenue growth, it also is likely to motivate new levels of cybercriminal activity around non-anonymized data. As a result, it seems that the first truly coordinated, large-scale cyberattacks against connected vehicles will almost certainly target data.
‘An Unprecedented Surge’ in Losses from Cyberattacks
Information from automotive OEMs, suppliers and dealers globally reveals that exploitation of automotive data already is growing into an increasingly urgent problem. Cyberattacks such as ransomware and exposure of leaked data or personally identifiable information (PII) are resulting in increased losses across the global automotive industry.
Issues on chipsets or systems-on-chip (SoCs), as well as in third-party management applications and in-vehicle infotainment (IVI) systems, were revealed in VicOne Automotive Cyberthreat Landscape Report 2023 as top sources of the industry’s vulnerabilities. The most frequent common weakness enumeration (CWE) vulnerabilities were out-of-bounds write (OOBW), out-of-bounds read (OOBR), buffer overflow, use after free and improper input validation, with logistics providers, service providers, producers of components and accessories and other third-party suppliers emerging as a growing focus of attacks.
“In our analysis of the threat landscape, we noticed that the losses from cyberattacks in the first half of the year exceeded US$11 billion, marking an unprecedented surge compared to the last two years,” reads the 2023 VicOne report. “A closer examination reveals that these cyberattacks predominantly targeted automotive suppliers, indicating a rising trend. Alarmingly, over 90% of these attacks were not aimed at OEMs themselves but rather at other entities in the supply chain. Attackers often find it difficult to penetrate well-protected companies, so they target less vigilant firms instead. But OEMs are affected all the same, because of the supply chain disruptions. Consequently, defending systems against cyberattacks is no longer just about securing an individual firm; it is about strengthening the entire supply chain.”
APIs Expanding the Automotive Attack Surface
Security incidents related to applications and APIs are on a specifically precipitous rise. From the second half of 2022 to the first half of 2023, they accounted for 12 percent of automotive cyberattacks and security incidents.
APIs have grown both indispensable and ubiquitous in today’s automotive data ecosystem. They are widely deployed to connect a vehicle’s various internal systems, such as for remote vehicle activation and third-party services for emergency assistance and energy management. To facilitate rapid SDV updates, service clouds among OEMs and their suppliers also rely heavily on APIs. They are pervasive; cloud-based APIs, cloud-to-vehicle APIs, mobile-to-vehicle APIs, mobile-to-cloud-to-vehicle APIs and in-vehicle APIs all play pivotal roles in today’s automotive industry, delivering seamless connectivity and efficient operations.
It is no surprise, then, that cyberattacks on APIs, in turn, also have grown increasingly complex and persistent, evolving from threats against individual components to comprehensive schemes targeting the entire automotive ecosystem. Account credentials can be obtained through phishing or other means and then compromised and exploited to execute remote attacks on vehicles anywhere around the world, for example. Unfortunately, despite their high financial value and their associated privacy risks, such account credentials are normally managed as general assets. This can potentially leave whole vehicle fleets exposed to threats, without measures ever having been put into place to appropriately safeguard them.
Ongoing Innovation Introduces New Security Risks
Vehicles, of course, will be growing only more connected and reliant on APIs and diverse sources of data and software in the years ahead, and this trend figures to boost their susceptibility to cyberthreats and data breaches along the way with ongoing technological innovation:
- ADAS for enhancing vehicle safety through automated braking, lane-keeping assistance, adaptive cruise control and other features stand to be prime targets for cyberattacks because of their heavy reliance on software and sensors that could potentially be compromised.
- Self-driving vehicles portend a safer, more efficient future for transportation, but the complexity of autonomous driving systems (ADS) render them vulnerable to software glitches and hacking.
- Smart cockpits powered by AI promise to personalize the driving experience by controlling vehicle settings based on driver behavior and preferences. But the most powerful capabilities—driven by generative AI, large language models (LLMs) and other leading-edge methods for machine learning—introduce significant strategic, operational and financial security risks for the automotive industry. AI risk, in fact, is quickly emerging as a fundamentally new threat vector in the automotive space.
- More frequent updates of software over-the-air (SOTA) technology delivered through SDV APIs expand the potential attack surface for automobiles. Whereas OTA updates previously occurred quarterly, their frequency is expected to increase from four to potentially 12 to 14 times annually. Breaching OTA servers and injecting malicious software could enable attacks to masquerade malicious software as legitimate SOTA update requests and be distributed to vehicles via unauthorized APIs. In this light, the attackers’ chances of success grow right along with increases to the frequency of SOTA updates to SDVs.
- Enhanced navigation, performance upgrades and other features can be offered on a subscription basis in the industry’s SDV era. Such a business model is dependent on continuous data exchange between an OEM and its vehicles, intensifying the need for secure data transmission protocols and more transparent data collection.
- Similarly, the business model for usage-based insurance (UBI) relies on frequent monitoring through vehicle software for tailoring insurance rates based on driving behavior. Again, this casts a bright light on concerns about data privacy and security, if unauthorized access and misuse of sensitive data are to be averted.
A Cybercriminal Underground Lies Mostly Dormant—For Now
A look at underground cybercriminal activity offers glimpses into the threats that the global automotive industry might soon be confronting.
So far, the closest things to cyberattacks involving connected vehicles that are being discussed in underground forums appear to be versions of car modification, or “car modding,” in which vehicle features are unlocked and/or mileage is manipulated. But cybercriminals likely have not yet recognized an observable market demand for more complex and damaging attacks, so this period of mostly dormancy in the underground almost certainly will not last. It is just too easy to imagine some of the various ways that vehicle data could be exploited in the years ahead:
- Vehicle tracking—Real-time location data could be used to track andtarget vehicles. By deciphering vehicles’ regular routes, cybercriminals could effectively turn them (and the vehicles’ unknowing operators) into “Trojan horses” for carrying and distributing contraband. Or particular individuals and their assets could be targeted for criminal activity.
- Data tampering—Fake safety alerts could be created or performance data could be altered in order to seize control of a vehicle to potentially falsify diagnosis of mechanical issues or reset driver settings to make operation of the vehicle more dangerous.
- Ransoming of data—Locking or encrypting vehicle data that is stored in the cloud by OEMs, their suppliers, data brokers, etc. could enable cybercriminals to demand ransoms for its recovery.
- Social engineering—Individuals could be conned into disclosing confidential information about their vehicles or themselves in social engineering attacks enabled by stolen data.
- Infrastructure disruption—Cyberattacks could be devised to disrupt essential services by targeting ambulances, commercial vehicles or other critical infrastructure vehicles.
- Espionage—A company’s operations, strategies and competitive advantage could be revealed in part by analysis of automobile data in an industrial or commercial espionage attack.
- Insurance fraud—Insurance rates could be manipulated by altering data on driver habits such as acceleration, braking and speed.
Gaps in the Cybersecurity Regulatory Framework, Too
The true depth, complexity and value of the automotive data ecosystem apparently also is not yet well understood by the world’s regulatory community, though there have been some key advances in specifications and standards for automotive cybersecurity in recent years.
United Nations Regulation No. 155 (UN R155) became mandatory for automotive manufacturers in 2022, rendering increasingly urgent the adoption of various standards from the International Organization for Standardization (or “ISO”) and other agencies. ISO 26262, ISO/SAE 21434, Trusted Information Security Assessment Exchange (TISAX), and Automotive Software Process Improvement and Capability Determination (ASPICE) merit particular attention from OEMs and their suppliers.
ISO 26262 and ISO/SAE 21434 are especially challenging to address. Functional safety is the primary focus in ISO 26262, and this is an area that OEMs typically must prioritize in order to achieve various market certifications. ISO/SAE 21434, on the other hand, focuses on information security, which is a critical aspect that OEMs too often overlook.
The vehicle regulations have in 2024 become mandatory for newly manufactured vehicles, per UN R155. But the truth is that the robust and comprehensive regulatory framework that will be required for proper handling of all of the data flows inside and outside of today’s and tomorrow’s vehicles has not yet taken shape. Key regulatory gaps for vehicle data collection and usage must be addressed for the sake of clarity and stability in the automotive data ecosystem.
It’s Time to Get Serious About Cybersecurity
The global industry has a heritage of prioritizing vehicle and driver safety, but, historically, data security measures often have been implemented only as mandated by regulatory requirements. New thinking is required. The lack of comprehensive data security measures has turned into an emerging vehicle- and human-safety issue in our connected-car reality. Stakeholders across the growing data ecosystem are being left highly vulnerable to cyber threats, and all players must go beyond mere regulatory compliance to recognize and respect the importance of the emerging hidden cybersecurity risks and act prudently.
The shift toward a data-centric ecosystem brings tremendous opportunity to the global automotive industry, but it also is introducing a unique set of new challenges and responsibilities that are better addressed proactively than reactively. The need for secure data transmission and stringent measures to safeguard data is glaring. There is no other way forward for the automotive industry than committing more resources and sustained attention to continually building up the processes, technology, organization and talent necessary to implement cybersecurity effectively. Now is the time.
Author: Max Cheng, Chief Executive Officer, VicOne. Max Cheng is a renowned cybersecurity expert with more than 20 years of experience.