Driving towards disaster? The road ahead for automotive cyber security

Today’s vehicles have in-car technology at their core, some containing as many as over 200 mini computers or electronic control units (ECUs). Cars also feature a plethora of standard technology including cellular capabilities, Wi-Fi, Bluetooth, radio frequency and GPS to name a few. Screens show vehicle information, routes and navigation or music and entertainment. Modern cars are also highly connected to the environment around them and can connect to numerous devices such as mobile phones. The connectivity between cars and the infrastructure around them is only set to deepen.  Currently cars connect to charging points but in future vehicles will connect to each other and to transport infrastructure as well, such as traffic lights and pedestrian crossings.

In the last few years autonomous vehicles have started to appear on our roads and companies such as Telsa and Polestar continue to disrupt the traditional automotive landscape. These cars and services include phenomenal amounts of technology or are supported by a vast technical infrastructure such as the Uber app, which utilises both driver and passenger data. These services are processing incredible amounts of data such as personal addresses, journey details and financial information, with data ripe for advertising segmentation (where have you been?) and insurance (how do you drive?).

So what cyber-attacks could we see in the automotive sector?

• Theft of data from vehicles: this will likely be personal information such as credentials, contacts, location data and other personal information that can be found on connected personal devices or information harvested when passengers use Wi-Fi hotspots.
• Theft of data from manufacturers: cyber criminals and nation states could look to gain financial value or IP from R&D, either to be sold on or used to improve national design capabilities. Other data at risk includes personal information such as client credentials and billing information (from subscription services for infotainment systems) or financial information from sales.
• Infrastructure attacks: an attack which disabled charging stations for example, could have a major impact on brand reputation as well as future sales of electronic vehicles. There is a potential for charging stations to be used to upload malicious code into a vehicle for activation later on. New vehicles sold in the EU after April 2018 have eCall - hackers could take down infrastructure that supports e-Call or concierge services. This is particularly serious for autonomous vehicles that rely on connections back to the cloud to operate correctly.
• Vehicle attacks: such as a Denial of Service attack (DoS) whereby a network is flooded with data causing the systems to crash. These kind of attacks would have a major impact, potentially stopping connected vehicles mid journey, putting other road users and riders at risk of injury. DoS attacks could also be used to disrupt access to vehicles in instances where an owner uses their phone as their ‘key’ or where connections to the cloud are required for vehicles to run.
• Ransomware: the issue of ransomware is not a new concept in cyber security and the impact on an original equipment manufacturer (OEM) and its manufacturing process would be devastating - from stopping production on its manufacturing line to loss of IP, reputational damage and loss of access to critical systems. Furthermore, what would a ransomware attack on a connected vehicle look like? It could stop consumers having access to their cars or it could disable them mid journey causing havoc on streets and motorways.

At the moment we are thankfully only seeing ‘proof of concept’ attacks where vehicles are having functions controlled remotely. Examples of these include breaks being applied remotely, a connected app being used to control heating and climate control functions remotely or the infamous hack where a 4x4 was driven off the road, with the driver still inside! Luckily, these attacks have always been carried out by the good guys, the white hats and ethical hackers. But how long will it be until these attacks are used maliciously, and more worryingly - would we even know? If a police officer turns up at a crash, his first thought is unlikely to be a cyber-attack. However, in the future it might just be possible.

The impact of cyber-attacks on a vehicle is not to be underestimated, not only do they cause damage to both the consumer and the manufacturer, but they have the potential to cause citywide disruption; blocking roads, causing delays and thereby affecting other essential  services.  

Privacy in vehicles – issues for owners and manufacturers

Society is becoming more aware of instances in which they are sharing their personal data. We see cookie alerts when we browse and understand the dangers of over-sharing personal information on social media.  We know that modern vehicles store a variety of information - but who is responsible for the safeguarding of that data?

We have seen news reports citing instances of user data recovered from scrapped car units, and the police commonly recover data from vehicles in a crime scene. What other scenarios might put owners at risk?

• If there is an app associated with a vehicle, does signing out remove that user’s information from the vehicle as well?
• If a consumer is purchasing a second-hand car, can the original owner track or control that vehicle in any way? And if the previous owner didn’t sign out when the new owner purchased the vehicle, who can sign them out?
• If you hire a vehicle what happens when the car is given back at the end of the hire period? Who is responsible for deleting the last driver’s mobile devices from the paired devices list or performing a factory reset of the infotainment unit to remove any entered addresses?

Do OEMs want the publicity when the data of a celebrity, CEO or politician ends up online or in the hands of someone without the best of intentions?

While we are not accustomed to asking such questions across this range of situations, perhaps it could be said that at least some responsibility for personal data lies with the end user. However, manufacturers too have a duty of care to make car owners aware of the risks to their data and to ensure that when data appears removed from a vehicle’s systems, or a factory reset is undertaken, that the data is fully overwritten and inaccessible. Vehicle cyber security isn’t just about protecting the vehicle and its functions but also protecting the data stored within that vehicle.

What can the automotive industry do?

Cyber security considerations should be ingrained throughout the sector. The same principles of cyber protection that are essential to critical infrastructure and corporate cyber security should also be applied to vehicles and their infrastructure. Cyber security should be one of the key foundations of the design of a vehicle, in the same way as we treat car safety. OEM’s should have their vehicles independently tested for cyber security weaknesses, including a Penetration Test against the whole vehicle and its supporting infrastructure, from initial manufacture, through to the servicing levels and dealerships, the vehicle and if electric, any necessary charging stations.

How can vehicle security be improved?

• Encrypt data to support authentication and confidentiality: this includes any communication (and back up channels) to and from the vehicle but also any parts of the vehicle which store user data such as the infotainment system.
• Change default passwords/wireless identifiers: all systems should have unique passwords when they roll off the assembly line, and passwords should not be hard coded into ECU’s. Passwords should not be sequential or related to any identifiers on the vehicle.
• Vehicles should have a secure delete so when they are sold on or after they have been hired, user data can be securely deleted from the infotainment system.
• A vehicle’s systems should be isolated from outside connections unless essential.
• There should be a robust and secure method for remote deployment of vehicle updates.

Cyber security in cars is now a critical consideration as the level of technicality within vehicles continues to rise. Vehicles are thoroughly integrated into the world around them and they can no longer be viewed in isolation. The whole threat model from supply to manufacture through to support needs to be assessed for vulnerabilities, with cyber security checks, penetration tests and red team engagements; all before a car leaves the sales court.  

In a world where all electronic devices can be hacked and huge amounts of personal data is potentially at risk, it seems vehicles are still the new frontier for cyber security.

Author: Carmine Del Guercio – Cyber Security Team