New technologies that are becoming more readily available can be exciting for consumers to finally experience. However, these innovations in the automotive industry come at a cost. As digital technologies have become more universal, the associated risks have also expanded.
Unlike vehicles from the past that required a driver and were powered by gas, new vehicles may be fully autonomous soon and communicate with other vehicles. These powerful technological advances open up a whole new set of vulnerabilities and challenges the automotive industry will have to meet going forward.
Automotive Innovations Driving the Increased Risk of Cyberattacks
Connected vehicles are one of the primary challenges coming out of developments in the automotive industry. Connected vehicles exist in different forms. At their most basic, they either communicate with other vehicles or other devices and systems. These wireless communication processes make the cyber risk associated with these vehicles clear. Cybercriminals and bad actors can use the connectivity of these vehicles to gain access to critical systems in the vehicle, including braking, steering, and the engine.
One problem with connected vehicles is that once they are breached, hackers can move laterally through the vehicle’s systems and then potentially attack other systems that are also connected. For example, many cars and vehicles can connect to smartphones via Vehicle-to-Everything (V2X). By attacking a single vehicle, hackers can gain access to other potential targets like cell phones.
Another concern with connected vehicles is that they often communicate Vehicle-to-Vehicle (V2V), as well. This means that an attacker who gains access to a vehicle can then potentially attack other vehicles too. Lateral movement through a network is of primary concern for cybercrime, and connected vehicles represent a particular risk to this type of attack.
Electric vehicles are quickly becoming a standard feature of today’s automotive industry. Recently, electric car sales have slowed due to soaring energy prices and a lack of affordable cars. Furthermore, although 59% of Americans have a credit score over 700 right now, increasing debt is causing these scores to drop and making it harder to finance new electric vehicles. That said, experts still agree that EV sales will continue to drive the global car market.
Electric vehicles are powered by electronic devices and network systems that ensure these cars operate efficiently. For example, Tesla offers regular software updates to ensure proper vehicle performance. But these systems that give electric vehicles a performance edge are also what make them so vulnerable in the first place. Whether it’s a battery pack, commercial charging station, or remote servers used to communicate with vehicles, all of these systems act as vulnerabilities.
When bad actors target these systems, they can lower the vehicle’s battery life, inhibit charging at a public station, or gain control of the entire vehicle using WiFi. Public charging stations make a particularly vulnerable attack vector because they can be targeted similarly to how hackers target ATMs to steal data. These subsystems must be considered when developing a cybersecurity plan for the automotive industry.
Highly Autonomous Vehicles
Although Tesla does not expect full self-driving cars for consumers to go to market this year, highly autonomous vehicles are still quickly appearing on more and more street corners. Waymo and GM’s Cruise both operate driverless vehicles on public roads, and although limited in their scope, these autonomous vehicles represent a particular challenge for cybersecurity experts. The issue with these technologies is that they rely on artificial intelligence (AI) and machine learning (ML) to function. AI and ML are both particularly vulnerable to evasion attacks and sensory manipulation.
Just like a person, an AI relies on external inputs to understand its environment. When hackers attack an autonomous vehicle, they can hijack its sensors - either making the vehicle stop in its tracks or taking total control. By taking control of these vehicles, bad actors and cybercriminals can do extreme damage. Securing AI technologies and ML is essential to protecting the future of highly autonomous vehicles.
Primary Cyber Threats for Automotive Manufacturers
How are attackers gaining access to these critical systems? To eliminate these cyber threats, it’s key to begin by identifying where these attacks originate from. Automotive manufacturers will have to continue ensuring that the vehicles of tomorrow are safe for everyone to use by minimizing these threats.
A consistent threat to digital systems everywhere is phishing attacks. Unlike brute force hacking, phishing relies on social engineering to trick users into opening emails, links, or other messages that can be used to acquire login information or execute malware.
Phishing attacks are particularly dangerous for the automotive industry because hackers can potentially gain access to an unlimited number of systems if their attack is successful. Even the central server controlling autonomous vehicles could be affected by the right phishing attack. And worse still, due to their nature, phishing attacks can really only be prevented by properly training people to screen for them and not giving up their information freely.
Brute Force Attacks
In contrast to phishing, which rely on tricking people into giving up their information, brute force attacks are where hackers directly penetrate a system and gain access. Brute force attacks are the single most frequently occurring type of attack in the U.S. automotive industry. These attacks target known system vulnerabilities or will use password stuffing to attempt to gain login access. Brute force attacks are becoming increasingly sophisticated thanks to AI, ML, and newer processors and graphics cards that can make attacks at alarming speeds.
Embedded systems and other types of specialized software can be particularly vulnerable to brute force attacks if they do not have a password “cool down” to prevent repeated accesses from occurring. By using these types of attacks, cybercriminals can gain access to any number of automotive systems.
Ransomware is increasingly becoming more common as a way for hackers to bolster their finances. Unlike other attacks, which seek to retrieve data and resell it on the black market, ransomware takes control over systems until a ransom is paid. Today, one of the most dangerous aspects of ransomware has become Ransomware-as-a-Service (RaaS). With RaaS, cybercriminals sell their ransomware services and then take a cut of the ransom once it has been paid.
Ransomware and RaaS can be dangerous for the automotive industry because the vehicle itself may become ransomed. Companies can experience tremendous disruptions when their cloud services are disrupted, but imagine the costs of having an entire fleet of vehicles shut down. Auto manufacturers looking to avoid sales objections should keep cybersecurity at the front of their priorities.
Enhancing Automotive Cybersecurity
The automotive industry is using cybersecurity best practices and developing some practices of its own to meet some of these challenges. Recently, the International Standardization Organization (ISO) and the Society of Automotive Engineers (SAE) published their standard that lays out cybersecurity regulations and requirements for automotive vehicles. Adhering to these standards can help automakers come together and make 21st-century vehicles safer for everyone.
Other technologies, like blockchain, can play a role in security too. For example, blockchain technology can help secure transactions occurring through automotive networks. Other simple well-known technologies, such as strong passwords, encrypting data, and multi-factor authentication, can also make the automotive industry more resilient to cybercrime.
Lastly, the most important thing that anyone, including the automotive industry, can do to prevent cybercrime is to leverage human resources to help train employees on the importance of digital security. Training is key to helping everyone understand the importance of cybersecurity and minimizing cyberattacks.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.