2018: A Pivotal Year for Black Hat Cyber Attacks on Connected Cars

2018 will be remembered as the pivotal year for cybersecurity in the global automotive industry. This is the implication of a research report issued by Upstream Security (@UpstreamAuto) that has systematically analyzed 170 publicly reported automotive hacks occurring between 2010 and 2018.

The number of connected cars manufactured each year is increasing, as is the number on the road, and this is reinforced by Europe mandating connected cars as part of its eCall program. As these cars are introduced, they will increasingly be linked to systems that have to work together and, as automotive OEMs introduce new connected features and selling points for consumers, the infrastructure will become more complex. Each new service connected to a vehicle is a new potential entry point for hackers.

As this chart from the report shows, attacks are up six times over the period 2010 to 2018. Although 200 incidents over a decade, and 60 in 2018, do not seem like a cause for concern compared to the number of IT attacks, the impact is much greater, in terms of both risk and ripple effect.

The headline news of such hacks is disturbing as they represent a threat toward human life. One hack could take the lives of not just a driver and their passengers, but also pedestrians, bystanders and other drivers on the road. Of course, there is also the financial impact which could run to billions of dollars.

The study looked at each attack, focusing on the target company, the type of organization, the attack vector used, the damage done, and how the attack was achieved (physical attack, wireless, long-range or other). Other incidents have gone unreported but, for the first time, a complete list of published automotive hacks is available at the smart mobility cyber attacks repository. This list will continue to be updated and maintained.

The report implies that, with hindsight, the industry will recognize that the writing was on the wall. The reason for this assertion is that, in 2018, the number of incidents conducted by malicious hackers (black hats) eclipsed the number of white hat incidents conducted by researchers. This is the first time in history that this has happened.

Hackers have become increasingly familiar with the components of connected vehicles, and the tools with which to attack this industry. An insight from the report is that cyber criminals are using a diverse set of routes to infiltrate vehicles:

  • In 21.4% of attacks, the connected vehicle was accessed remotely by server attacks. Most of these were black hat attacks, with malicious intent. The term “server” covers a wide range of incidents, including telematics command and control servers, smart mobility application services and breached web servers, such as an OEM website. It also covers databases that hold vehicle, customer, code and driver data. This information could be held by a third-party public cloud vendor, or on a private cloud. These attacks are long-range, meaning that attackers don’t need to be in any kind of proximity to the car to access data.
  • 8% of attacks exploit keyless entry, where a thief can gain entry to a car without using a key for either the door or the ignition switch. With the rise of keyless entry in modern vehicles, this method is gaining the attention of cyber thieves.
  • 5% of attacks are via the OBD port, which means the hacker must have initial physical access to the vehicle. Once this physical connection has been made, it can result in car theft or the injection of malicious CAN bus messages to manipulate car system behavior.
  • 8% of attacks are against OEMs’ mobile applications that allow vehicle owners to take control of various features of their car remotely, for accessibility and ease of use. In this case, the hackers breach the app itself and reverse-engineer it to uncover vulnerabilities, then use these to access a car.

Another insight from analyzing eight years of data is that the entire ecosystem of smart mobility companies is at risk from cybersecurity vulnerabilities. Attack headlines may highlight OEMs, but exploiting vulnerabilities in back-end servers and front-end vehicles will impact Tier 1 suppliers, fleet operations, telematics service providers, car sharing companies and public and private transportation providers. Companies operating commercial ride share fleets are open to fraud attacks. As an example, one hacker breached a car-sharing company database and used existing member credentials to ride for free. Beyond the fraud aspect is the vulnerability of user data, and the threat to companies of infringing or failing to comply with GDPR regulations.

Remote attacks through smart mobility services will increase substantially, with back-end servers, telematics servers and mobile apps continuing to face attacks, such as ransomware and unauthorized access. In fact, 42% of black hat incidents involved a back-end server.

Clearly, the most important issue is control over car systems. Currently, as many as 27.6% of incidents involve vulnerabilities or breaches to these systems. While some introduce low physical risk, such as the unlock function, others can attack the brakes, airbags or the acceleration of a vehicle. Increasingly, these attacks are long range and, in the case of black hat infiltrations, 91% are wireless.

The Upstream Security report provides a great deal of valuable data and insights, including predictions for 2019. The key takeaway is the urgent need for a comprehensive end-to-end ecosystem perspective on security that addresses cloud, network and in-vehicle security. This is something that the broader automotive industry ecosystem will have to address.

