As the automotive industry progresses toward software-defined vehicles (SDVs) and increasingly incorporates technologies like AI, the landscape of potential threats is also evolving. The enhanced connectivity of vehicles, which now communicate with other vehicles, road infrastructure, and cloud services, significantly expands the attack surface for malicious actors. This interconnected environment increases the risk of cyberattacks, posing risks across all automotive industry stakeholders. Furthermore, older vehicle models that are less equipped with modern technology present their own challenges. These models often have vulnerabilities that are difficult to patch, posing security risks and potential losses for car makers and owners alike.
Given these developments, we present below VicOne’s predictions for the types of threats and risks that could impact the automotive industry in 2024, and our recommendations for mitigating them.
Vulnerabilities, cyberattacks, AI risks, and more
- More hardware vulnerabilities will be discovered. While these are generally more challenging to exploit, they are also difficult to patch. A notable example is Zenbleed, a CPU vulnerability in AMD’s Zen 2 microarchitecture that could lead to leakage of sensitive data from vehicles or even be part of an attack chain to compromise other security measures. AMD’s Zen architecture has been adopted by Tesla, no less, for its latest generation of electric vehicles, so vehicles can indeed be affected by vulnerabilities like Zenbleed. Mitigation: Implementing responsible disclosure and bug bounty programs such as Pwn2Own Automotive can effectively help identify and address these vulnerabilities.
- Vulnerabilities in open-source software will persist despite the adoption of better practices in the software development life cycle. Mitigation: Strategies like software bill of materials (SBOM) management, over-the-air (OTA) updates, responsible disclosure, and bug bounty programs are essential to managing the risks associated with open-source software vulnerabilities.
- While OTA updates provide new features and security patches, OTA spoofing will continue to pose the risk of malware implantation in vehicles. Mitigation: Establishing a trust infrastructure and validating transferred data are critical steps in preventing OTA spoofing.
- Insider sabotage or the risk of data leaks by insiders will be a bigger concern. As more user data is stored in the cloud, the potential damage from such leaks, whether inadvertent or deliberate, increases. For example, in April 2023, it was reported that some former employees of a popular electric car company shared, via their internal messaging system, intimate footage of car owners recorded by built-in cameras in their vehicles. Mitigation: Enhanced internal security protocols, regular audits, and employee training minimize the risk of insider threats.
- Cyberattacks and ransomware incidents will increase. These cyberattacks, affecting both automotive manufacturers (OEMs) and suppliers, have been aimed at breaching infrastructure and stealing data. Vulnerabilities in unsecure cloud endpoints are particularly susceptible. Mitigation: Adopting best practices for system hardening is crucial to preventing these attacks.
- AI will introduce potential risks in advanced driver assistance systems (ADASs). Although AI has enabled significant advancements in autonomous driving, it is not without its challenges. Instances such as “ghost braking” or failure to recognize obstacles due to AI model glitches are growing concerns. Additionally, AI can be misled by deliberately crafted objects, leading to dangerous situations. Mitigation: Ongoing testing, validation, and updates of AI models are needed to minimize these risks.
- Despite newer and more secure designs, vehicle entry/immobilizer systems that use unsecure transmission methods will remain. Older key fobs, for example, often rely on a vehicle’s internal message bus, making them vulnerable to attacks such as “CAN injection.” Their signals can be easily cracked, leading to vehicle theft, as seen in the high theft rates of certain car models. Mitigation: Upgrading to more secure entry systems and implementing additional security measures are necessary steps.
- In gray markets, the trend of unlocking or jailbreaking subscription features will continue to be on the rise. This typically involves configuration, software, or hardware modifications, which can lead to unexpected vehicle behavior. Mitigation: Strengthening security protocols to prevent unauthorized modifications and educating consumers about the risks of jailbreaking are important.
It is apparent that some of the aforementioned threats and risks are more relevant to OEMs and suppliers, while others directly affect end users. The table below specifies the challenges and concerns each group faces, highlighting their respective priorities and impact areas in the context of automotive cybersecurity.
| Threat/Risk type | Challenges and concerns for OEMs/suppliers | Challenges and concerns for end users |
|---|---|---|
| Hardware vulnerabilities | Focus on production quality and supply chain security to ensure vehicle reliability and safety | Concern about the reliability and safety of their vehicles, impacting their driving experience |
| Software vulnerabilities | Emphasizing secure software development practices to prevent software failures and vulnerabilities | Worry about software reliability affecting vehicle functionality and safety |
| OTA spoofing | Ensuring the integrity of OTA updates to maintain vehicle software security and functionality | Concern about the potential for compromised updates affecting vehicle performance and security |
| Insider sabotage | Addressing regulatory compliance and thwarting internal threats to data and systems | Fear of personal data being compromised due to internal breaches or leaks |
| Cyberattacks/Ransomware incidents | Managing risks of service denial, ransom demands, and damage to reputation | Concern over personal data security and the potential for vehicle functionality to be compromised |
| AI/ADAS risks | Managing complex system design and testing to ensure the reliability and safety of AI-driven functions | Dependence on the reliability and safety of AI systems for an enhanced driving experience |
| Vehicle entry/Immobilizer systems | Designing and implementing secure access controls to prevent unauthorized vehicle access | Worry about the risk of car theft due to vulnerabilities in entry and immobilizer systems |
| Jailbreaking of subscription features | Developing secure configuration and firmware to prevent unauthorized access and modifications | Tendency to modify or unlock features, leading to concerns about unintended system behaviors or vulnerabilities |
Table 1. Challenges and concerns faced by OEMs/suppliers and end users concerning automotive cybersecurity
Regulatory compliance as mitigation
From a regulatory perspective, ISO/SAE 21434 mandates that OEMs and suppliers adhere to the “V model” in automotive development, ensuring comprehensive coverage of various threats throughout a vehicle’s life cycle or ecosystem. In addition to ISO/SAE 21434, other industry standards and regulations address these evolving threats. The table below enumerates these and highlights how regulatory compliance can be beneficial in effectively mitigating threats.
| Threat/Risk type | Related industry standards and regulations as mitigation |
|---|---|
| Hardware vulnerabilities | ISO/SAE 21434, ISO 26262, IEC 61508 |
| Software vulnerabilities | ISO/SAE 21434, ISO 26262, IEC 61508, EN 303 645, UN R155 |
| OTA spoofing | ISO/SAE 21434, EN 303 645, UN R156 |
| Insider sabotage | ISO/IEC 27001, GDPR |
| Cyberattacks/Ransomware incidents | ISO/IEC 27001, GDPR, EN 303 645, UN R155 |
| AI/ADAS risks | ISO/SAE 21434, ISO 26262, IEC 61508 |
| Vehicle entry/Immobilizer systems | ISO/SAE 21434 |
| Jailbreaking of subscription features | ISO/SAE 21434 |
Table 2. Industry standards and regulations that can help mitigate automotive threats and risks
Underscoring API security
While APIs (application programming interfaces) might not fit neatly into the previously mentioned threats and risks, they are still closely associated with them and often serve as the root cause of various threats and risks. APIs play a critical role in decoupling components and services, allowing organizations to segment development more effectively and enhance efficiency. However, neglecting best practices in API management can lead to catastrophic outcomes. This is particularly relevant in scenarios such as the connectivity between car-connected mobile apps and back-end servers, OEM servers issuing OTA updates to vehicles, or querying data from OEMs’ internal servers.
The threats and risks that can be attributed to API vulnerabilities include:
- OTA spoofing: Unauthorized API calls can mimic legitimate OTA update requests.
- Insider sabotage: Insiders can exploit API vulnerabilities to access or leak sensitive data.
- Cyberattacks/Ransomware incidents: APIs can be a gateway for attackers to infiltrate systems and deploy ransomware.
- Vehicle entry/Immobilizer systems: API flaws can allow unauthorized access to vehicle control systems.
The security of APIs is indeed integral to the overall safety of automotive systems, influencing a wide range of functionalities and potential vulnerabilities.
The path forward
It can be noted from our automotive cybersecurity predictions and recommended mitigations for 2024 that, while the automotive attack surface continues to significantly expand, many of the most pressing threats and risks are already well-known. We thus enjoin connected car stakeholders to follow proven security tactics from other industries and take advantage of existing techniques such as regulatory compliance and API management, to ensure that resilience and robustness are in the cards for the future of automotive cybersecurity.
This blog entry is the third and final part of the VicOne Automotive Cybersecurity Report 2023. Read the first part, our paper discussing our research on the extensive automotive data ecosystem, and the second part, our main report on the current automotive cyberthreat landscape, here and here, respectively.
