Driving Into the Future: VicOne Automotive Cybersecurity Predictions and Recommendations for 2024

December 15, 2023
CyberThreat Research Lab
Driving Into the Future: VicOne Automotive Cybersecurity Predictions and Recommendations for 2024

As the automotive industry progresses toward software-defined vehicles (SDVs) and increasingly incorporates technologies like AI, the landscape of potential threats is also evolving. The enhanced connectivity of vehicles, which now communicate with other vehicles, road infrastructure, and cloud services, significantly expands the attack surface for malicious actors. This interconnected environment increases the risk of cyberattacks, posing risks across all automotive industry stakeholders. Furthermore, older vehicle models that are less equipped with modern technology present their own challenges. These models often have vulnerabilities that are difficult to patch, posing security risks and potential losses for car makers and owners alike. 

Given these developments, we present below VicOne’s predictions for the types of threats and risks that could impact the automotive industry in 2024, and our recommendations for mitigating them.

Vulnerabilities, cyberattacks, AI risks, and more

  • More hardware vulnerabilities will be discovered. While these are generally more challenging to exploit, they are also difficult to patch. A notable example is Zenbleed, a CPU vulnerability in AMD’s Zen 2 microarchitecture that could lead to leakage of sensitive data from vehicles or even be part of an attack chain to compromise other security measures. AMD’s Zen architecture has been adopted by Tesla, no less, for its latest generation of electric vehicles, so vehicles can indeed be affected by vulnerabilities like Zenbleed. Mitigation: Implementing responsible disclosure and bug bounty programs such as Pwn2Own Automotive can effectively help identify and address these vulnerabilities.
  • Vulnerabilities in open-source software will persist despite the adoption of better practices in the software development life cycle. Mitigation: Strategies like software bill of materials (SBOM) management, over-the-air (OTA) updates, responsible disclosure, and bug bounty programs are essential to managing the risks associated with open-source software vulnerabilities.
  • While OTA updates provide new features and security patches, OTA spoofing will continue to pose the risk of malware implantation in vehiclesMitigation: Establishing a trust infrastructure and validating transferred data are critical steps in preventing OTA spoofing.
  • Insider sabotage or the risk of data leaks by insiders will be a bigger concern. As more user data is stored in the cloud, the potential damage from such leaks, whether inadvertent or deliberate, increases. For example, in April 2023, it was reported that some former employees of a popular electric car company shared, via their internal messaging system, intimate footage of car owners recorded by built-in cameras in their vehicles. Mitigation: Enhanced internal security protocols, regular audits, and employee training minimize the risk of insider threats.
  • Cyberattacks and ransomware incidents will increase. These cyberattacks, affecting both automotive manufacturers (OEMs) and suppliers, have been aimed at breaching infrastructure and stealing data. Vulnerabilities in unsecure cloud endpoints are particularly susceptible. Mitigation: Adopting best practices for system hardening is crucial to preventing these attacks.
  • AI will introduce potential risks in advanced driver assistance systems (ADASs). Although AI has enabled significant advancements in autonomous driving, it is not without its challenges. Instances such as “ghost braking” or failure to recognize obstacles due to AI model glitches are growing concerns. Additionally, AI can be misled by deliberately crafted objects, leading to dangerous situations. Mitigation: Ongoing testing, validation, and updates of AI models are needed to minimize these risks.
  • Despite newer and more secure designs, vehicle entry/immobilizer systems that use unsecure transmission methods will remain. Older key fobs, for example, often rely on a vehicle’s internal message bus, making them vulnerable to attacks such as “CAN injection.” Their signals can be easily cracked, leading to vehicle theft, as seen in the high theft rates of certain car models. Mitigation: Upgrading to more secure entry systems and implementing additional security measures are necessary steps.
  • In gray markets, the trend of unlocking or jailbreaking subscription features will continue to be on the rise. This typically involves configuration, software, or hardware modifications, which can lead to unexpected vehicle behavior. Mitigation: Strengthening security protocols to prevent unauthorized modifications and educating consumers about the risks of jailbreaking are important.

It is apparent that some of the aforementioned threats and risks are more relevant to OEMs and suppliers, while others directly affect end users. The table below specifies the challenges and concerns each group faces, highlighting their respective priorities and impact areas in the context of automotive cybersecurity.

Threat/Risk typeChallenges and concerns for OEMs/suppliersChallenges and concerns for end users
Hardware vulnerabilitiesFocus on production quality and supply chain security to ensure vehicle reliability and safetyConcern about the reliability and safety of their vehicles, impacting their driving experience
Software vulnerabilitiesEmphasizing secure software development practices to prevent software failures and vulnerabilitiesWorry about software reliability affecting vehicle functionality and safety
OTA spoofingEnsuring the integrity of OTA updates to maintain vehicle software security and functionalityConcern about the potential for compromised updates affecting vehicle performance and security
Insider sabotageAddressing regulatory compliance and thwarting internal threats to data and systemsFear of personal data being compromised due to internal breaches or leaks
Cyberattacks/Ransomware incidentsManaging risks of service denial, ransom demands, and damage to reputationConcern over personal data security and the potential for vehicle functionality to be compromised
AI/ADAS risksManaging complex system design and testing to ensure the reliability and safety of AI-driven functionsDependence on the reliability and safety of AI systems for an enhanced driving experience
Vehicle entry/Immobilizer systemsDesigning and implementing secure access controls to prevent unauthorized vehicle accessWorry about the risk of car theft due to vulnerabilities in entry and immobilizer systems
Jailbreaking of subscription featuresDeveloping secure configuration and firmware to prevent unauthorized access and modificationsTendency to modify or unlock features, leading to concerns about unintended system behaviors or vulnerabilities

Table 1. Challenges and concerns faced by OEMs/suppliers and end users concerning automotive cybersecurity

Regulatory compliance as mitigation

From a regulatory perspective, ISO/SAE 21434 mandates that OEMs and suppliers adhere to the “V model” in automotive development, ensuring comprehensive coverage of various threats throughout a vehicle’s life cycle or ecosystem. In addition to ISO/SAE 21434, other industry standards and regulations address these evolving threats. The table below enumerates these and highlights how regulatory compliance can be beneficial in effectively mitigating threats.

Threat/Risk typeRelated industry standards and regulations as mitigation
Hardware vulnerabilitiesISO/SAE 21434, ISO 26262, IEC 61508
Software vulnerabilitiesISO/SAE 21434, ISO 26262, IEC 61508, EN 303 645, UN R155
OTA spoofingISO/SAE 21434, EN 303 645, UN R156
Insider sabotageISO/IEC 27001, GDPR
Cyberattacks/Ransomware incidentsISO/IEC 27001, GDPR, EN 303 645, UN R155
AI/ADAS risksISO/SAE 21434, ISO 26262, IEC 61508
Vehicle entry/Immobilizer systemsISO/SAE 21434
Jailbreaking of subscription featuresISO/SAE 21434

Table 2. Industry standards and regulations that can help mitigate automotive threats and risks

Underscoring API security

While APIs (application programming interfaces) might not fit neatly into the previously mentioned threats and risks, they are still closely associated with them and often serve as the root cause of various threats and risks. APIs play a critical role in decoupling components and services, allowing organizations to segment development more effectively and enhance efficiency. However, neglecting best practices in API management can lead to catastrophic outcomes. This is particularly relevant in scenarios such as the connectivity between car-connected mobile apps and back-end servers, OEM servers issuing OTA updates to vehicles, or querying data from OEMs’ internal servers. 

The threats and risks that can be attributed to API vulnerabilities include: 

  • OTA spoofing: Unauthorized API calls can mimic legitimate OTA update requests. 
  • Insider sabotage: Insiders can exploit API vulnerabilities to access or leak sensitive data. 
  • Cyberattacks/Ransomware incidents: APIs can be a gateway for attackers to infiltrate systems and deploy ransomware.
  • Vehicle entry/Immobilizer systems: API flaws can allow unauthorized access to vehicle control systems.

The security of APIs is indeed integral to the overall safety of automotive systems, influencing a wide range of functionalities and potential vulnerabilities. 

The path forward

It can be noted from our automotive cybersecurity predictions and recommended mitigations for 2024 that, while the automotive attack surface continues to significantly expand, many of the most pressing threats and risks are already well-known. We thus enjoin connected car stakeholders to follow proven security tactics from other industries and take advantage of existing techniques such as regulatory compliance and API management, to ensure that resilience and robustness are in the cards for the future of automotive cybersecurity.

This blog entry is the third and final part of the VicOne Automotive Cybersecurity Report 2023. Read the first part, our paper discussing our research on the extensive automotive data ecosystem, and the second part, our main report on the current automotive cyberthreat landscape, here and here, respectively.

Our News and Views

Gain Insights Into Automotive Cybersecurity

Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us