In cybersecurity parlance, a vulnerability is a weakness within a system or network that can be exploited by hackers or other threat actors to gain unauthorized access, cause harm, or engage in other malicious actions. Vulnerabilities are often categorized based on public awareness. Publicly known vulnerabilities are widely acknowledged within the global cybersecurity community. This knowledge is shared with relevant stakeholders, enabling those responsible for the affected system’s security to patch the vulnerabilities promptly. In contrast, zero-day vulnerabilities are often discovered and exploited by malicious actors before defenders become aware of them. Such vulnerabilities pose significant risks, impacting the entire supply chain.
In this blog entry, we highlight the types of vulnerabilities common to the automotive industry. While some of these may share commonalities with those in other industries, the complexity of modern connected cars demands a more comprehensive understanding of their evolving threat landscape. Initiatives such as Pwn2Own Automotive play an indispensable role in exposing more undisclosed vulnerabilities and addressing them head-on.
Here are common vulnerabilities in the automotive industry and some of their specific examples:
- Information leakage vulnerabilities: Information leakage is the exposure of sensitive information, inadvertent or otherwise. This may not seem critical at the onset, but even minor leaks, like those involving vehicle identification numbers (VINs), user email addresses, or time zones, can have significant consequences. For instance, in 2022, researchers demonstrated how a vehicle could be unlocked using just the VIN, exploiting flaws in a service provider’s cloud service.
- DoS vulnerabilities: Denial of service (DoS) occurs when a system’s resources are overwhelmed, making it unavailable to its intended users by any means necessary. In an automotive context, DoS vulnerabilities often stem from poor system design or insufficient capacity. For example, in early 2023, a researcher discovered that inserting a USB pen drive with a specially crafted media file into an infotainment system could shut it down, demonstrating a DoS vulnerability.
- Hard-coded credential vulnerabilities: Hard-coded credentials are embedded, unchangeable credentials within a system, which can be a security risk. These are common in higher-level devices within vehicles. Examples include passwords or keys used for debugging or developer functions, which are often identical across devices, families, or product lines. The uniformity of access across multiple devices typically arises from a lack of security awareness and can lead to various breaches.
- Stack overflow vulnerabilities: Stack overflow is a programming error where a program writes more data to a buffer located on the stack, a memory structure found in almost all electronic devices, than what is actually allocated, leading to a breach. When a program exhausts its allocated memory, it can behave unpredictably or even execute malicious scripts. Stack overflow vulnerabilities often result from improper software design. VicOne’s research team has successfully exploited a stack overflow in an automotive head unit to run arbitrary code.
- Command injection vulnerabilities: Command injection enables a malicious actor to execute arbitrary commands on the host operating system via a vulnerable application. Command injection vulnerabilities can lead to severe consequences due to inadequate security mechanisms upholding the basic principles of confidentiality, integrity, and availability (CIA). An example is the CAN bus injection attack where attackers can exploit vulnerabilities in the CAN bus through a car’s headlights.
These vulnerabilities emphasize the importance of robust and resilient automotive cybersecurity in protecting connected vehicles against various forms of cyberattacks. Addressing these vulnerabilities is crucial to ensuring the security and safety of automotive systems and networks.
To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.