Today’s modern car has evolved into a multifunctional machine that not only brings people to their destination but also houses complex systems that can connect to other vehicles, mobile devices, traffic infrastructure, and cloud networks. This has given rise to new demands for modern features, compelling the automotive industry to keep up by continuously developing and releasing smart car designs. But keeping up with these demands is not the only challenge that the industry is currently facing — an even greater one looms on the horizon, making it imperative for the automotive industry to fortify its cybersecurity.
Car connectivity has changed the way we interact with the world through our vehicles. The addition of modern features like internet access, app-based remote monitoring and management, and autonomous driving has created a new gateway to cyberspace and increased connected car owners’ dependency on different kinds of software. Indeed, every car sensor or connection needs to be supported by software in an engine control unit (ECU). But as with all technological developments, this dependency also opens up new vulnerabilities that put connected cars at risk.
Since today’s vehicles are automatically connected when they come within range of either a cellular network or a short-range radio frequency channel (similar to how smart devices connect to Bluetooth or Wi-Fi), this connection opens up opportunities for unscrupulous parties to take advantage by intercepting and stealing information, disrupting a car’s normal functions, or even endangering the lives of car owners.
Cybersecurity researchers have identified the following as some of the current challenges to and possible attack vectors in connected cars:
- Highly tiered supply chain systems. A vulnerability in one component would require all involved tiers to release a fix — all the way to the OEM. All ECU firmware would also need updating, thereby causing deployment delays.
- Unsecure ECU interconnection protocols. Some early protocol designs for ECU interconnections lack certain cybersecurity features. As a result, data transfers are not encrypted, while senders and receivers are unauthenticated.
- Unsecure aftermarket products and services. Most devices installed in cars, such as Bluetooth- or Wi-Fi-capable multimedia devices, run on unsecured or outdated firmware, which could be an entryway for attackers.
Researchers have also collected findings on varying techniques for exploiting security weaknesses and other possible attack scenarios, such as the following:
- Hardware and software systems
- Controller Area Network (CAN) bus
- Applications
- In-vehicle components
- Wireless network protocols
To help the automotive industry adopt appropriate cybersecurity measures and best practices for ensuring the safety of users, ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” was created. This standard comprises a set of guidelines for securing high-level processes in the design, manufacturing, maintenance, and end-of-life phases of vehicles and aims to help fulfill safety level requirements among connected cars. Over 80 organizations have participated in documenting this standard in order to support the automotive industry in securing its systems and processes across the automotive ecosystem. Trend Micro’s research titled “ISO/SAE 21434: Setting the Standard for Connected Cars’ Cybersecurity” elaborates on updates on the sectional structure and details of this standard to provide further insights and recommendations.
This new era of connected cars has indeed opened various opportunities for advancement in in-vehicle technology but has simultaneously unveiled some weaknesses in the cybersecurity realm. To defend future connected cars from ever-evolving attacks, security analysts, researchers, and car manufacturers must work together not just to stay updated on the latest standards but also to anticipate how attackers might abuse critical gaps in the connected car life cycle.
Visit our resource center to read more automotive cybersecurity research and gain insights on relevant guidelines for the automotive industry.