
By Ling Cheng (Senior Product Marketing Manager)
Have you ever wondered what it really means when a news report reveals that a car manufacturer or supplier has fallen victim to a “zero-click exploit allowing attackers to remotely control vehicles”? It’s an unsettling thought, one that might lead you to question whether your own products could be at risk.
When faced with a scenario like this, product security incident response teams (PSIRTs) often invest significant time and resources. They review threat reports, dissect attack techniques, analyze vulnerabilities, and evaluate potential impacts. This painstaking process forms the foundation for determining whether their products might face similar threats.
What is an attack path, and why is it so challenging to identify?
The key to this process lies in the concept of the attack path. An attack path refers to a series of steps or methods taken by malicious actors to gain unauthorized access to vehicle systems, networks, or sensitive information. For PSIRTs, understanding and analyzing these paths is critical to identifying the root cause of issues and addressing potential risks. This is also highlighted in ISO/SAE 21434 clause 15.6, “Attack path analysis.”
Figure 1. An example of an attack path, a series of steps or methods taken by malicious actors
To track an attack path, PSIRTs must trace suspicious data, compare the potential impacts of different data points, and gradually piece together the full picture of how the attack occurred. However, in practice, identifying an attack path is often far more challenging than it seems. This process involves several arduous steps:
- Manual threat intelligence collection: Dark and deep web intelligence gathering requires human expertise due to its complexity, which limits the role of AI assistance and makes it highly time-consuming.
- Mapping intelligence to vehicle components and vulnerabilities: Threat data must be analyzed to identify incidents, hacker steps, and their relevance to specific vehicle components.
- Analyzing suspicious behaviors and attack paths: Experts evaluate actions and unusual behaviors linked to hacking attempts to anticipate and monitor potential threats.
- Cross-referencing for accuracy: Verification across multiple data sources ensures consistency, especially given the varied naming conventions used by automakers and suppliers.
- Automotive threat matrix integration: Suspicious behaviors are mapped to MITRE tactics, techniques, and procedures (TTPs) via the Auto-ISAC Automotive Threat Matrix (ATM) to outline hacker strategies.
But the challenge doesn’t end there. Different vehicle models often share the same designs or components, requiring the PSIRT to pinpoint which products or components are affected. This involves determining which product departments are impacted and coordinating with the right teams or suppliers for impact assessment, resource allocation, and customer notifications.
Historically, this entire process was manual — and inefficient. Compounding the issue, our threat intelligence monitoring shows a 600% surge in vehicle-related cyberattacks over just four years. As attacks increase and the threat landscape grows more complex, it’s clear that manual processes can no longer keep pace with escalating challenges.
Figure 2. The vulnerability management and product security risk assessment process relies heavily on manual efforts and involves multiple teams and suppliers.
What if critical attack path insights were at your fingertips?
With VicOne's vulnerability management system, xZETA, you can accelerate your efficiency during the identify and assess phase and reduce manual efforts. Now, when relevant news emerges, you can simply click to instantly identify exploitable vulnerabilities, map attack paths, and determine which systems, suppliers, or customers are affected.
VicOne xZETA integrates vulnerability databases with automotive threat intelligence, leveraging AI to automatically correlate your vulnerability data with real-world incidents as they unfold. This enables you to quickly answer critical questions, such as:
- What is the best route to mitigating the defects that would result in the least residual risk?
- Would there be changes in code, or should another software package be considered instead?
- Which products or customers are affected?
- Are these defects introduced or caused by a specific Tier 1 supplier?
- Are these defects novel or specific to this firmware, or should I be concerned about other vehicles that are already on the road?
Figure 3. xZETA instantly identifies exploitable vulnerabilities, maps attack paths, and prioritizes fixes.
Read our use case to see how xZETA simplifies attack path analysis, reducing the process from hours to seconds.