By Numaan Huq, Vladimir Kropotov, and David Sancho (Senior Threat Researchers, Trend Micro), and Rainer Vosseler (Manager, Threat Research, Trend Micro)
Technological improvements in automation and connectivity have contributed to the rapid development of new smart features in connected cars. Connected cars have thus become prolific data-generating machines: Producing data on geolocation, speed, acceleration, engine performance, fuel efficiency, and other operational parameters, they’ve essentially become data centers on wheels. According to a McKinsey report, a connected vehicle processes up to 25 gigabytes of data per hour. As vehicular networks have begun to resemble traditional IT networks, these circumstances have opened doors to potential cyberattacks, placing connected cars at risk. In this VicOne blog entry, researchers from Trend Micro’s Forward-Looking Threat Research (FTR) team explore cybercrimes against connected cars in the underground now and in the foreseeable future.
Current and future attacks against connected cars in the underground
We have heard of security researchers devising creative attacks or proof-of-concept exploits aimed at connected cars for quite some time. While there have been reports of crimes related to connected cars, like a car theft in July 2022 enabled by a technique known as CAN injection, the only “cyberattacks” involving connected cars we’ve found being discussed of late on underground forums are ones that fall under car modification, aka car modding. Car modding is performed by enthusiasts to unlock vehicle features and manipulate mileage. They hack embedded car features, for example, to enable functionalities like car seat heating, a feature that automotive manufacturers (OEMs) offer as an upgrade for a fee, or to tweak the software to lower mileage. While this kind of manipulation negatively affects the profits of OEMs, it doesn’t really target connected car users, which makes us question whether car modding activities can be classified as attacks in the first place.
Figure 1. A post on a car modders’ forum by a user requesting help to remove the speed limit of a particular car
Figure 2. A post on a car modders’ forum by a user sharing a tool for generating code for updating car maps
Let’s dive deeper into a traditional criminal’s business model as we understand it today. If a conventional (non-connected) car is stolen, criminals have the following options:
- Resell the car locally, within the same country. (This is scarcely done in developed countries, as vehicles are easily traced and arrests are easily made. Vehicles are almost always shipped abroad.)
- Export the car to another country.
- Sell the car for parts.
- Use the car to perpetrate other crimes, such as ram-raiding and drug transportation.
The options are markedly different when a connected car is stolen:
- Connected cars are permanently online and rely on connectivity to enable certain features, which means they are often trackable. Stolen connected cars have a high recovery rate, with Tesla being a case in point with a recovery rate of just under 98%, about 40 percentage points higher than the US national average rate, including traditional vehicles. Connected car thieves would be hard-pressed to find buyers for a stolen vehicle within the same country because law enforcement can easily locate it. Also, if the criminals succeed in taking the car offline (not an easy feat but theoretically doable), the chances of reselling it are low because the buyer wouldn’t be able to access certain features. Exporting it is a possibility but, again, the car might be taken offline, and the resultant loss of features would prevent potential buyers in faraway places from buying it.
- Connected cars require the creation of user accounts to manage their online features. Gaining access to user accounts might allow attackers to achieve some degree of control over the cars, such as the ability to unlock their doors or start their engines or motors remotely. This scenario presents criminals with new options: user impersonation and buying and selling of user accounts.
For now, takeover of car user accounts is one avenue that cybercriminals can exploit. Gaining unauthorized access to a car user account might enable cybercriminals to locate a car, and then use the information to break into it and sell it for parts or sell it to other criminals for use in one-off crimes. Access to a user account can also aid malicious actors in finding out the owner’s home address and knowing when the owner is not there. This scenario presupposes collusion between cybercriminals and traditional criminal gangs to pull it off. This is not far-fetched as we’ve seen this kind of cooperation in ATM heists before, as in the infamous Carbanak and Cobalt malware attacks that targeted more than a hundred institutions worldwide and resulted in the conspiring gangs’ amassing over a billion euros.
Obtaining unauthorized access to online accounts of connected car users and selling it to malicious actors who can then leverage the information is another route that cybercriminals might take as a logical way to expand their business.
| Current attacks found being widely discussed on underground forums | Possible attacks that might gain traction on underground forums in the future |
| --- | --- |
| Car modding (manual car hacking) to: | Selling of connected car user accounts to malicious actors who can then: |
Table 1. Current attacks we found being widely discussed on underground forums and possible attacks that might gain traction on underground forums in the future
The cybercriminal underground market for connected car data
Our research also led us to survey cybercriminal underground forums in search of attacks against OEMs. We found cases of compromised networks and selling of VPN access, but the forum discussions indicated only typical monetization models of IT assets. This suggests that cybercriminals have yet to see the value of connected car data or an observable market demand for such data.
We have yet to see any instance of malicious actors obtaining unauthorized access to car user accounts. Based on what we’ve observed, there have been only random data dumps by cybercriminals that have no relation to connected car data being collected and kept by OEMs.
Figure 3. A post on a cybercriminal underground forum by a user offering a data dump from an OEM (recreated as the post has been taken down)
Figure 4. Posts on a cybercriminal underground forum by a user selling VPN access to a car manufacturer’s network (as indicated in the forum thread)
While the cybercriminal underground market for connected car data is still in its infancy, we reckon that this period won’t last long. We expect that connected car data will become very valuable when third-party entities start using vehicle data extensively. For example, when a bank uses vehicle data to determine the loan renewal terms or asset value for a vehicle, the vehicle data gets a new life and the effective connected car data ecosystem significantly expands. Cybercriminals will very quickly realize this, and their first attempts at exploiting vehicle data will promptly spring up. All the pieces and technology pillars have been laid out in front of the criminals. It is only a matter of time before malicious actors begin to stake their claim in a vastly lucrative field.
Protecting connected car users’ data
Crime analysts often cite the triangle of crime when investigating criminal cases. This notion asserts that for a crime to take place, there must be a desire to commit it, a target of the crime, and an opportunity to commit the misdeed. Connected car users are not yet the targets of cybercriminals because they don’t currently make up the majority of the total car market. But their number is steadily growing, and they will soon be commonplace. The opportunities to exploit connected cars already exist, even if cybercriminals have not realized it yet. Cybercriminals already know how to seize control of other types of user accounts through methods they’ve deftly used multiple times before, such as phishing, information theft, and keylogging. As for the desire, there are ways for malicious actors to make money from gaining access to connected car users’ data, but they have not found them yet. Cybercrimes against connected cars will start to pick up once cybercriminals figure out how they can exploit existing vulnerabilities.
At present, the biggest security risk exists in the level of protection of connected car users’ data rather than in the cars themselves. But this might change in the next three to five years as the connected car data ecosystem inevitably expands.
For OEMs and cybersecurity professionals, this means that securing connected car data is paramount even at this nascent stage. One way of doing so is implementing multifactor authentication with connected car user accounts to create an extra layer of protection.
As discussed here, attackers can employ many ways to obtain access to car users’ data, and these include using malicious in-vehicle infotainment (IVI) apps and exploiting unsecure IVI apps and network connections. OEMs can employ smart cockpit protection solutions to detect and block malicious apps that enable attackers to access private data stored in vehicles’ IVI systems. Also, attackers can take advantage of unsecure browsers to steal private data, as discussed in a previous VicOne blog post. Connected car users can also opt for smart cockpit protection solutions that can regularly scan for web browser vulnerabilities and provide users with timely alerts to prevent them from accessing malicious websites.