New VicOne Cybersecurity Report Reveals Growing Automotive Data Exploitation, as Industry Examines Cyberattacks and Security Measures
VicOne Automotive Cyberthreat Landscape Report 2023 reveals supply chain as major source of growth in automotive cyberattacks
DALLAS & TOKYO — VicOne, an automotive cybersecurity solutions leader, today announced the availability of VicOne Automotive Cyberthreat Landscape Report 2023. Based on data from automotive original equipment manufacturers (OEMs), suppliers and dealers globally, the comprehensive VicOne report details:
- Growth in usage and monetization of automotive data—and, in turn, threat of exploitation by cybercriminals
- Trends and incidents that have arisen this year in the dynamic automotive cyberthreat landscape
- Predictions of upcoming developments and key focus areas for an effective cybersecurity strategy for the next year and beyond
“In our analysis of the threat landscape, we noticed that the losses from cyberattacks in the first half of the year exceeded US$11 billion, marking an unprecedented surge compared to the last two years,” reads VicOne Automotive Cyberthreat Landscape Report 2023. “A closer examination reveals that these cyberattacks predominantly targeted automotive suppliers, indicating a rising trend. Alarmingly, over 90% of these attacks were not aimed at OEMs themselves but rather at other entities in the supply chain. Attackers often find it difficult to penetrate well-protected companies, so they target less vigilant firms instead. But OEMs are affected all the same, because of the supply chain disruptions. Consequently, defending systems against cyberattacks is no longer just about securing an individual firm; it is about strengthening the entire supply chain.”
Figure 1. VicOne 2023 Automotive Cyberthreat Landscape Report notes that over 90% of automotive cyberattacks were not aimed at OEMs but at other companies in the supply chain.
The new VicOne report untangles the cybersecurity issues developing along with the increasing complexity of vehicles and their integration of connectivity, automation and advanced driver assistance systems (ADAS). It shows that industry losses are growing from cyberattacks such as ransomware and exposure of leaked data or personally identifiable information (PII), as well as costs associated with system downtime. The calculations in VicOne Automotive Cyberthreat Landscape Report 2023 are based only on tangible costs related to technology and operations and not intangible costs such as branding, public relations, sales and marketing expenses.
The report identifies the top vulnerabilities by which vehicle data can be compromised, listing common weakness enumeration (CWE) vulnerabilities in tables. Out-of-bounds write (OOBW), out-of-bounds read (OOBR), buffer overflow, use after free and improper input validation vulnerabilities are among the most frequent issues that VicOne documented. Most of the issues were found on chipsets or systems-on-chip (SoCs), followed by vulnerabilities in third-party management applications and in-vehicle infotainment (IVI) systems. Third-party suppliers—including logistics providers, service providers and companies engaged in the production of components, accessories or parts—have emerged as a growing focus of attacks.
The VicOne report presents case studies on some of the key incidents from the last year, including the Zenbleed vulnerability, potentially leading to the leakage of sensitive data at a remarkably fast rate of 30kb/s per core; CAN bus injection, emerging as a favorite technique among vehicle thieves; and penetration of backend cloud infrastructure, by exploiting vulnerabilities in telematics systems and application programming interfaces (APIs).
While noting that there is currently a regulatory vacuum when it comes to vehicle data, the VicOne report points out that UN R155 will mandate safety conditions for newly manufactured cars by July 2024.
“It’s clear that the automotive industry needs to give higher priority to cybersecurity, in terms of resources and budget. That is something that must be happening continually—building up the processes, building up the organization, building up the talent, building up the entire system—or you will never be able to implement cybersecurity effectively,” said Max Cheng, chief executive officer of VicOne. “Now is the time for organizations throughout the global automotive industry to get serious about exploring how to build up their capabilities across the important focus areas that our new report covers.”
VicOne Automotive Cyberthreat Landscape Report 2023 is available at https://vicone.com/reports/automotive-cybersecurity-report-2023.
With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro's 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit vicone.com.