The Road Ahead Is Paved With Risky Data
VicOne Automotive Cybersecurity Report 2023
Untangling the Automotive Data Ecosystem
The automotive data ecosystem
The automotive data ecosystem is a vast network of automotive industry entities that are interconnected by data flows. The entities include vehicles, manufacturers (OEMs), Tier 1 (T1) and Tier 2 (T2) suppliers, data brokers, and data consumers. Extending far beyond OEMs and T1/T2 suppliers, the automotive data ecosystem reaches a wider landscape involving consumers, third-party service providers, and emergent applications and products.
In this ecosystem, vehicles have evolved into more than just generators of data — they have turned into consumers and transmitters of large volumes of data as well. As such, vehicles must be considered and handled as complex data hubs.
Indeed, in the paper “Automotive Data: Opportunities, Monetization, and Cybersecurity Threats in the Connected Vehicle Landscape,” written by researchers from Trend Research for VicOne, the massive extent of this ecosystem is itself a major revelation.
Extracting Value
From Automotive Data
To better comprehend the implications of the expansive automotive data ecosystem, we must see what categories of information flow within this network of interconnected entities. To that end, we have included in our research paper a list of data categories and data fields, such as location (GPS), engine, fuel, battery, driver behavior, diagnostic trouble codes (DTCs), and tire pressure monitoring (TPM).
In our research paper, we also discuss the data hunting method that resulted in these categories. The researchers detail the discovery of API calls between vehicles and OEM/T1/T2 clouds in Trend Micro telemetry data and of instances of vehicle data leakage on public MQTT (Message Queuing Telemetry Transport) servers, among other real-world examples.
When it can be used to discover new insights, data becomes truly valuable. We illustrate this using examples of how the automotive industry and even other industries can find value from automotive data by combining different data fields to extrapolate more data types and generate better insights.
Extrapolated Data
Combined Data Fields
Fuel efficiency
=
GPS+
Engine+
Fuel consumption
Emissions analysis
=
Engine+
Fuel+
Driver behavior
Optimal routing
=
GPS+
EnginePredictive maintenance
=
Engine+
GPS+
DTCsDriver performance
=
GPS+
Engine+
Fuel+
BrakingElectric vehicle range
=
Battery+
GPS+
Driver behavior
Tire health status
=
Tire pressure
+
TPM warnings
Micro weather
=
Wipers+
Braking+
External temperature
Parking analytics
=
Vehicle status
+
GPSTraffic predictor
=
Vehicle performance
+
GPSVehicle security status
=
Doors+
Trunk+
Windows+
GPSExtrapolated information from different vehicle data types
From such vehicle data types, the automotive industry can draw insights and produce innovative business models. The automotive industry can even expand to data-driven products and services that can be useful in other industries, such as banking and logistics.
Exposing the Cybersecurity Risks
of Automotive Data
One of the main goals of this research is to look at the ramifications of the automotive data ecosystem for the security of connected cars. The development of data monetization in the automotive industry can lead to stronger revenue growth, but it can also motivate cybercriminal activity. Should monetization of this data continue to rise, we expect that the first large-scale attacks against connected cars will involve data. It is not hard to imagine what kinds of risks this data might present if it falls in the hands of cybercriminals.
A chief concern is the lack of awareness among drivers that such an intricate ecosystem already exists. This hampers their ability to control their data and jeopardizes their privacy. Compounding this issue is that current legislations and regulations do not adequately address the use and collection of vehicle data.
Here are our recommendations for improving automotive data cybersecurity:
- Implement robust data protection measures. It is vital to implement robust data protection measures as vehicles become more advanced.
- Inform users. OEMs and other stakeholders should inform users about data collection practices, potential risks, and how to protect their data.
- Secure vehicle APIs. APIs are a common point of access for cybercriminals. Therefore, securing vehicle APIs should be a priority.
- Regulate data collection and usage. There is a need for clear regulations governing the collection, storage, and use of vehicle data.
- Develop secure middleware APIs. APIs should be designed with security in mind, including strong authentication and encryption, to prevent unauthorized access.
The automotive data ecosystem is an expansive and dynamic sector within the automotive industry, and is a major consideration in addressing cybersecurity gaps. Striking a balance between the innovation paved by this data and preserving the privacy and trust of drivers is essential in navigating the way forward.
Numaan Huq, Vladimir Kropotov, Philippe Lin, and Rainer Vosseler from Trend Research’s Forward-Looking Threat Research (FTR) tackle the automotive data ecosystem and its far-reaching implications in the research paper “Automotive Data: Opportunities, Monetization, and Cybersecurity Threats in the Connected Vehicle Landscape.”
Download the full paper
This research paper is part of the VicOne Automotive Cybersecurity Report 2023. Stay tuned as we will be updating this report with insights from publicly reported incidents from this year to give a wide-ranging view of the risks, threats, and challenges faced by the automotive industry and its data ecosystem.