By Spencer Hsieh (Staff Threat Researcher, Automotive)
This year’s edition of WCX (World Congress Experience), SAE International’s annual conference for the engineering community of the automotive industry, recently took place at Huntington Place in Detroit, Michigan, from April 18 to 20. It provided a good opportunity for industry watchers to observe the newest technological developments in their field. In this blog entry, we discuss from a cybersecurity perspective the potential impacts of and risks from these latest developments and how the automotive industry can take a page out of the IT industry’s book in battling against similar security issues.
As pointed out during the keynote speech by Arm’s Dipti Vachani, one of the most important developments is software-defined vehicles (SDVs). Just like software-defined networking or software-defined radio, SDVs provide a convenient way to add new features to existing vehicle designs by only enhancing the software. This can greatly reduce development costs because it usually takes much longer to alter hardware design than software design. However, the reliance on software might also introduce new security issues.
The keynote speaker highlighted an oft-repeated set of interesting numbers: The software of a modern vehicle contains 100 million lines of code, compared to only 14 million lines for the flight software of a Boeing 787 passenger aircraft, and this number can even be five to 10 times higher for a fully autonomous vehicle.
These numbers illustrate the magnitude of the software code in a modern vehicle. Of course, it is impossible to write such a large amount of code from scratch. Engineers must rely on existing software libraries from other vendors or open-source projects. Therefore, learning how to write secure code and how to mitigate the risk from using software libraries from other sources is critical.
This is not a new security issue for the IT industry. Thousands of vulnerabilities are reported through the CVE system each year. And there are many high-profile cases of vulnerabilities existing in popular open-source software libraries, such as Heartbleed and Log4Shell. The problem with such incidents is not only their extent but also the difficulty in fixing them. The IT industry has struggled with this problem for a long time, and the automotive industry may leverage some of the experience gained by the IT industry.
ADASs and autonomous vehicle systems
Advanced driver assistance systems (ADASs) and autonomous vehicle systems were among the biggest topics during the conference, with around a dozen technical sessions dedicated to them.
The purpose of ADASs is to assist drivers through the use of various kinds of sensors. They can prevent accidents and injuries by reducing human errors. Autonomous vehicles leverage many ADAS techniques, enabling the vehicles to drive by themselves without human intervention.
It is no surprise that ADASs and autonomous vehicles rely heavily on AI to make decisions, and most of the security issues of AI also apply to ADASs and autonomous vehicles. One of the most important security issues of AI is privacy. Using real customer feedback to fine-tune AI models is one of the most effective methods to improve the performance of AI systems. For example, two of the biggest tech companies in the world were reported to have listened to customers’ conversations with their AI-powered products in order to enhance their products. And more recently, employees of a popular electric car company were reported to have shared via their internal messaging system sensitive images collected from customers’ cars. These incidents highlight the potential risks from collected data. A serious privacy issue might emerge if the feedback data is not properly protected.
Another hot topic during the conference was electric vehicles (EVs). Given the advancements in technology and pushes from governments around the world, most automotive manufacturers have developed plans to shift their major products from traditional combustion vehicles to EVs. However, the adoption of EVs could bring not only new opportunities but also potential cybersecurity risks for the automotive industry.
One of the most likely potential cybersecurity risks involves the charging network for EVs. It has long been proved in the IT industry that the introduction of a new communication interface also brings with it a new attack path. EVs are not the only products that have the charging issue; so do the mobile phones in people’s hands. One of the most effective methods of bypassing various kinds of protection measures and intruding on a mobile phone is through its charging port. This is the reason that the FBI recently advised people to avoid using free charging stations in airports, hotels, and shopping centers. This kind of attack could apply to EVs as well. But while most charging stations for mobile phones are provided free of charge, the energy from charging stations for EVs is much more costly and unlikely to be provided free. Therefore, malicious actors might not only attack EVs from charging stations but also attack a charging station itself to steal energy.
Learning from history
There are other potential cybersecurity risks that the automotive industry needs to face when adopting other new technologies. For example, new communication interfaces brought by vehicle-to-everything (V2X) will also result in new potential attack vectors. Although there are already some real cases of attacks against vehicles, such as attacks against keyless systems, many attack scenarios against vehicles have not happened in the real world yet. However, the IT industry has gone through a similar history. In the beginning, computer viruses were created just for fun and for showing off. Nowadays, the damage caused by cybercrime costs trillions of dollars each year. At first, the IT industry had to deal only with some teenage geeks. Today, it needs to fight against many organized criminals and even state-sponsored hackers every day.
As we have learned from the experience of the IT industry, as long as the monetary incentive exists, sooner or later, criminals will exploit the security vulnerabilities to make bank. It usually costs more to fix a security issue after incidents happen. The best practice, therefore, is to take security into consideration at the very first step and prevent an attack scenario from becoming a real threat.