In 2023, the automotive industry firmly set out on the road of innovation, even as it proved rife with cybersecurity challenges. This was reflected on the regulations that continued to drive the way forward for automotive cybersecurity.
In our report “VicOne Automotive Cyberthreat Landscape Report 2023,” which is the main component of the overarching VicOne Automotive Cybersecurity Report 2023, we provide an in-depth review of the past year from a cybersecurity standpoint. Our report highlights pressing security gaps and potential areas of concern that will help map the terrain for the coming year.
In this article, we summarize some of our major findings and key takeaways.
Being able to produce vehicles is what pushes automotive manufacturers (OEMs) and suppliers to implement standards and regulations. But since standards and regulations are difficult to implement for a combination of reasons, they opt for workarounds such as penetration testing and vulnerability management.
Another vital aspect of current standards and regulations, specifically ISO/SAE 21434 and UN Regulation No. 155 (UN R155), is the need to maintain life cycle monitoring, defined by the threat analysis and risk assessment (TARA) process. The TARA process, aided by penetration testing and vulnerability management, uncovers potential flaws and vulnerabilities throughout a vehicle’s life cycle.
Figure 1. Mapping out potential problems using penetration testing, TARA, vulnerability management (implied by bill of materials or BOM), and threat intelligence
However, while these processes and tools are already routinely practiced in the IT industry, this is not the case in the automotive industry. In addition, an unfiltered implementation of these processes and tools fails to account for the more specialized demands of vehicles, particularly on road safety.
We summarize below the challenges faced by many organizations in implementing penetration testing and risk/vulnerability management.
- Evaluation metrics are designed for IT sectors.
- Testing reports are often riddled with inconsequential findings, thus offering little aid in improving vehicle road safety or ISO compliance processes.
- Hastily launched related services in vulnerability management create more challenges for OEMs, such as false positives and irrelevant exhaustive vulnerability lists.
- The vast array of components and dependencies in modern vehicles makes it difficult to track potential risks across both software and hardware.
- The lack of unified standards makes it challenging to conduct incident response.
Likewise, organizations also face issues in conducting the TARA process.
- The TARA process described in ISO/SAE 21434 is vague with indeterminate requirements.
- Most offered solutions are merely tools that report, compile, or paraphrase ISO/SAE 21434 text.
- R&D and security departments in the automotive industry are ill-equipped to pinpoint potential failure scenarios for vehicles.
Automotive threat intelligence can help bridge the skill gaps and challenges presented by these processes and tools. Through a strong background of automotive threat intelligence, these processes can be interpreted to best suit the needs of the automotive ecosystem.
The threat landscape at a glance
Already, we observe that the current threat landscape exemplifies just why regulations push for security by design. Overall, a closer examination of the threat landscape reveals that cyberthreats and vulnerabilities in the automotive industry are on the rise.
Figure 2. The distribution of security incident case categories from the second half of 2022 to the first half of 2023
Our findings showed the continued prominence of cyberattacks in reported security incidents. Aside from cyberattacks, the top reported incidents involved immobilizers and the cloud through API-related incidents.
A vulnerable supply chain
Our closer examination of cyberattack incidents from the second half of 2022 to the first half of 2023 showed that a significant number of reported cyberattacks had their origins in entities in the automotive supply chain other than OEMs, including providers of services and diagnostics, and suppliers of automotive components.
Figure 3. The distribution of cyberattack case categories from the second half of 2022 to the first half of 2023
Alarmingly, about 90% of reported cyberattacks were aimed not at OEMs directly but rather at their suppliers. This is indicative of a common tactic by cybercriminals, who have been known to target less vigilant or protected firms.
Notable case studies
Case studies from notable incidents and discoveries brought to light flaws and underlying issues in modern vehicles:
- Zenbleed: Vehicles that employ AMD Zen CPUs as their core processors are vulnerable to Zenbleed, a vulnerability in AMD’s Zen 2 microarchitecture that could lead to the leakage of sensitive data at a remarkably fast rate of 30 kbps per core.
- CAN bus injection: Uncovered by Ian Tabor and Ken Tindell, this is an attack method that makes it easier for potential attackers to steal a vehicle and has often been used by criminals this year. Taking advantage of this method are hardware-based thief kits that are already being sold in gray markets online.
- Automotive cloud service compromise: Sam Curry and his team demonstrated how they were able to access the back-end cloud infrastructure of different OEMs by exploiting vulnerabilities in their telematics systems and APIs.
These case studies show the growing reality of cyberthreats to vehicles. The more the automotive ecosystem is enhanced with new technologies, the more its attack surface expands. These incidents also underscore the importance of validation at every level, from individual components to integrated systems, echoing the vision of regulations.
A secure equilibrium
As vendors venture more deeply into software-defined vehicles (SDVs), OEMs must be prepared for the radical changes in the automotive ecosystem. This advancement necessitates enhanced security measures that also take into account vehicle safety. The introduction of new features often simultaneously broadens a vehicle’s potential attack surface.
Here are our recommendations based on observations in our report:
- OEMs and suppliers opt for workarounds to standards and regulations, as these can be tremendously difficult to implement for some. In such cases, automotive threat intelligence and expertise should be consulted in implementing these workarounds, to best suit the needs of the automotive ecosystem.
- Cloud-related incidents were among the top reported ones in the automotive industry. One of the notable cases in 2023 also demonstrates the gravity of cloud-related security gaps. This issue highlights the importance of ensuring strict employment of known API best practices in the automotive industry.
- Hardware-based thief kits that exploit CAN bus security flaws are readily available in gray markets. The permanent solution to CAN-related issues is to adopt a zero-trust approach where further validation must be implemented regarding CAN messages.
- The advancement toward SDVs poses greater risks along with greater opportunities. While SDVs bear promise, the intertwining of safety, cybersecurity, and data privacy in their associated applications warrants a comprehensive and vigilant approach to ensure the safe and ethical deployment of these technologies.
For the automotive industry especially, further innovation should be tempered with a strong security stance. Ensuring robust security that bolsters growth rather than hinders it is the crux of automotive cybersecurity.
To learn more about our insights and get an in-depth look at our findings, read “VicOne Automotive Cyberthreat Landscape Report 2023.” As previously mentioned, this is part of the VicOne Automotive Cybersecurity Report 2023.