We are used to defining cars by their primary function: to get us from one place to another. Increasingly, however, the very nature of the car is changing, forcing automotive companies and industry suppliers to adapt. A new vehicle rolling off the assembly line today has more lines of code than a modern passenger jet. It includes complex infotainment, telematics, and infrastructure systems, all of which must work together in perfect harmony and synchronization to keep the driver connected, informed, and safe.
Today’s connected vehicles offer not simply transportation but also advanced, highly customized information services. They can tell us the weather, read our email, make phones calls, or help us find the fastest way around an upcoming traffic jam. As autonomous driving technologies take hold, they are also increasingly taking on many of the tasks traditionally performed by a human driver. To do all this, the modern vehicle requires constant connection to the cloud and access to some of our most sensitive personal data.
According to KPMG, “The average new car has over 150 million lines of code – more than an F-35 fighter or Boeing 787.”
And the 2021 Upstream Global Automotive Cybersecurity Report claims that connected vehicles will comprise nearly 86% of the global automotive market by 2025.
The trend towards cars becoming increasingly capable, connected, and data-intensive will only gain momentum in the future. This means that automakers must find a way to secure the embedded systems that control every aspect of the car, and determine the quality, privacy, and safety of the driver experience.
An Emerging Crisis in Automotive Cybersecurity
As a result of the rapid rise of the connected vehicle, the industry faces a crisis of data protection and cybersecurity. To keep their vehicles competitive in the marketplace, compliant with regulators, and safe for drivers and passengers, automakers need a fresh approach. They must prioritize and execute security strategies that protect their business, reputation, and customers.
The threat is real and growing. In a well-publicized exploit in 2015, security researchers took complete remote control of a Jeep Cherokee, including cutting off the engine. These days, the hacks are less likely to come from white-hat hackers (academics and researchers testing security systems) than black-hat attackers.
“In order to attack a car, a hacker needs a way into the car’s system, says Asaf Ashkenazi, President and COO of Verimatrix who was quoted in AutoEvolution. “Fifteen years ago, this mostly meant access to the car physical interfaces, such as the OBD interface. Today, there are more remote entry points, including wireless interfaces, which dramatically increase the car’s attack surface. This attack surface also includes peripheral devices such as Android and Apple smartphones.”
In just 2020, companies targeted with successful, public “takeover” exploits – in which the hacker was able to seize control of the vehicle – included Honda, Mercedes-Benz, Tesla, and others. In the same year, India alone saw 4,118 vehicles stolen using key fob simulators, an increasingly popular means of auto theft globally.
Asaf continues, “Most carmakers recognize that cybersecurity should be taken seriously. Unfortunately, this does not always translate to direct actions or actions in the right direction. Carmakers are not always aware of all the risks and do not necessarily address security vulnerabilities based on the risk level.”
According to Danny Le, Principal, KPMG, “With the ability for thieves to cyber attack many cars at once, ‘attack one, steal many’ is the best characterization of today’s grand theft auto threat.”
See how we help protect the automotive industry
In some ways, we are still at the earliest stage of the danger. The looming threat of large-scale hacks, in which large groups of vehicles or entire fleets are taken over, is a massive concern for auto companies, consumer safety groups, and governments. A terrorist or ransomware operator could conceivably start and weaponize an entire convoy or cars, for instance by disabling the battery control systems that keep explosive materials from overheating.
Remote Keyless Systems (RKS) – also known as Keyless Entry or Remote Central Looking – are also at risk in most modern connected vehicle. RKS operates by sending a code transmitted via a short-range radio from the key to the car. Upon receiving the code, the car knows it is authorized to unlock the doors or start the engine.
With a physical RKS, a common threat is a replay attack.
A replay attack is when the attacker listens to the radio transmission, capturing the data sent by the key to the car. They can then unlock the vehicle by “replaying” the same code they captured.
Vulnerable in-vehicle infotainment (IVI) systems also leave auto manufacturers open to attack; data breaches, compliance fines and costly recalls are possible. Forward-thinking companies servicing the automative supply chain reduce risks and vulnerabilities with layered protection that makes their applications, APIS and devices self-defending — safeguarding their code from harm.
Most Common Attack Vectors in Automobiles
- Servers
- Mobile apps
- APIs
- Keyless entry/Key fob
- OBO port
- Infotainment
- IT network
- Sensors
- In-vehicle network
- WI-FI
Rethinking Security for Today's Modern Vehicle
The sheer range, variety, and complexity of the systems involved in today’s connected vehicles demand a fundamentally new approach to security. Security cannot be an afterthought; it must be engineered in from the beginning of the design stage. It must also be holistic and adaptable in nature, capable of addressing a broad range of threats and capable of responding to changing requirements. It must be simple and intuitive – both for the developers who need to embed it into the control software, as well as for the end customers who will interact with the vehicle. Finally, it must be resilient over time, providing “future-proof” protection that will endure for the life of the vehicle.
The priority for automakers and suppliers must be on identifying and securing all possible point of vulnerability with smart, flexible, resilient security. They must also recognize that the car is several things at once: a vehicle, a platform for connected entertainment, an information device, and a hub for massive amounts of data, both incoming and outgoing. Every aspect must be protected, including the sensitive and high-value data that flows back and forth to the cloud.
Even seemingly less critical interfaces demand protection. For example, an exploit targeting on-board infotainment apps may seem less obviously dangerous than one attacking a telematics system, until you consider that many automakers have now allowed apps to control or support the driving experience. Suddenly, that app-level exploit can turn into a back door that compromises driver security and safety. Even systems like Wi-Fi or Bluetooth can become targets for attackers.
Safety is Security in Connected Cars
Verimatrix offers robust, automated, and intelligent security solutions to keep connected cars safe. Our solutions for the connected car include:
- Protecting keyless entry systems
- Safeguarding in-vehicle infotainment systems
- Shielding mobile apps for automakers & suppliers
- Preventing endpoint attacks with extended threat defense
Verimatrix provides proven SaaS security solutions to protect the technology that drives connected cars. Leading automatrive brands trust Verimatrix to safeguard their data, their code, the content, and their customers. Contact your friendly Verimatrix threat defense consultant for a free automotive security assessment.
3 Security Imperatives for Vehicle App Manufacturers in 2024