You’re on your way to work in your shiny new Tesla, savouring your morning coffee when suddenly your entertainment system starts blasting music at full volume and your headlights begin to flash. You turn the radio off, but it starts again as if it has a will of its own. You slow down to get out, and unlock the doors, but they just lock again.
Science fiction? Think again.
In January 2022, 25 Tesla’s were hacked simultaneously by a 19-year-old IT specialist, who exploited a vulnerability in a third-party app that some Tesla owners use. This exploit enabled the hacker to carry out all the above pranks from the third-party server, as well as tracking the vehicles’ locations which were around the globe.
But this hack is only the tip of the iceberg. If it’s possible to compromise two dozen vehicles through a third-party app, just imagine the consequences of a cyber criminal gaining remote control over an entire vehicle fleet and demanding a huge ransom payment to unlock the vehicles. As ransomware attacks continue to rage (300 million in 2021), such a scenario is becoming ever more likely.
The fact that Tesla was hacked should not be taken lightly. This trailblazing company represents the future of the mobility market and symbolises the ‘state-of-the-art’ when it comes to automotive technology. Any development related to Tesla, particularly a cyber attack, has a dramatic impact on ‘traditional’ automakers also looking to upgrade their technologies.
Connectivity + software = risk
So how did our precious cars become the target of cyber attacks?
Over the past decade, the mobility market has undergone a massive digital transformation. Today virtually all vehicles come with built-in connectivity options for receiving and transmitting information. However, the benefits of software-driven, connected vehicles don’t come without a cost. Think about what happened in the computer world 30 years ago. As soon as computers became connected via a network, they also became vulnerable to new types of threats (today every company protects its network). The same is true for today’s mobility market.
The current megatrends in the automotive industry—from autonomous vehicles to cloud-based functionality and shared mobility—expose vehicles to greater cyber risk. Automotive is already the world’s 8th most targeted sector by cyber attackers and connected vehicles could become yet another attack vector for infiltrating manufacturers’ IT systems and facilities.
To support new electric and autonomous vehicle technologies, the automotive industry is investing massive resources in software development. Car manufacturers want full control over these software components, which adds to the complexity of protecting the vehicle from an expanding and sophisticated attack surface. Moreover, integration into current business architecture, bigger attack surfaces, and the sheer volume of data (25 GB of data/hour/vehicle) are expected to further increase cyber risk in the coming years.
The future of automotive will be based on a technology-centric and software-focused approach, with new features and feature upgrades being delivered via software updates. The ability to provide ongoing enhancements, including cyber security updates, once the vehicle has left the factory will become a key competitive requirement for automakers moving forward.
Functional safety and cyber security go hand-in-hand
The automotive industry has always put safety first—seat belts, airbags, radar to prevent accidents, etc. However, as vehicles become more connected, autonomous, and software-driven, safety and security are becoming interdependent. In other words, for a system to be functionally safe, it must also be secure.
Unlike IT security, which focuses on protecting networks and data, automotive cyber security directly impacts driver and passenger safety. Vulnerabilities in vehicle software, regardless of their source (supply chain, over-the-air update), could lead to cyber attacks that compromise a vehicle’s braking or airbag systems with potentially life-threatening results.
Cyber security for a changing world
Today’s vehicles are not sufficiently protected against cyber attacks. The industry is very dynamic—new software-based features and apps are being developed all the time, along with new interfaces such as charging stations, which opens the door to new and sophisticated attack vectors.
To ensure vehicle safety and to comply with new security regulations for the automotive industry, such as UNR 155 and GB/T, car manufacturers and Tier 1 suppliers are investing in advanced cyber security solutions to defend against sophisticated cyber threats.
As a first step, automakers and their cyber security partners should identify and specify requirements for in-vehicle security controls, based on a thorough threat analysis of the overall end-to-end vehicle architecture. The in-vehicle controls (e.g., network monitoring) should be supported by backend technologies (e.g., Vehicle Security Operation Center) for monitoring and responding to any security incidents. Some of the most common capabilities being introduced today by car manufacturers include network traffic monitoring and filtering (such as CAN or Ethernet Intrusion Detection System), hardening and monitoring of applications, and stricter segregation and separation of functionality.
More advanced technologies and tools that should be considered include vehicle-level anomaly detection and reporting, repetitive vulnerability scanning of vehicle software, backend analytics, and secure software update mechanisms.
New business opportunities
In many ways, cars have become an extension of the home and office. People spend hours commuting every day, managing their private lives from their cars via smartphones. Like the way we sacrifice our privacy when using smartphones, today’s connected vehicles know our location and can listen and gather information on what we’re doing, and have access to our most private data, not to mention the cameras, sensors, and microphones which are deployed in the car.
As these security and privacy risks grow, we’re not far from the day when consumers are going to care as much about a car’s cyber security features as they do about battery size, operating range, and charging time. And this could lead to new opportunities for car manufacturers to monetise cyber security—from the installation of tens of millions of built-in intrusion detection agents in their vehicles to value-added data services based on real-time analyses of the driver and vehicle-generated data.
Looking ahead, automotive cyber security needs to extend beyond vehicles to encompass the entire mobility ecosystem. As technologies continue to improve, new cyber security solutions and services will be required for charging stations, anti-theft solutions, securing connectivity, and protecting data between the vehicle, the cloud, smart city elements, and other interfaces.
Sometimes, technology is a double-edged sword. Just ask any teenage hacker.
About the author: Ronen Smoly is Chief Executive of Argus Cyber Security