The double-edged sword of connected cars and cybersecurity

15 March 2023

Connected technology can unlock new in-vehicle capabilities, such as over-the-air (OTA) updates and features on demand (FOD), as well as wider industry benefits. But these advances are accompanied by increasing cybersecurity threats. Autovista24 deputy editor Tom Geggus discusses this double-edged sword with Shira Sarid-Hausirer, vice president of marketing for Upstream Security.

Show notes

Upstream Security’s 2023 global automotive cybersecurity report

What is an automotive OTA update?

What is FOD?

Decoding the risks and rewards of software-defined vehicles

What can the automotive industry learn from historic cybersecurity issues?

Synopsis

In its fifth annual report, Upstream, a provider of data-management and cybersecurity solutions, analysed the cybersecurity risks facing the automotive industry. Its team of researchers investigated 1,173 incidents dating back to 2010, while also monitoring hundreds of deep and dark web forums.

While advancing vehicle technology enables connected features, these developments also create new attack opportunities. Cybersecurity threats against the automotive industry are growing rapidly, putting the likes of carmakers, fleet operators and insurers at risk.

Broadly, smart mobility ecosystems are attracting a growing number of stakeholders. There is a notable interest in subscription services, mobility-as-a-service (MaaS) and third-party mobile applications. However, all these opportunities will require risk management to protect personal safety, sensitive data, and confidence in the systems themselves.

‘As with any other connectivity and pieces of software, it is very often a double-edged sword. With this connectivity there are new attack vectors that begin to emerge,’ said Sarid-Hausirer. ‘The automotive and smart mobility ecosystem is only in the last few years becoming more aware of the threats that are associated with these fantastic opportunities that open up to all the different stakeholders.’

New attack vectors

One emerging attack vector is electric-vehicle (EV) infrastructure. While fundamental to the success of EVs, charging points accounted for 4% of total incidents last year. Sarid-Hausirer highlighted numerous examples of infrastructure attacks. One sought to make a geo-political statement, while other incidents had more disruptive motivations.

Elsewhere, application programming interfaces (APIs) enable communication between different pieces of software. While creating potential revenue streams for businesses across the automotive sector, these intermediaries can also introduce vulnerabilities. Upstream found that in 2022, the number of API attacks increased by 380% year on year, making up 12% of total incidents.

Attacks against connected automotive systems like these can be carried out by a range of different individuals or groups, often referred to as ‘hats’. While white hats look to help plug cybersecurity gaps, black hats might work to exploit vulnerabilities. Grey hats fall somewhere between these two categories. There are also owner hackers, who look to unlock features within their own vehicles.

Car companies have implemented various regulations and standards such as WP.29 R155 and ISO/SAE 21434. However, Upstream highlights that both simply emphasise the need for a high standard of cybersecurity analysis, without outlining specific solutions and processes. In the immediate term, automotive companies must try to wield the double-edged sword of connectivity and cybersecurity.