True horror: cybersecurity in the automotive industry

Tomcat

The auto industry took its first step into the digital age back in 1967, when the Volkswagen Typ 3 was released in Germany with the D-Jetronic electronic injection system from Bosch. Today, computer systems control almost all functions of most cars - from engine operating modes to windshield wipers.

As always, technological progress has its downside: the greater the role of software in the operation of technology, the more serious the threats to information security. The risks have become higher with the advent of so-called connected cars. It has gotten to the point where hackers can remotely take control of a car in reality: this is no longer just the fantasy of the Fast and the Furious writers.

In this article we will look at the main types of automotive cyber attacks and the risks associated with them. We will also talk about how the world and Russia are trying to combat such threats and what results this brings.

Millions of lines and thousands of errors

Various electronic control units (ECUs) are responsible for the operation of vehicle systems. A single car can contain up to 150 of them, which together amounts to roughly 100-150 million lines of code.

Figure: Additional ECU for Mercedes-Benz cars, used for engine tuning

For comparison: Boeing 787 software includes a total of 10-15 million lines of code, Lockheed Martin's F-35 stealth fighter 25 million, and a typical PC operating system about 40 million. The space shuttle carried people into space and returned them to Earth using only 400 thousand lines of code. Meanwhile, automotive firmware continues to swell: according to forecasts, by 2030 its volume will reach 300 million lines.

This is a dubious record from an information security point of view. In the automotive industry, there are about 1,000 bugs for every million lines of code. About 5% of them generate dangerous vulnerabilities. And this is still considered a good indicator. It turns out that the software of a modern car can contain more than 5 thousand errors that hackers can use destructively. Since the average lifespan of a car is 20-25 years, many of these dangerous bugs will pop up sooner or later, and at the most inconvenient moment.

How does the auto industry respond to threats? Every year, tens of millions of vehicles are recalled in the United States alone. And these are only the cases where defects threaten the safety of people and the environment: manufacturers are not required to report such "little things" as possible breakdowns or a reduced service life. In Europe in 2023, 283 recalls of 249 car models were recorded due to various defects. These include purely mechanical flaws as well as software problems that reduce the level of cybersecurity.

The situation is aggravated by the fact that hacker attacks on modern cars do not necessarily require physical access. Almost all new cars have at least one modem installed, which is necessary for the operation of various additional functions: remote heating, diagnostics of failures, etc. Such devices may well become an entry point for attackers.

In some regions, connecting a car to the Internet is mandatory, as with the European Union's eCall system. According to rough estimates, by 2030 there will be more than 900 million connected cars on the roads. Vehicles are increasingly integrated into digital ecosystems, which increases the attack surface.

There is a problem, the scale is unclear

Automotive information security really came into focus in 2015 after the spectacular hack of a Jeep Cherokee. Researchers remotely disabled the SUV while it was driving by exploiting a vulnerability in its infotainment system. Isn't that Fast and the Furious in reality?

This attack opened a "Pandora's box": vulnerabilities began to be found in car Wi-Fi modules, Bluetooth and NFC, and various telematics systems. Bosch engineer Martin Schmiedecker gave an overview of such research in his presentation. There have been many successful attacks to date, but most are the work of ethical hackers. How big is the submerged part of the iceberg?

The Internet is full of videos in which Mercedes, Tesla and Jeep cars are stolen in 60 seconds or even faster. This suggests a large number of real incidents. Authorities, media and automakers have not disclosed the number of cars hacked, so the scale of the problem is unknown. In any case, in early 2023, Hyundai and Kia released a software update for more than 8 million vehicles in the United States. This was meant to prevent a rise in thefts driven by TikTok instructions explaining how to start certain 2010-2021 models.

What exactly are the attack vectors that threaten the information security of cars? They can be divided into three main groups. Let's look at each in more detail.

Physical access attacks

In modern cars, data from many sensors and diagnostic systems is transmitted through a common communication bus. Special protocols allow all modules to interact through a single access point - an electronic control unit (ECU).

Often, various restrictions related to the size of components, wiring layout, and physical security requirements for devices prevent such a scheme from being implemented without flaws. As a result, attackers who can get close to the car can tap into the data buses connecting the controllers and sensors.

The first to sound the alarm on this issue was Ian Tabor, a cybersecurity researcher and automotive consultant for EDAG. For several days, the attackers prepared to steal his Toyota RAV4, until they finally stole it using a JBL Bluetooth speaker connected to the system bus through the headlight wiring. And in April 2023, it became known that cars are being stolen in the United States the same way, with the "indestructible" Nokia 3310 phone serving as the device that talks to the control system.

Figure: The insides of a Bluetooth speaker modified for CAN injection

Often, thieves make a hole near the wheel, gain access to the CAN bus (Controller Area Network) and, if the system is poorly protected, reprogram the ECU to unlock and start the car. The researchers called this attack CAN Injection. This method of theft works, for example, with Maserati, Land Cruiser and Lexus cars.

Headlights, lidars and radars have proven to be the most vulnerable to hackers, as manufacturers often connect them directly to internal data buses. Cars of many brands have such “Achilles' heels” due to similar wiring layouts.

Design errors combined with vulnerable architecture compound the risks. In the diagram below, you can see radars and cameras on one of the car's buses. It would seem that there is no problem here, because this bus is isolated from the others. The catch is that the electronic braking system (EBS) sits in the same segment, since it requires access to the brake control unit (ECU).

[Diagram: radars and cameras sharing a bus with the electronic braking system (EBS)]
This gives hackers carte blanche to attack. Having gained unauthorized access to the braking system via the radar, an attacker could potentially send an ECU Reset command to the EBS, forcing an emergency stop of the car, which would most likely lead to an accident.

Of course, in reality everything is not so simple. Access to the ECU is usually protected by an authentication procedure called Security Access. The client (a tester or programming tool) sends a seed request to the ECU. The ECU generates a random value (the seed), computes the expected key from it using an algorithm and a secret key, and sends the seed back to the client. The client must compute the key in exactly the same way. The ECU compares the results and grants access only if they match.

[Diagram: Security Access seed/key exchange between the client and the ECU]
However, the requirements for implementing Security Access in cars are unclear, and this creates vulnerabilities. Here are the most common ones:
  • flawed authentication algorithms;
  • weak sources of randomness for generating seeds and keys, such as the system clock, as shown in the "UDS Fuzzing and the Path to Game Over" talk at the TROOPERS conference;
  • backdoors: additional sub-services with extremely weak protection;
  • unprotected bootloaders.

These are the vulnerabilities that thieves armed with Nokia phones and music speakers exploit.
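As an added illustration (not code from the article), here is a hypothetical Python model of the Security Access exchange described above: the ECU generates a seed from a CSPRNG, both sides derive the key with an HMAC over the seed and a shared secret, and the ECU locks out after a few wrong keys. It also includes an audit check a tester can use to flag a weak seed source, such as the clock-based one from the TROOPERS talk, by counting repeated seeds across sessions. The service and negative-response byte values are from ISO 14229 (UDS); the key-derivation function, seed length and lockout threshold are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# ISO 14229 (UDS) byte values used below.
SECURITY_ACCESS = 0x27
POSITIVE_RESP = SECURITY_ACCESS + 0x40          # 0x67
NEGATIVE_RESP = 0x7F
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36


def derive_key(secret: bytes, seed: bytes) -> bytes:
    """Seed-to-key function shared by ECU and client (assumed: HMAC-SHA256, truncated)."""
    return hmac.new(secret, seed, hashlib.sha256).digest()[:4]


class Ecu:
    """Hypothetical ECU side of SecurityAccess. seed_source is pluggable so the
    same model can be audited with a weak (e.g. clock-based) seed generator."""
    MAX_FAILED = 3  # assumed lockout threshold

    def __init__(self, secret: bytes, seed_source: Optional[Callable[[], bytes]] = None):
        self._secret = secret
        self._seed_source = seed_source or (lambda: secrets.token_bytes(4))
        self._pending: Optional[bytes] = None
        self._failed = 0
        self.unlocked = False

    def request_seed(self) -> bytes:
        if self._failed >= self.MAX_FAILED:
            return bytes([NEGATIVE_RESP, SECURITY_ACCESS, NRC_EXCEEDED_ATTEMPTS])
        self._pending = self._seed_source()
        return bytes([POSITIVE_RESP, 0x01]) + self._pending

    def send_key(self, key: bytes) -> bytes:
        if self._pending is None:
            return bytes([NEGATIVE_RESP, SECURITY_ACCESS, NRC_REQUEST_SEQUENCE_ERROR])
        expected = derive_key(self._secret, self._pending)
        self._pending = None               # a seed is valid for exactly one attempt
        if hmac.compare_digest(expected, key):
            self.unlocked, self._failed = True, 0
            return bytes([POSITIVE_RESP, 0x02])
        self._failed += 1
        return bytes([NEGATIVE_RESP, SECURITY_ACCESS, NRC_INVALID_KEY])


def client_unlock(ecu: Ecu, secret: bytes) -> bool:
    """Tester/programmer side: request the seed, compute the key, send it."""
    resp = ecu.request_seed()
    if resp[0] == NEGATIVE_RESP:
        return False
    return ecu.send_key(derive_key(secret, resp[2:]))[0] == POSITIVE_RESP


def seed_repeat_ratio(ecu: Ecu, samples: int = 50) -> float:
    """Audit check: fraction of repeated seeds over `samples` requestSeed calls.
    A CSPRNG-backed seed stays near 0; a clock-based seed repeats heavily."""
    seen = set()
    repeats = 0
    for _ in range(samples):
        seed = ecu.request_seed()[2:]
        if seed in seen:
            repeats += 1
        seen.add(seed)
    return repeats / samples


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print("unlocked:", client_unlock(Ecu(secret), secret))
```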

Attacks via telematics

Most modern cars are equipped with telematics systems. They allow the driver, for example, to remotely unlock the doors or turn on the air conditioning. At the same time, telematics makes it possible to attack a car from a short distance.

The most common are so-called relay attacks on cars with keyless entry systems. Hacking a car this way is quite simple: everything can be accomplished in less than a minute, and legally purchased repeaters can be used as tools.

True, such a trick requires two attackers. One holds a repeater near the car, and the other brings the paired device as close to the key fob as possible. The car and the key fob emit a low-frequency signal. Once within range of each other, they exchange a series of messages and authentication "requests". Only then does "open sesame" happen and the car unlocks.

The repeater receiver detects the low-frequency signals from the key fob, converts them to a high frequency (for example, 2.4 GHz), and transmits them over a distance to the second device. There, everything is converted back to a low frequency and sent to the car, which "believes" that the key fob is nearby, although in fact it may be lying on a shelf in the driver's house. All the thieves have to do is open the door and start the engine. As researchers from Beijing have shown, even the ultra-wideband keyless entry system of the latest Tesla models is susceptible to this technique.

The key fob is not the only wireless interface in modern cars. Another entry point for attackers could be, for example, the charging infrastructure for electric vehicles. Hackers are exploring the Open Charge Point Protocol (OCPP), which establishes communication between a charging point and the backend of its operator (CPO) or mobile service provider (MSP). The protocol has been used to carry out distributed denial of service (DDoS) attacks.

Other possible loopholes for hackers include 4G connections, Wi-Fi, Bluetooth and other radio signals, including RFID, such as those that enable tire pressure monitoring systems.

Researcher Thomas Sermpinis, in turn, presented a real-life hacking scenario for supercars from a well-known manufacturer. These cars had built-in network connectivity for personalized customer support and a dedicated ECU for cellular and Internet connectivity. The telematics unit was connected to the head unit over some interface (it could be RS-485, a serial link, BroadR-Reach or something else). The image below roughly represents the architecture described. Its obvious weakness is that many components are connected directly to the head unit.

[Diagram: telematics unit and multiple ECUs connected directly to the head unit]
Since ECUs have many publicly accessible services (SSH and others), they must be isolated using hypervisors in the head unit or in some other way. A gateway should also be provided to filter requests that come from the telematics unit.

Here, several ECUs are directly connected to the gateway and the head unit. If the head unit is compromised, the attacker has direct access to the Battery Management System (BMS), the inverter, and the full set of batteries. Nothing then prevents the attacker from performing an ECU Reset of the BMS unit or a combined reset of all batteries, effectively cutting them off from the car and bringing it to a stop.

The researcher was able to carry out such an attack successfully. As an additional proof of concept, Sermpinis gives an example with a blind-spot detection sensor. On receiving the ECUReset command, the sensor blinked as it went through a full off-on cycle. This is not as dangerous as resetting the batteries, but it is confusing for the driver, who may think there are objects in the blind spot and perform unnecessary maneuvers. Problems may also arise with adaptive cruise control when the system is used to change lanes.
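As an added example, not code from the article or from the researcher's talk, here is a Python model of the request-filtering gateway the text calls for, covering both the radar-to-EBS ECU Reset scenario from the physical-access section and the telematics-to-BMS one above: a default-deny allowlist keyed on (source segment, UDS service, target ECU) that drops anything outside the policy, answers with a negative response, and records the event for the vehicle's intrusion detection. The segment names, ECU names, sample traffic and the policy itself are constructed assumptions; the service identifiers and the securityAccessDenied code are from ISO 14229.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# UDS service identifiers and negative response code (ISO 14229).
ECU_RESET = 0x11
READ_DATA_BY_ID = 0x22
SECURITY_ACCESS = 0x27
NEGATIVE_RESP = 0x7F
NRC_SECURITY_ACCESS_DENIED = 0x33


@dataclass
class Request:
    source: str       # bus segment the request arrived on (constructed names)
    target: str       # destination ECU (constructed names)
    sid: int          # UDS service identifier
    payload: bytes = b""


# Constructed default-deny policy: (source segment, service) -> ECUs it may reach.
# The workshop diagnostic port keeps full access; the telematics unit may only read
# data from the BMS; the radar segment has no diagnostic rights at all.
ALLOW: Dict[Tuple[str, int], Set[str]] = {
    ("diag_port", ECU_RESET): {"bms", "ebs", "blind_spot"},
    ("diag_port", SECURITY_ACCESS): {"bms", "ebs", "blind_spot"},
    ("diag_port", READ_DATA_BY_ID): {"bms", "ebs", "blind_spot"},
    ("telematics", READ_DATA_BY_ID): {"bms"},
}


@dataclass
class Gateway:
    audit_log: List[str] = field(default_factory=list)

    def forward(self, req: Request) -> Tuple[bool, Optional[bytes]]:
        """Return (forwarded?, reply). Denied requests are dropped, answered with a
        UDS negative response, and logged for the vehicle's intrusion detection."""
        if req.target in ALLOW.get((req.source, req.sid), set()):
            return True, None
        self.audit_log.append(
            f"DENY source={req.source} target={req.target} sid=0x{req.sid:02X}")
        return False, bytes([NEGATIVE_RESP, req.sid, NRC_SECURITY_ACCESS_DENIED])


def process(gateway: Gateway, requests: List[Request]) -> Dict[str, int]:
    """Run a batch of requests through the gateway and count the outcomes."""
    stats = {"forwarded": 0, "denied": 0}
    for req in requests:
        ok, _ = gateway.forward(req)
        stats["forwarded" if ok else "denied"] += 1
    return stats


# Constructed sample traffic mirroring the article's scenarios.
SAMPLE_TRAFFIC = [
    Request("telematics", "bms", READ_DATA_BY_ID, b"\x01\x00"),  # app reads charge state
    Request("telematics", "bms", ECU_RESET, b"\x01"),            # reset BMS from head unit
    Request("radar", "ebs", ECU_RESET, b"\x01"),                 # reset brakes via radar bus
    Request("diag_port", "blind_spot", ECU_RESET, b"\x01"),      # workshop tool, allowed
]

if __name__ == "__main__":
    gw = Gateway()
    print(process(gw, SAMPLE_TRAFFIC), gw.audit_log)
```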

Attacks on applications and platforms

Not only hackers, but also the manufacturers themselves can seize control of your car: turn on and off paid options and even block control in case of theft. Cars are constantly connected to company servers through separate interfaces, which sometimes also become a loophole for attackers. Sometimes entire fleets of vehicles are attacked.

Thus, in 2022, a researcher under the nickname @specters found a way to remotely control all Nissan and Infiniti cars connected to the Internet using only Burp Suite. After examining the authorization mechanism in the Nissan application, he discovered the "accountSource" field with the value "customer".

Figure: Nissan mobile app registration request

The researcher simply replaced it with "dealer" and, bingo, received administrative access and the ability to send commands to any connected car. He was able to lock and unlock doors, start and stop the engine, and track the location of the car. It is not known what conclusions the company drew. However, Nissan recently confirmed that the call center it set up to handle customer inquiries after another data breach was itself hacked.
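An added example, not from the article or from Nissan's code, showing the class of bug behind the "accountSource" finding in Python: the vulnerable handler trusts the role the client sends, while the hardened one takes the role from the backend's own session record, scopes every role to its own vehicles, and logs any mismatch between the claimed and actual role as a detection signal. The session store, tokens, VINs and response format are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed session store: the role and vehicle scope the backend knows per token.
SESSIONS: Dict[str, dict] = {
    "tok-customer-1": {"user": "alice", "role": "customer", "vins": {"VIN-A"}},
    "tok-dealer-1":   {"user": "bob",   "role": "dealer",   "vins": {"VIN-B"}},
}
PRIVILEGED = {"dealer"}


def dispatch_vulnerable(token: str, body: dict) -> Tuple[int, str]:
    """Mirrors the bug: the privilege decision reads the client-supplied field."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, "no session"
    if body.get("accountSource") in PRIVILEGED or body["vin"] in session["vins"]:
        return 200, f"{body['command']} sent to {body['vin']}"
    return 403, "forbidden"


def dispatch_hardened(token: str, body: dict, audit: List[str]) -> Tuple[int, str]:
    """Role comes from the server-side session; the request field is only evidence."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, "no session"
    role = session["role"]                       # backend's own record, never the request
    claimed = body.get("accountSource")
    if claimed is not None and claimed != role:  # client claims a role it does not hold
        audit.append(f"role mismatch user={session['user']} claimed={claimed} actual={role}")
    if body["vin"] not in session["vins"]:       # every role, dealers included, is scoped
        return 403, "forbidden"
    return 200, f"{body['command']} sent to {body['vin']}"


if __name__ == "__main__":
    log: List[str] = []
    req = {"accountSource": "dealer", "vin": "VIN-B", "command": "unlock"}
    print(dispatch_vulnerable("tok-customer-1", req), dispatch_hardened("tok-customer-1", req, log), log)
```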

In January 2022, another ethical hacker, David Colombo, gained access to more than two dozen Tesla electric vehicles in 13 countries. The researcher examined the source code of the TeslaMate application and found guest access to Grafana dashboards as well as an unencrypted API key. With it, an attacker could open doors and windows, start keyless driving, and change air conditioning settings.

Finally, Sam Curry describes a whole host of privilege escalation attacks on the CMS and administrative panels of Kia, Honda, Acura, Hyundai, Genesis, Ferrari and Spireon. Authorization bypass, SQL injection, and regular expression vulnerabilities in Spireon systems allowed Curry to completely take over a multi-fleet management system and send arbitrary commands to 15 million vehicle telematics systems.

How real are the risks?

So far, nothing is known about actual criminal attacks on cars through manufacturer infrastructure. But who can guarantee that there are no latent compromises in the automakers' infrastructure? As these examples show, the level of cybersecurity can be low even among the largest concerns.

Some analysts do not rule out attacks on cars following the ransomware model. Attackers are unlikely to demand payment from individual car owners to unlock their cars, but by paralyzing a fleet of one brand, they could extort money from an entire company.

One way or another, for now all this remains at the level of concern. But thefts and major leaks of personal data due to vulnerabilities in automotive systems have already become an objective reality. For example, in 2021, the data of 3.3 million American Volkswagen and Audi owners was put up for sale on a hacker forum. And the location data of more than 2 million Japanese Toyota owners remained publicly accessible until May 2023 due to a misconfiguration of the company's cloud storage.

A recent Mozilla study called modern cars a “privacy nightmare”: about 84% of automakers transfer or sell their customer data to third parties.

Car companies may collect personal information about how you interact with your car, connected services, car app and data from your phone, as well as information from third party sources.

The ways they collect and share your data are vast, complex and confusing. They can collect very intimate information - from medical and genetic information to data on sex life, driving speed, routes and music listened to. And all this in huge volumes. This data is then used to draw conclusions about things such as intelligence levels, abilities and interests.
Moreover, according to the study, the methods of none of the auto brands meet even the minimum security standards for information processing.

How to counteract information security threats in the automotive industry

The starting point in the fight against such threats was the creation of the Automotive Safety Research Group in 2017. By 2021, it had developed the industry standard ISO/SAE 21434 on automotive cybersecurity. At the same time, the UN working group on the harmonization of vehicle regulations introduced two important regulations:
  • UN Regulation No. 155 - Cybersecurity.
  • UN Regulation No. 156 - Software Updates.

They come into force in July this year and oblige manufacturers to provide protection for every new car throughout its entire life cycle. A certification system based on the "zero trust" concept is planned: suppliers of software, applications, services and other industry participants will receive certificates for access to automotive systems.

Figure: First page of UN Regulation No. 155

According to the plan, safety will become the cornerstone of the automotive industry. Component manufacturers will begin to adhere to coding guidelines for structured programming (MISRA C/C++, AUTOSAR or, for example, CERT C), and automakers will have to develop incident response plans. To protect connected cars from cyber attacks, they are integrated with a cybersecurity management system (CSMS).

According to some forecasts, thanks to such measures, the global automotive cybersecurity market will grow to $22.2 billion by 2032. The annual growth of this important area will be about 22%.

Expectations and reality

Forecasts are forecasts, but how much is the auto industry really ready to invest in the development of cybersecurity? According to a Kaspersky Lab survey, although many manufacturers are aware of such problems, they have not yet found effective solutions. The survey revealed that 63.5% of responding managers are poorly involved in the process of implementing new standards, such as R 155/156 UNECE WP.29 and ISO 21434.

Top executives in the auto industry are not seeing enough return on their investments in cyber intelligence. They also find it difficult to prioritize due to confusion in the terminology used to describe threats. Moreover, 34% of respondents cite the integration of infotainment systems and connectivity technologies from software providers as the main risk for the supply chain.

We can only hope that the UN regulations mentioned above will help automakers build proper cybersecurity processes, since that is the goal both regulations pursue. True, they are formulated in general terms and leave room for interpretation.

The requirements of R155 apply only to new car models released after July 1, 2022. Tens of millions of older cars are not subject to the standard. Manufacturers are not required to ensure their cybersecurity and are likely to discontinue support and stop releasing updates after a few years, as happens with smartphones. Therefore, car break-ins are likely to remain commonplace.

Unfortunately, there is little hope that politicians and lawyers will solve the problems described. For starters, how can authorities decide when an extreme measure such as a car recall is justified?

Some hacks are not technically related to road safety (for example, rolling down windows), but in fact can lead to theft or distract the driver's attention. Experience has shown that even when a country places equal emphasis on safety and scalability (two variables that should determine response), one company's products are sometimes recalled within 48 hours, while another's are recalled five years later.

Another important question is how many vehicles undergo a full threat analysis with a third-party auditor. It is not certain that every manufacturer has such information on its own products, let alone a regulator with statistics for an entire country or region. Yes, some brands require suppliers to undergo a cybersecurity assessment before delivery, but this is not always enforced.

What about in Russia?

Now let's turn to the domestic automobile market. It is being captured at blitzkrieg pace by Chinese manufacturers, whose information security has not been properly researched. But most experts agree on one thing: budget Chinese cars are poorly protected from theft.

Thus, according to automobile safety specialist Alexei Kurchanov, cars from the Middle Kingdom have low security.

We have identified a lot of vulnerabilities. For example, it is quite easy to turn off the factory alarm. There are about four methods for doing this. For example, using the well-known method of relaying using "fishing rods".

According to Kurchanov, it is not much more difficult to disable the factory telematics security system. And the standard immobilizer can be easily bypassed by programming a new key and changing the PIN codes within a minute. Access codes for many Chinese cars are openly posted on the Internet: reprogram and go.

Owners of Zeekr or Lixiang may encounter this. Chery, incidentally, has its own sub-brands, Exeed and Omoda. They share the same platforms, and the software is similar, so theft resistance is equally low. The same applies to the Great Wall group, which includes the Haval and Tank brands: they are equally susceptible to electronic tampering. This can be explained by the fact that brands save money and try to reduce the production cost of their models as much as possible.

All this is the purely everyday side of the issue. Speaking of platforms, many European experts are concerned about cybersecurity risks due to the growing sales of Chinese vehicles and components. And the US Department of Commerce has launched an investigation into potential security threats from "connected vehicles" containing components from China.

As far as I know, no one in Russia is seriously asking such questions yet. The reality is that the state and car owners are simply obliged to demand that manufacturers implement effective cybersecurity measures at all levels. Automotive companies need to secure their entire chain: from the attack surfaces of the car itself to the corporate infrastructure. It is also important for them to continuously monitor suppliers. They have a lot of work ahead of them.

Instead of conclusions: how to improve the information security of cars

This issue deserves a detailed analysis and a separate article, but at the end of this material it is worth mentioning at least the basic, most necessary measures.
  1. Segmentation and isolation. Automakers must create segmented and isolated networks within vehicles to prevent unauthorized access to critical systems.
  2. Application of hardware security modules (HSM). They are integrated into vehicles to handle cryptography, secure key storage, and authentication. Such modules help ensure the integrity and confidentiality of data that circulates inside the vehicle and is sent to external systems.
  3. Regular over-the-air (OTA) security updates, similar to those released for smartphone operating systems.
  4. Encryption. It is critical to protecting data transferred between vehicles, servers and external devices.
  5. Limiting the collection of confidential data and anonymizing it. Manufacturers need to maintain a balance: collect the data necessary for the innovative development of cars without exploiting users as a data source.
  6. Implementation of advanced infrastructure protection techniques. Protecting modern cars means more than worrying about the information security of individual vehicles. It is a complex task that extends to all corporate assets.