Navigating the cyber security challenges posed by connected vehicles
An exploration of the cyber security risks associated with autonomous, electric and connected vehicles and how to overcome them
Add bookmarkDigital acceleration is revolutionizing industries across the globe, and the automotive sector is at the forefront. There are currently an estimated 48.6 million autonomous vehicles worldwide, with this number predicted to grow to 54.2 million in 2024.
While this rise in smart vehicles is undoubtedly exciting, it also brings with it a whole host of considerations those in the automotive industry must make to protect their customers from a new threat: cyber attacks against autonomous, connected and electric vehicles. In fact, automotive cyber security company Upstream found that automotive API attacks against self driving vehicles alone had increased by 380 percent from 2021 to 2022.
Tina Grant, quality assessor at UK-based aerospace company Aeorspheres explains that this is because the increased software and hardware used within autonomous, electric and connected vehicles can lead to increased access points for hackers: “Today's automobiles come equipped with automatic features including airbags, power steering, motor timing, door locks, and adaptive cruise control aid systems. These vehicles use Bluetooth and Wi-Fi to connect, which exposes them to a number of security flaws or hacking threats.
“With more autonomous vehicles on the road in 2023, it is anticipated that attempts to take control of them or listen in on conversations will increase. Automated or self-driving cars employ an even more complicated process that demands stringent cyber security precautions,” she explains.
In this article, we explore some of the common cyber security risks posed by autonomous, electric and connected vehicles and how to overcome them.
The cyber security dangers posed by autonomous, electric and connected vehicles
Hackers causing distracted driving
If hackers can gain access to an autonomous, electric or connected vehicle’s network, they can remotely force the vehicle to complete processes, even if these processes seem mundane. The dangers of this have already been explored by cyber security researcher and founder of cyber security software company Columbo Tech, David Columbo.
In January 2022, Columbo explained via posts on X (formerly Twitter) that he had been able to hack and gain remote access to “over 20 Tesla’s[sic] in 10 countries” allowing him to “remotely run commands on 25+ Tesla‘s[sic] in 13 countries without the owners’ knowledge”. While Columbo did not have “full remote control” – meaning did not have control over the steering, acceleration or braking of the vehicles – he warned that malicious actors having even partial remote-control access was dangerous.
Columbo explained that even if malicious actors could only remotely play loud music, open windows or doors or flash a car’s headlights repeatedly, this could put both the driver’s and other motorists’ lives in danger, especially if the car was driving at speed or in a busy area.
Tesla investigated the issue after Columbo shared information about the vulnerability with the company. The company confirmed that it had immediately revoked the access tokens and notified the owners of the issue.
No matter the scope of the attack, malicious actors remotely accessing autonomous, electric and connected vehicles is undoubtedly a cyber security risk that must be considered when increasing the vehicle’s cyber defences.
Malicious software attacks
As with all technology, the risk of infection by malicious software is a risk for autonomous, electric and connected vehicles. As Augustin Friedel, senior manager of mobility transformation at MHP, a Porsche company, explains: “a software-defined vehicle relies on advanced software, AI and computing technology to control and manage the different vehicle systems.”
As this advanced software provides malicious actors with more potentially vulnerable access points than the average computer, this means that malware can pose a heightened risk.
In Security challenges for connected and autonomous vehicles, Emyr Thomas, operational technology lead consultant at BAE Systems, explains that malware attacks could be launched against these vehicles with the aim of creating botnets for cryptojacking (where endpoints are used to mine for cryptocurrency without the victim’s knowledge) or for launching Distributed Denial-of-Service (DDoS) attacks. This is because of the computing power held within the electronic control units (ECUs) of autonomous, electric or connected vehicles.
This would allow malicious actors to launch other, more disruptive attacks against prominent companies, taking their websites and/or networks offline and interfering with their business processes. Alternatively, it could allow them to mine for cryptocurrency without the car owner knowing, causing disruption to the vehicle’s processes and draining its battery life.
Both of these outcomes could have massive ramifications for both the vehicle owner and any other victims targeted by the malicious software, highlighting the importance of reinforcing autonomous, electric and connected vehicles’ networks against cyber attacks.
Insider threats
Automotive manufacturers are always looking to protect their proprietary designs from being shared with those outside the company. As the manufacture of autonomous, electric and connected vehicles grows, these proprietary designs will become even more valuable, and the risk of malicious insider threats will also increase.
In Securing the future of mobility: Addressing cyber risk in self-driving cars and beyond by Deloitte University Press, researchers Leon Nash, Greg Boehmer, Mark Wireman and Allen Hillaker note that the information employees working on autonomous, electric and connected vehicles have access to may pose an increased cyber security risk.
To do this, they explore a hypothetical scenario where a software developer learns of a critical vulnerability in a vehicle’s software concerning the software that allows the vehicle to communicate with anything that may affect or be affected by it: “Consider a hypothetical software developer partnering with a [vehicle to anything] (V2X) device manufacturer that ships and configures devices that enable connected infrastructure. When the developer’s lead engineer leaves the organization, he takes with him critical trade secrets and knowledge of a backdoor into the root of the V2X system. Perhaps because of discontent with his former employer, he leaks information about the security bypass, making vulnerable hundreds of thousands of installed and active devices.
“The attacks could begin as irksome pranks but soon escalate. Targeting one city, hackers could manipulate information to tell traffic apps and rideshare vehicles that there is construction on every street, causing accidents and delays in emergency service response. Next, they could remotely quadruple the amperage of electric vehicle charging stations which could result in fires,” they conclude.
While this scenario is only a hypothetical, it makes the risks of insider threats in the context of autonomous, electric and connected vehicles clear. It also serves a reminder that data safety and privacy is crucial to good cyber security.
Overcoming the cyber security risks of autonomous, electric and connected vehicles
While autonomous, electric and connected vehicles undoubtedly carry cyber security risks, it is important to recognise that these cyber security risks can be neutralized.
Preventing unauthorized access by malicious actors
Azzam Sheikh, digital strategist at car parts manufacturer Carifex, explains that a multi-faceted approach to SDV cyber security is necessary as the risks are varied. For Sheikh, this includes rigorous software security testing, regular updates to patch vulnerabilities, and robust encryption protocols to safeguard financial data. He also recommends that strong authentication measures are put in place to ensure the identities of those conducting financial transactions within autonomous, electric and connected vehicles are properly validated.
Another key aspect of increasing the cyber resilience of autonomous, electric and connected vehicles is using its attack points as defence points.
Leveraging the power of model assembling and diversifying sensor fusion can enhance the ability of autonomous, electric and connected vehicles to withstand attacks and sensor failures, just as quantum-resistant encryption has emerged as a shield against threats posed by future quantum computers, explains digital security expert Artem Minaev.
“An intriguing addition is behavioural biometrics, [which offers] a novel authentication method that ensures secure access to [a vehicle’s] control systems. Embracing these inventive strategies holds the key to effectively addressing emerging cyber security threats,” he adds.
Preventing insider threats
When it comes to the risks posed by insider threats, CISO of Aston Martin,
Robin Smith, notes that insider threats should be dealt with using a proactive approach, as companies need to be aware of and sensitive to the fact that employees have access to sensitive data and are trusted within a company’s network.
He explains further: “You need to take action to constantly monitor and respond to any potential insider threats. Whether this is small scale, for example sending data to cloud storage or larger scale, for example the unauthorized access of sensitive data or other criminal activities.
“Regardless, the setup and your protective monitoring approach should be alerting you to the activity from the first signs of unusual user behaviour.
This will allow you to make an active intervention to stop data transfers or the unauthorized accessing of information. Proactive technologies that can offer that immediate detection and response are crucial for this,” he shares.
Smith also notes that a culture of awareness should also be encouraged, as this will allow other employees who are privy to the malicious behaviour from insider threat actors to feel comfortable in reporting it. This will also help reduce the impact of insider threats as they can be detected early, meaning that their damage is reduced.
Conclusion
While autonomous, electric and connected vehicles may be a target for malicious actors and can have vulnerabilities that make them susceptible to cyber attacks, they can be protected against said attacks.
Whether this is utilizing the areas targeted by malicious actors as part of the vehicles defence strategy, increasing authentication tools or augmented software testing, a multi-faceted approach to autonomous, electric and connected vehicles’ cyber security will ensure that any potential access points by malicious actors are protected.
A proactive and pro-social approach to cyber security culture will also help to prevent cyber attacks against autonomous, electric and connected vehicles. This is because it will encourage employees to both consider all aspects of cyber security when working on the autonomous, electric or connected vehicle. It will also reduce the likelihood of insider threats as employees will be more likely to report any suspicious activity or behaviour within their team or on their network.