Connected Cars and Cybercrime: A Primer

Original equipment manufacturers (OEMs) and their suppliers who are weighing how to invest their budgets may be tempted to slow down investments in combating cyber threats. The attacks they've encountered so far have been relatively simple and not particularly harmful.

However, analysis of chat logs from underground criminal information exchanges shows that the pieces exist to enable multi-layered, widespread attacks in the years to come. Given the typically long development cycles in the automotive industry, waiting for more sophisticated cyberattacks against connected cars to emerge is not a practical option.

What should global automotive OEMs and suppliers do now to prepare for the inevitable shift from today’s manual car modification hacks to tomorrow’s user impersonation, account theft and other possible attacks?

How connectivity is changing car crime

As our vehicles become more connected to the outside world, the attack surface for cybercriminals is rapidly increasing, and new “smart” features on the world’s current generation of vehicles are opening the door to new threats.

Our new “smartphones on wheels” (always connected to the internet, leveraging many apps and services, collecting vast amounts of data from multiple sensors, receiving over-the-air software updates, and more) could be vulnerable to attacks similar to those we already see today against computers and handheld devices.

Automotive companies need to consider these potential future threats now. The cars OEMs are planning today may be on the market in three to five years. By then, they need to be protected against the cyber threat environment they are likely to face. If cars come to market without the required cybersecurity features, the job of keeping them safe will be that much harder.

The sophisticated attacks that industry researchers have engineered against connected cars are a sign of the potential for more frequent, nefarious and harmful attacks. Fortunately, attacks in the automotive industry have so far been largely limited to these theoretical exercises. Car modifications, such as unlocking a vehicle's features or manipulating mileage, are as far as real-world attacks have gone.

Connectivity limits some of the typical options available to criminals who specialize in car crimes. The traceability of modern vehicles makes it more difficult to resell a stolen car, and even if criminals manage to take the vehicle offline, the associated loss of functionality can make the car less valuable to potential buyers.

Still, as connectivity inside and outside vehicles becomes more pervasive and sophisticated, threats will become more prevalent and sophisticated as well. How might attacks against connected cars evolve in the future?

The emerging frontier of next-generation attacks

Because the online functionality of connected cars is managed through user accounts, attackers may seek to access these accounts to gain control of the vehicle. The takeover of these automotive user accounts is an emerging frontier for attacks by would-be automotive cybercriminals and even criminal organizations, creating ripe possibilities for user impersonation and account buying and selling.

Stealing online accounts and selling them to rogue collaborators who can act on this knowledge sets up automotive cybercriminals for a range of possible future attacks:

• Sell car user accounts

• Impersonate users through phishing, keyloggers, or other malware

• Remotely unlock, start and control connected cars

• Open a car and steal valuables or commit other one-time crimes

• Steal cars and sell parts

• Locate a car to find out the owner’s residential address and determine when the owner is not home
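From the defender's side, a connected-car backend can watch for the account-takeover pattern behind these scenarios: a sensitive remote command arriving from a device that only just appeared on an account that already has an established device. The sketch below is an added example, not part of the original article; the event fields, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed event schema (hypothetical, not any OEM's real telemetry):
# (ISO timestamp, account id, device id, action)
SENSITIVE = {"remote_unlock", "remote_start", "locate_vehicle"}
WINDOW = timedelta(hours=24)  # assumed period during which a new device is untrusted

# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "acct-1", "phone-A", "login"),
    ("2024-03-01T08:05:00", "acct-1", "phone-A", "remote_unlock"),
    ("2024-03-09T02:10:00", "acct-1", "device-X", "password_reset"),
    ("2024-03-09T02:12:00", "acct-1", "device-X", "locate_vehicle"),
    ("2024-03-09T02:30:00", "acct-1", "device-X", "remote_unlock"),
    ("2024-03-09T09:00:00", "acct-1", "phone-A", "remote_start"),
    ("2024-03-02T10:00:00", "acct-2", "phone-B", "login"),
    ("2024-03-20T10:00:00", "acct-2", "phone-B", "remote_start"),
]

def flag_takeover_candidates(events):
    """Return sensitive commands sent from a device first seen on the account
    less than WINDOW ago, when the account already had an older device."""
    first_seen = {}  # account -> {device: time the device was first seen}
    alerts = []
    for ts, acct, dev, action in sorted(events):
        t = datetime.fromisoformat(ts)
        devices = first_seen.setdefault(acct, {})
        devices.setdefault(dev, t)
        is_new = t - devices[dev] < WINDOW
        # The first device ever enrolled is not flagged; only a newcomer
        # appearing next to an established device is.
        has_established = any(
            d != dev and seen < devices[dev] for d, seen in devices.items()
        )
        if action in SENSITIVE and is_new and has_established:
            alerts.append((ts, acct, dev, action))
    return alerts

if __name__ == "__main__":
    for alert in flag_takeover_candidates(SAMPLE_EVENTS):
        print("review:", alert)
```

Alerts like these are candidates for step-up verification of the owner before the command is forwarded to the vehicle.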

The criminal triangle pattern begins to take shape

Connected car cybercrime is still in its infancy, but criminal organizations in some countries are beginning to recognize the opportunity to exploit vehicle connectivity. A survey of today's underground messaging forums quickly reveals that the pieces could soon fall into place for more sophisticated automotive cyberattacks in the coming years. Discussions of potentially compromised data and of the software tools needed or available to launch an attack are already intensifying on underground criminal forums.

A post from a publicly searchable car tuner forum about vehicle multi-displacement systems (MDS) for tuning engine performance is emblematic of current activity and possibilities.

In another case, users on criminal underground forums provided data dumps from automakers pointing to possible threats to the industry.

Compromises and network access are being sold underground, although they still appear to be limited to regular stolen data. The criminal triangle of sophisticated automotive cyberattacks (as defined by crime analysts) is solidifying:

• Targets – Connected cars that serious criminals will seek to exploit will become increasingly common in global markets over the next few years.

• Desire – Criminal organizations will find ample market momentum to monetize stolen auto accounts.

• Opportunities – Hackers are keen to hijack people’s accounts through phishing, information theft, keylogging and more.

Penetrate and exploit connected cars

There are many ways to gain access to connected car user data: introducing malicious in-vehicle infotainment (IVI) applications, exploiting unsecured IVI applications and network connections, exploiting unsecured browsers to steal private data, and more.

Additionally, there is a risk that attackers leverage personally identifiable information (PII) and vehicle telemetry data (such as car condition) stored in the smart cockpit to craft extremely personalized and convincing phishing emails.

Here's one way this might happen:

• Attackers identify exploitable vulnerabilities in browsers.

• The attacker creates a professional, attractive web page that offers irresistible promotions to unsuspecting users (fast food coupons, vehicle maintenance discounts for user-specific models and years, insider stock information, etc.)

• Users are lured to visit the malicious web pages, which bypass browser security mechanisms

• Attackers install backdoors in vehicle IVI systems without user knowledge or permission to obtain various forms of sensitive data (driving history, conversations recorded by manufacturer-installed microphones, videos recorded by built-in cameras, contact lists, SMS, etc.)

The range of criminal conduct that can arise from this process is wide. For example, by creating a fraud scheme to steal a user's identity, an attacker would be able to open an account on the user's behalf or even trick the OEM service team into approving a verification request, at which point the attacker could remotely open the car doors and obtain information, allowing collaborators to steal the car.

Additionally, attackers could exploit the backdoor they installed to penetrate the vehicle's central gateway by sending malicious messages to the electronic control unit (ECU) through the IVI system. Not only do drivers lose control of their car's IVI system and its geolocation, audio and video data, but they also lose the ability to control the vehicle's speed, steering and other safety-critical functions, as well as the range of critical data stored within its digital cluster.

Prepare for tomorrow's threat landscape today

Until now, OEMs may have been unwilling to invest in avoiding cyberattacks, which have yet to materialize in the real world. But the 2023 Gartner research report, "Automotive Insights: Vehicle Cybersecurity Ecosystem Creates Opportunities for Collaboration," is one of the industry studies documenting the shift in priorities.

Driven by factors such as the significant risk of brand and financial loss from cyberattacks via software-controlled, updateable vehicle functionality, as well as emerging international regulatory pressures such as United Nations (UN) Regulation 155 (R155) and ISO/SAE 21434, OEMs have begun to emphasize cybersecurity.

Today, they are actively evaluating and in some cases even implementing some powerful features:

• IVI Privacy and Identity Security

• IVI application vulnerability detection

• Monitor IVI application performance

• Protect Car Companion App

• Detect malicious URLs

• 24/7 monitoring of personal data

It turns out that investing in cybersecurity at the design stage, compared to investing after a data breach, will ultimately prove cheaper and more effective in preventing or mitigating serious crimes, such as the theft of money, vehicles, and identity, committed by the world's most sophisticated and ambitious commercial criminals using compromised personal data.

Origin blog.csdn.net/qq_29607687/article/details/132796153