Welcome dear networkseclearners to this new tutorial where we will be talking about Automotive Cybersecurity.
I would first like to tell you what Automotive Cybersecurity is and why cybersecurity in the automotive sector is nowadays a relevant topic. Then, I will talk about the evolution of automotive technology, trending cyber attacks and attack vectors in the automotive industry, and I will finish with industry and regulatory responses to this new threat landscape.
This tutorial aims to give beginners in automotive cybersecurity a comprehensive introduction to the topic. I hope that at the end of this tutorial, you will be more aware of the cyber risks related to today’s cars. If you still don’t know what Automotive Cybersecurity is, don’t worry, because I will jump into the topic right now. Let’s meet at the next section 😉 : Definition of Automotive Cybersecurity.
1. Definition of Automotive Cybersecurity
Automotive Cybersecurity refers to the protection of the electrical and electronic systems embedded in cars against cybersecurity threats that could lead to the violation of their confidentiality, integrity and availability properties.
If this is the first time you have come across the topic of automotive cybersecurity, you might think it is not relevant at all. I am stating this because every time I talk with people who are not familiar with automotive technologies or cybersecurity in general, they always ask me how it is possible to hack a car😉. Basically, they don’t believe cars can be hacked and are not aware of the potential risks that could lead to the successful hacking of cars. So, let’s now talk about why automotive cybersecurity is nowadays a relevant topic.
2. Relevancy of Automotive Cybersecurity
Welcome to the era in which cars have become “computers on wheels”, capable of connecting to the internet to provide users with more and more services and functionalities in order to enhance their experience. Nowadays, cars are also equipped with infotainment systems that collect and store private user data, which might be sensitive. All this is possible thanks to the on-board computers embedded in cars, which we call ECUs (Electronic Control Units). An ECU is composed of hardware and software and has inputs and outputs. It basically receives information at its inputs from elements like sensors, processes it and then decides to activate or deactivate output elements like actuators. Examples of ECUs are the ACU (Airbag Control Unit), ECM (Engine Control Module), BCM (Body Control Module), TCU (Transmission Control Unit), etc. In modern cars we can have up to 70-100 ECUs, all connected together via buses like CAN (Controller Area Network), LIN (Local Interconnect Network) or, more recently, even Ethernet, allowing them to exchange information. If you wanna learn more about ECUs, I invite you to have a look at this short video :
From a cybersecurity perspective, all these ECUs and the information they manipulate are assets to protect, because the violation of any of their cybersecurity properties can potentially cause harm to users and damage the reputation of car makers. In order to illustrate the importance of protecting these ECUs and this information, let’s talk about one example :
Imagine that while you are driving at high speed on the highway, an attacker manages to remotely access your car’s internal network and thus takes control of your car while you lose all control: you can’t stop the car anymore, you can’t control its speed anymore and you can’t turn left or right anymore. This could lead to serious accidents causing harm to the driver, passengers and any other users on the road. If this happens, it will also damage the reputation of the car maker. Ah, sounds like science fiction, right? 😅 If you are still not convinced that cars are nowadays “good” targets for cybersecurity attacks and therefore need to be protected, I invite you to watch the following video in which two cybersecurity experts manage to remotely take control of a Jeep.
I hope that if you have reached this line, you now know that cybersecurity is relevant for cars in 2024.😉 It is crucial to protect our cars’ assets from cybersecurity attacks in order to ensure the safety of passengers and all users on the roads. As a cybersecurity professional, I am excited to contribute to the protection of cars and thus to the safety of passengers. Well, I hope you also have the same feeling and the same goal! 🤲
It is now time to move to the next section, where I would like to present to you the evolution of automotive technology.
3. Evolution of Automotive technologies
In this section, I wanna give you an overview of the evolution of cars. In order to make it more interesting for you, I suggest you watch a very interesting YouTube video on the evolution of cars. It shows the evolution of cars from antiquity to today.
If you are a big fan of automobiles and would love to see cars from past centuries in real life, I can recommend the Automobile Museum of Turin in Italy. I visited it in 2023 and it was a really amazing experience. I could see the evolution of cars with my own eyes and also learn how some components like engines are made. It is a once-in-a-lifetime experience for car lovers.😉
What I want you to be aware of through this section is the rapid evolution of technology in the automotive industry. In the beginning, cars were just a bunch of mechanics with barely any electronics, and with time they have been getting more and more sophisticated and complex thanks to the introduction of electronics and software. In the early days of cars, the main need of users was to drive from one point to another. That was a basic need that was fulfilled with basic mechanics and barely any electronics. However, users’ needs towards cars have grown over time due to the tremendous evolution of technology since the creation of the first transistor in 1947. In fact, in order to fulfill this growing need, car makers had to provide more and more features to make the user experience better and more comfortable. This was possible with the introduction of electronics and software in cars, the so-called ECUs. Nowadays, cars have become very smart, very safe and very comfortable thanks to those ECUs (brains). Cars in 2024 are able to “see” and “understand” what is surrounding them and, based on this, make some smart decisions. Today’s cars can drive themselves, even if in most cases this is still in an experimental phase. Cars today can connect to the internet in order to provide services to users like remote diagnostics, remote SW updates and infotainment. All this is possible thanks to electronics and software. Talking about software in cars, do you know that today some cars embed more lines of code than some airplanes? 🤔🤔 Well, the Ford GT car for instance embeds more lines of code than the F-22 Raptor fighter jet and the Boeing 787 Dreamliner. Check the following link for more details :
Even if these technology evolutions bring a lot of value to car users, they do not come without inconveniences, above all cybersecurity-relevant ones. All those ECUs and their associated advanced features are “good” targets for cybersecurity attacks. Now that we have briefly discussed the trending technologies in the automotive industry, let’s talk about the trending cybersecurity attacks our modern cars have to face.
4. Common Cyber security Attacks and Attack Vectors in the Automotive Industry
Welcome to this new section of this tutorial. If you don’t know what a cybersecurity attack is or what an attack vector is, I will quickly remind you.
A cybersecurity attack is any exploitation of a system vulnerability that leads to the violation of any of its cybersecurity properties. This can of course cause harm or damage. On the other hand, an attack vector is the means and/or method by which a cybersecurity attack is carried out by an attacker. If you need more details, have a look at my article on the introduction to Cybersecurity. 😊
Just before we dive into the topic, I would like to share with you some important findings from Upstream’s 2024 Global Automotive Cybersecurity Report.
According to Upstream’s 2024 Global Automotive Cybersecurity Report, 95% of attacks on cars are executed remotely, with 85% of them being carried out at long range.
4.1 Back-end servers related to vehicles in the field attacks
As discussed in the previous sections, modern cars are now able to connect to the external world to exchange information. Among the external elements the cars communicate with are the back-end servers, which trigger SW updates for instance or, in the case of autonomous driving, process large amounts of data in a short time and provide feedback to the vehicle, which can then decide which actions to perform. So, by attacking the back-end servers, hackers can take control of the car and/or disrupt its operation. According to Upstream’s 2024 Global Automotive Cybersecurity Report, this represents 43% of attacks.
4.2 Infotainment Systems Attacks
Infotainment systems in modern vehicles are often connected to the internet, making them potential targets for cyber attacks. Attackers may exploit vulnerabilities in these systems to gain access to sensitive information or control vehicle functions. According to Upstream’s 2024 Global Automotive Cybersecurity Report, this represents 15% of attacks.
4.3 Vehicle communication channels attacks
As discussed in section 2 above, ECUs are connected via buses like CAN, LIN and Ethernet that allow them to exchange the information they need to fulfil their functions. This means that the communication between the ECUs is very critical, and if it is attacked, this can have serious consequences on vehicle operation and safety. Common attack vectors are the flooding of the communication channels with useless information, causing a denial of service, the spoofing of messages, and replay methods.
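As an added illustration (not part of the original tutorial), here is one way a defender can spot flooding or extra spoofed frames on a CAN bus: compare each identifier's arrival rate with its normal period. The `candump -L` style log format, the CAN IDs and the baseline periods are assumptions chosen for this example, and the capture is constructed.

```python
import re
from collections import defaultdict

# candump -L style line: (timestamp) interface ID#DATA
LINE_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

# Assumed baseline (hypothetical IDs and periods, in seconds), learned from clean traffic.
EXPECTED_PERIOD = {0x0C9: 0.010, 0x1A0: 0.020}

def parse(line):
    """Return (timestamp, can_id, payload) or None for lines that are not frames."""
    m = LINE_RE.match(line.strip())
    if not m or len(m.group(3)) % 2:
        return None
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def detect(lines, tolerance=0.5, min_hits=3):
    """Flag IDs outside the baseline, or arriving much faster than their period."""
    last_seen, fast, alerts = {}, defaultdict(int), {}
    for line in lines:
        frame = parse(line)
        if frame is None:
            continue
        ts, can_id, _payload = frame
        if can_id not in EXPECTED_PERIOD:
            alerts.setdefault(can_id, "unknown ID")
        elif can_id in last_seen:
            # A gap well under the nominal period means extra frames on the bus.
            if ts - last_seen[can_id] < EXPECTED_PERIOD[can_id] * tolerance:
                fast[can_id] += 1
                if fast[can_id] >= min_hits:
                    alerts.setdefault(can_id, "rate too high")
        last_seen[can_id] = ts
    return alerts

def sample_log():
    """Constructed capture: 0x0C9 is clean, 0x1A0 carries extra frames, 0x3E8 is unlisted."""
    rows = [(100.050, "3E8", "00")]
    for i in range(10):
        rows.append((100.0 + i * 0.010, "0C9", "0011223344556677"))
        rows.append((100.0 + i * 0.020, "1A0", "01020304"))
        rows.append((100.002 + i * 0.020, "1A0", "FFFFFFFF"))  # extra frame
    return ["(%.6f) can0 %s#%s" % row for row in sorted(rows)]

if __name__ == "__main__":
    for can_id, reason in sorted(detect(sample_log()).items()):
        print(f"ID 0x{can_id:03X}: {reason}")
```

A timing check like this only sees frames that are added on top of the legitimate traffic. A replayed message sent at the normal rate needs message authentication with a freshness counter to be rejected.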
4.4 Remote Keyless Entry Systems attacks
Hackers use relay attacks and signal amplification techniques to intercept and clone keyless entry system signals, allowing them to gain unauthorized access to vehicles. According to Upstream’s 2024 Global Automotive Cybersecurity Report, this represents 7% of attacks.
4.5 Connected Car mobile applications attacks
Mobile applications used to control or interact with connected cars may contain security vulnerabilities that could be exploited by attackers to gain unauthorized access to vehicles or user data.
4.6 On-board diagnostics (OBD-II) port exploitation
Attackers may exploit vulnerabilities in the OBD-II port, which is used for vehicle diagnostics and maintenance, to gain access to vehicle systems and data.
4.7 SW updates procedures attacks
Attackers might misuse the SW update procedures in order to inject illegitimate code into the ECUs.
5. Regulatory Responses
Welcome to this new and last section of this tutorial. Well, I hope that by now you know why cybersecurity is nowadays relevant for the automotive industry and that you are aware of the most common attacks faced by modern cars. If not, I recommend you read the first sections again. If it is OK, then stay with me here👌. At some point while reading this article, you may have realized how dangerous it can be if our car is hacked and controlled by attackers. It is great if you have this in mind. Indeed, if not enough care is given to cybersecurity during the development and production of automotive products like ECUs, this could lead to attacks causing serious harm. You might ask yourself how we make sure that car makers and ECU suppliers take cybersecurity seriously and perform its related activities properly. Well, the answer is that we finally have standards and regulations for automotive cybersecurity :
The ISO-21434 standard was published in August 2021 and provides vocabulary, requirements, recommendations, best practices and guidelines to OEMs and suppliers for automotive cybersecurity management, making sure all related activities are properly performed throughout the whole product life cycle. This standard also requires some mandatory work products. It is a standard and therefore basically a recommendation, unlike regulations, whose requirements must be implemented, otherwise OEMs and suppliers are exposed to fines and condemnations. A regulation is like a law. I will write a dedicated article on the whole ISO-21434 soon and you will get more details.
What, then, are the regulations? Well, UNECE R155 and UNECE R156 were released in summer 2021, at almost the same date as the ISO 21434. Again, I will write dedicated articles on these two automotive cybersecurity regulations in the coming weeks. UNECE stands for United Nations Economic Commission for Europe.
In a nutshell, the UNECE R155 regulation establishes guidelines for ensuring the cybersecurity of vehicles, safeguarding against cyber threats and unauthorized access to vehicle systems and software.
On the other hand, the UNECE R156 regulation outlines requirements for the approval of vehicles with regard to cybersecurity and software updates, ensuring vehicles meet cybersecurity standards and can receive necessary software updates securely.
CONCLUSION
I would like to congratulate you if you have stayed with me until here, which is the end of this article😊. I hope this article was interesting and informative for you. If you have enjoyed it, please leave a comment and share this article with your friends/colleagues to spread the knowledge on this domain.
If you have any suggestions for improvement, please don’t hesitate to leave a comment or contact me directly through the contact page.
Before closing, I promise I’m gonna close here😅, let me recap what we have discussed in this tutorial. The goal was to provide an introduction to automotive cybersecurity, starting by defining it so that we understand what we are talking about. People around me are always surprised when I talk about cybersecurity in the automotive sector, which means they are not aware of the cyber risks cars are exposed to nowadays. So, I explained why cybersecurity is nowadays relevant for the automotive industry. This becomes clearer when we get to know the vulnerabilities today’s cars are exposed to after this tremendous technological evolution. Given the bad consequences that can result from attackers exploiting vulnerabilities in car systems, some regulations and standards were released in order to ensure that cars entering the markets starting from July 2024 have no risk or present an acceptable level of risk.