Table of Contents
The software-defined vehicles(SDVs) market is on the rise for substantial growth in the coming decade. But, The number of Automotive API attacks increased by 380% in 2022.
Automotive hacking has become the latest but deadly threat to the industry. SDVs are expected to expand significantly, going from a market size of around $36 billion in 2022 to potentially reaching up to $150 billion by 2030.
Future of Automotive Industry: Development in Software Defined Vehicles (SDVs)
Software-defined Defined Vehicles are the next source of competitive edge and a revenue stream for organizations. Industries are adopting the system to be in the future game.
GM Financial Report
GM announced the launch of the Ultifi software platform for next-generation internal combustion and electric vehicles later this year during its Q1’2023 earnings call.
What do they forecast?
They predict this will contribute significantly to their bottom line, with the expectation of generating annual software and service revenue from $20 billion to $25 billion by 2030.
Stellantis
In June 2023, Stellantis proposed a development connecting 34 million vehicles by 2030. Their strategy focuses on services, subscriptions, on-demand features, data services, fleet management, and more. Their motive is the revenue to €20 billion by 2030.
All Tier 1 companies are trying to stay caught up and come forward to be a part of this changing environment.
For instance, BlackBerry IVY has introduced in-vehicle software platforms and developer tools. The programs support vehicle edge computing. This approach allows for unparalleled agility in deploying innovative, data-driven features.
This software-driven industry is unstoppable when it comes to technology. It’s crucial to know that this shift brings new challenges. Vulnerabilities are standing at the door waiting to be exploited and intruders are there to make every effort to make things worse.
“These vulnerabilities could potentially provide unauthorized individuals with access to sensitive consumer and OEM data, control over vehicle functions, and even open the door to novel methods of vehicle theft.”
This underscores the pressing need for robust cybersecurity measures in the automotive industry.
What are the risks you are prone to with rising Automotive Hacking?
Various risks are involved with Software-Defined Vehicles (SDVs), but customer data leakage and identity theft are at the top. Let’s discuss some prevalent risks in automotive hacking in 2024.
Data Privacy
The software vehicles collect extensive customer data, including personally identifying details, billing particulars, and location information, which fall under data protection regulations like GDPR and CCPA.
Breaches in this context can have severe consequences, including customer identity theft, financial fraud, and substantial regulatory fines, which can reach as high as 4% of revenue under GDPR.
Intellectual Property
Another critical concern is the theft of intellectual property (IP). Breaches targeting IP, including source code or infrastructure architecture, can lead to counterfeit product revenue losses and expose vehicle and enterprise backend systems vulnerabilities.
Vehicle Safety
With the vast scale and depth of data in SDVs, security breaches can damage vehicle safety and theft. Breached customer and OEM data can find its way to the internet’s dark web. Later, it could be exploited to develop tools for vehicle theft and compromise safety across entire fleets.
Reputation
Moreover, the impact isn’t confined to the technical alone. A data breach can tarnish an OEM’s reputation, erode customer trust, trigger legal actions, and adversely affect sales and market share.
Emerging Cyber Risks in Automotive Sectors in 2023
Backend Attacks
The backend systems, such as telematics servers, have assumed an important role in automotive. They are responsible for gathering and managing sensitive data, including vehicle status, location, usage patterns, and driver behavior.
With reliance on backend systems for delivering advanced services, we are significantly exposed to vulnerabilities and potential cyber threats. Cyber attackers ‘ new targets are these functionalities and a wealth of sensitive data.
They have the remarkable ability to affect the entire data fleet when talking about control access. Therefore, the urgency to secure them arises. This is a priority for both Original Equipment Manufacturers (OEMs) and suppliers.
Backend servers and the attacks on them have surged since the outset of 2023. The automotive industry and its attacks are rooted in API vulnerabilities. These attacks have now raised to 40% of the security breaches.
Automotive Hacking at Peak in 2023
In January 2023, researchers published their findings after a month of dedicated investigation. The security of telematics systems, automotive APIs, and supporting infrastructure was seen to be compromised.
They unveiled multiple vulnerabilities across 19 prominent global OEMs and suppliers. These vulnerabilities allowed them to remotely control vehicles and access sensitive data from OEMs and consumers.
Another concerning development unfolded in March 2023 when a white hat hacker revealed they had gained unauthorized access to a Japanese OEM’s Customer Relationship Management (CRM) database.
This breach directly resulted from misconfigured APIs and inadequate authentication and verification protocols. Consequently, the hacker could access information, including names, addresses, phone numbers, email addresses, tax IDs, and detailed vehicle, service, and ownership histories of the OEM’s customers.
The risk escalates further when credentials are leaked, potentially granting access to internal systems. This poses threats ranging from customer data breaches and intellectual property theft to manipulation of the entire company’s infrastructure and unauthorized access to mobile applications for controlling vehicles.
3CX VOIP
A significant supply chain attack also transpired in March 2023, targeting customers of a VoIP software development company, with global OEMs also feeling the impact. The malware used in this attack could exploit system information and steal data and stored credentials from user profiles in popular web browsers.
This breach exposed internal OEM URLs and mobile app credentials, opening the door to unauthorized vehicle access and compromising sensitive data.
Toyota Breach
Lastly, in May 2023, a Japanese OEM disclosed a decade-long data breach affecting over 2 million vehicle owners in Japan.
This breach encompassed critical data such as vehicle location information, in-vehicle GPS navigation terminal ID numbers, chassis numbers, and video footage from onboard drive recorders.
These recent incidents underscore the pressing need for bolstered security measures in the automotive industry. As vehicles evolve into connected and software-driven entities, safeguarding the integrity of backend systems remains paramount for OEMs and suppliers alike.
SBOM is enhancing Automotive Threat Intelligence
The Software Bill of Materials (SBOM) is a technical document used in software development. It provides a detailed inventory of the software components, libraries, and dependencies in building a software product.
This extends to software installed on hardware components and vehicles in the automotive industry.
The SBOM is essential for achieving transparency and traceability in addressing software vulnerabilities.
Recent regulatory initiatives, such as UNECE WP.29 R15510 and R15611, ISO/SAE 2143412, and new regulations in China, have made SBOM adoption mandatory in the automotive sector.
These regulations now encompass software developed by Original Equipment Manufacturers (OEMs) and components and libraries from Tier-1 and Tier-2 suppliers.
This expanded scope empowers OEMs to effectively identify and manage software-related vulnerabilities and associated risks.
SBOM and its long-lasting impact
SBOM is no longer just a static document. With the prevalence of over-the-air (OTA) updates in vehicles, the SBOM is continually evolving, even after a car has left the factory.
SBOM initially focused on software, but there’s a growing recognition of hardware vulnerabilities. Frequent software updates can introduce new vulnerabilities, making it more likely for adversaries to exploit them.
Consequently, extending SBOM to encompass hardware components offers a more comprehensive understanding of the software-hardware ecosystem, leading to enhanced threat intelligence.
In-Vehicle Infotainment
In-vehicle infotainment systems provide a compelling example. They often run embedded Linux, contain personally identifiable information (PII) of vehicle owners, and interface with critical vehicle systems like the engine, brakes, steering, and sensors.
Cyber attackers can use infotainment systems as an entry point to launch attacks on vital vehicle systems and gain access to sensitive data.
Exploits targeting the Linux kernel, commonly discussed in underground hacking communities, highlight the increasing interest of threat actors in such vulnerabilities.
In February 2023, a detailed technical analysis and proof-of-concept (POC) of CVE-2022-30065 affecting the open-source project BusyBox (used to interface with the Linux kernel) was published.
Exploiting this vulnerability could lead to program crashes and privilege escalation, disrupting system functions. System crashes and other vulnerabilities could provide access to sensitive information such as vehicle location, owner identity, and historical vehicle data.
Threat actors with malicious intent can misuse this information for identity theft and tracking. Similarly, in May 2023, an exploit for CVE-2023-32233, affecting the Linux kernel, was shared on a cybercrime Telegram channel with a substantial following.
By exploiting this vulnerability, an unauthorized attacker could gain root privileges and execute malicious commands on affected in-vehicle infotainment systems. However, applying a patch released for CVE-2023-32233 can mitigate this vulnerability.
Cyber Attacks: Rise In Agriculture, Construction, and Heavy Machinery Industry that lead the charge on adopting SDV and Autonomous Features
In February 2023, a German company specializing in agricultural engineering, commercial vehicles, and construction machinery found itself in the crosshairs of a ransomware attack.
A group claiming responsibility for the attack posted their announcement on a hidden part of the internet, the dark web. As of now, the extent of the data breach remains undisclosed.
Looking back to the previous year, a notable incident occurred when Russian troops absconded with 27 pieces of farming equipment from an agricultural OEM dealership in Melitopol, Ukraine.
What’s intriguing is that the OEM company remotely turned off these machines, making them non-functional. While the equipment’s original owners wielded this remote control capability in this case, it raises concerns about the potential misuse of such abilities for malicious purposes.
Moving on to March 2023, a different German agricultural engineering supplier found itself at the center of a cyberattack. This cyber assault disrupted production across several of their facilities.
It’s worth noting that the same connectivity and advanced software-driven features that allow for these actions, whether by the original equipment owners or manufacturers, can also be employed to deactivate agricultural machinery remotely.
Key to better Automotives: Innovation+CyberVigilance
Automotive hacking is not to be ignored! Heavy reliance on software-driven systems and connections has widened the attack surface. This gives the chance for cyber criminals to expand.
What do hackers want? Indeed, the sensitive consumer data you give to the systems includes GPS location data and other personal details.
This data can be a goldmine for cybercriminals engaged in identity theft and fraud. Beware!
Anas Hasan
September 26, 2023
7 months ago
