The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own held its first-ever automotive-focused event in Tokyo, Japan, this January. At the end of the three-day hackathon, hackers had identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years; however, they are only now gaining popularity in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by hacking into specific components of a vehicle. This proactive form of cybersecurity testing uncovers security gaps in a controlled environment.

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.

For instance, to identify security gaps in a vehicle’s external communications, a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments, manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations, manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect and respond to possible cyber attacks, and log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).


As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.

Vehicle Tech at CES 2024: The Official Introduction of Software-Defined Vehicles

CES 2024 introduced the world to the new era of software-defined vehicles, signifying the beginning of a massive technology transition in the automotive field. At its CES debut, AUTOCRYPT emphasized the importance of automotive cybersecurity for software-defined vehicles, while demonstrating its security solutions and testing tools for in-vehicle systems and V2X communications.

On January 9, 2024, AUTOCRYPT made its first appearance at CES, the world’s most influential tech event. Taking place conveniently at the beginning of the year, CES is the biggest stage for tech companies across the globe to showcase their innovations of the year. This year, more than 4,000 exhibitors and over 130,000 industry attendees gathered in Las Vegas for the show.

Originally known as the Consumer Electronics Show, the scope of CES has expanded far beyond consumer electronic products and now encompasses all types of technologies used throughout all stages of the value chain. Starting in 2019, the automotive tech industry has been playing an increasingly dominant role at the show, showcasing advanced automotive technologies like electric vehicles and autonomous vehicles.

Vehicle Tech Trend at CES 2024: Software-Defined Vehicles

At CES 2024, vehicle and mobility-related technology accounted for nearly half of the entire exhibition. The automotive industry has now become the center of technology innovations, a phenomenon driven by two major transitions in the industry:

  1. The shift from internal combustion engines to electric motors
  2. The switch from hardware-centric to software-centric vehicular architecture

The first transition was shown in previous CES exhibitions, where manufacturers showcased their latest electric vehicle models and concepts. The share of electric vehicles on the roads has also increased significantly throughout the past few years. CES 2024 brought the focus to the second transition, which has been less apparent to the public. Automotive OEMs and suppliers are now showcasing the latest software-centric architecture, operating systems, platforms, and applications, all of which are based on the fundamental concept of software-defined vehicles.


Breaking Down the Software-Defined Vehicle

What is the SDV?

The term “software-defined vehicle”, or “SDV”, has been widely used within the automotive industry to describe cars whose functionality and features can be upgraded over time through software updates. These cars provide a user experience comparable to smartphones and computers, often equipped with a tablet-like central console that controls all features.

Standardized middleware

The transition to SDVs requires a complete overhaul of the automotive manufacturing process. The transition not only requires the decoupling of hardware and software, but also the ability to perform software updates to specific components without impacting the interoperability of these components with the rest of the vehicle. The AUTOSAR Adaptive Platform is a middleware built for this purpose, allowing different manufacturers to build and update software on a standardized platform. In the end, automotive OEMs will need to dedicate most of their resources to software consolidation rather than hardware assembly.

Growing range of communication protocols

The growing diversity of vehicular applications leads to a growing need for dedicated communication protocols. The fundamental CAN (CAN FD) and FlexRay buses are signal-based communication channels necessary for real-time safety-critical (ASIL-D) use cases, such as braking, steering, airbag activation, and engine control. Yet, these protocols do not carry enough bandwidth for multi-tasking and large-size data transfer. This led to the implementation of many new communication protocols. Ethernet, for instance, is becoming increasingly prevalent in cars as it offers extremely high bandwidth at a cheap cost, best suited for advanced applications. SOME/IP is used to connect ECUs with different sizes, such as the in-vehicle infotainment (IVI), head unit, telematics control unit, and cameras.

Centralized E/E architecture

With the growing number of advanced features, a high-end car can have up to 300 ECUs. This is overly complex to build on a conventional distributed E/E architecture—there is simply not enough room to fit all the cables and wires.

A conventional distributed E/E architecture

To reduce the number of cables and wires while accommodating all the advanced applications, advanced processors like zonal controllers and high-performance computers (HPC) must be adopted. Different from controller-based ECUs, these processor-based ECUs consolidate a wide range of software from different domains and process them on a single central computing unit. Since they can communicate via multiple protocols, functional domains like ADAS, IVI, and body control can all be executed on a single HPC.

A centralized (zonal) E/E architecture
CES 2024: Major chipmakers now making automotive processors for SDVs.

Automotive OS

The complete software stack of a software-defined vehicle is commonly referred to as the “automotive OS”. This contains the HPC, the hypervisor (which allows the HPC hardware to execute both backend applications and the frontend UX), the backend OS (OSEK OS, Linux, QNX), the user OS (Android Automotive, not to be confused with Android Auto), the AUTOSAR Adaptive stack, and the applications, which are often placed in containers for easy management and update.

CES 2024: Automotive OEMs and suppliers showcase their SDV OS, HPCs, and platforms.

Automotive cybersecurity

As automotive OEMs become software companies, cybersecurity becomes essential. In fact, cybersecurity is an integral component of SDVs, as standardized by ISO/SAE 21434 and regulated by UN Regulations 155/156. When implementing the automotive OS, end-to-end encryption, two-way authentication, and threat detection mechanisms must be incorporated to secure the in-vehicle network and monitor abnormal ECU activities.

Besides embedded security software, automotive cybersecurity must begin at the vehicle development stage, where vulnerability tests like software composition analysis and fuzzing have become legal requirements.

As an industry-leading automotive cybersecurity company, AUTOCRYPT offers a comprehensive cybersecurity solution for software-defined vehicles, covering vulnerability testing, TARA, and embedded security, all of which are custom-built to support all types of communication protocols and platforms. Its latest development – AutoCrypt Security Fuzzer for HIL – enables fuzz testing in a hardware-in-the-loop (HIL) simulation environment.

CES 2024: AUTOCRYPT demonstrates its cybersecurity solutions for SDVs.

The Future of SDVs: Autonomous Driving, In-Car Shopping, Shared Mobility

The transition to SDVs is fundamental to autonomous driving, given that autonomous driving software needs continuous updates. Autonomous vehicles continue to be a major topic at CES 2024. What’s different from the past is that there is now a much wider array of use cases for autonomous mobility, from last-mile delivery vehicles to remote-driving tractors.

Other trends that accompany the SDV evolution include the growing number of in-vehicle infotainment features such as online shopping and media consumption, as well as the emergence of purpose-built vehicles made for specific use cases.

CES 2024: The IVI dashboard of an autonomous vehicle (left) and a last-mile delivery vehicle (right)

Ultimately, SDVs are creating a new ecosystem that is attracting all types of technological innovations and opportunities, an ecosystem that is more scalable and adaptable than smartphones. Therefore, SDV-related technologies are expected to dominate the tech industry for many years to come.

Infographic: 2023 Year in Review

This year was full of innovation and exciting new partnerships. We want to thank our investors, partners, clients, readers, and visitors for your support in 2023. We are looking forward to what 2024 will bring!

Have a Happy New Year!

See below for a summary of AUTOCRYPT’s accomplishments in 2023.


(Accessibility version below)

New solutions:

AutoCrypt TEE – an ASPICE CL2-certified in-vehicle systems security solution that utilizes the trusted execution environment to secure advanced applications like ADAS, IVI, and CCU

AutoCrypt Security Fuzzer for HIL – an add-on version to the existing Security Fuzzer, the “AutoCrypt Security Fuzzer for HIL” is a fuzz test solution optimized for vehicle HIL simulations that helps OEMs detect and report vulnerabilities for safety validation

“TARA Template for Automotive” – a project management tool for conducting Threat Analysis and Risk Assessment (TARA), a process crucial to the development and maintenance of automotive software

EVIQ CSMS for Plug&Charge – an add-on tool that will seamlessly guide the deployment and management of Plug&Charge operations, available for charge point operators and e-mobility service providers

AutoCrypt KEY – a tool that enables OEMs and suppliers to efficiently manage all types of cryptographic keys used for the components of connected and electric vehicles. AutoCrypt KEY provides all the key management features needed for automotive production

Major partnerships:

AUTOCRYPT and RWTH Aachen University jointly developed “AutoCrypt Security Fuzzer for HIL”, enabling smart fuzzing in HIL simulations.

AUTOCRYPT and V2ROADS entered a cooperation agreement to deliver a full-stack secure V2X solution to Europe, North America, and South Asia.

AUTOCRYPT joined forces with Hitachi Solutions, Ltd. to provide joint offerings and consulting services covering V2X and in-vehicle systems security to Japanese automotive OEMs and tier suppliers.

AUTOCRYPT partnered with a world-renowned Tier-1 telematics supplier, where AUTOCRYPT integrated its V2X security library into the supplier’s OBU.

AutoCrypt V2X-PKI, a tri-standard compliant SCMS platform, was adopted by a global automotive OEM to manage its SCMS operations under the EU CCMS standard.

Certificates:

ASPICE → AUTOCRYPT was recognized with an ASPICE Capability Level (CL) 2 certification for its AutoCrypt TEE software security platform and its well-established processes in securing in-vehicle systems and software.

Events:

This year we had the chance to connect with partners and clients, as well as showcase our solutions, at some of the most coveted global events in the automotive industry.

  • UITP Global Public Transport Summit 2023
  • ITF 2023 Summit
  • ITS European Congress 2023
  • AutoTech Detroit 2023
  • Electric Vehicle Asia 2023
  • IAA Mobility 2023
  • Aachen Colloquium 2023
  • Expand North Star Dubai

Safety Recall or Software Update? The Transformation of Vehicle Recall

In recent years, automotive OEMs worldwide have garnered attention with large-scale software recalls. Companies like Tesla and Rivian have issued recalls over issues potentially impacting vehicle functions or even jeopardizing driver safety. However, these recalls differ from traditional ones as they are conducted via over-the-air (OTA) updates, eliminating the need for vehicle owners to physically visit service centers. This shift signifies a transformation in the landscape of vehicle software recall.

When does a software recall happen?

When an automotive OEM or a safety regulator discovers a safety-related issue in a vehicle model, transportation authorities, such as the NHTSA, issue a “safety recall,” alerting vehicle owners about the safety risk. Such a decision is made when a vehicle contains malfunctioning components that may pose a safety risk or when a vehicle fails to meet legal standards. Previously, car owners receiving recall letters would have to visit the nearest service center to address the safety concerns.

How does a software recall work?

Today, the scenario has evolved significantly. With the increasing reliance on software for vehicle operations, recalls can now be conducted through over-the-air software or firmware updates.

A software recall functions identically to an OTA update, patching up issues, introducing new features, and making alterations to vehicles remotely, without necessitating a trip to the service center.

To enable OTA updates, cars must incorporate a telematics control unit (TCU) housing mobile communication interfaces, like 4G/5G or Wi-Fi, and memory to store driving and vehicle data. The OEM dispatches the software package to its vehicles from a cloud-based server, with cars downloading and installing updates automatically during regular use. To ensure that the OTA update is executed safely, only validated software packages must be received and installed.

Once successfully installed, the vehicle reports its updated status to the OEM’s backend, marking it as updated in the recall system.
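The validate-then-install-then-report sequence described above can be sketched as follows. This is an added example, not AUTOCRYPT's or any OEM's code: the manifest fields, reason strings, and `DEMO_KEY` are assumptions, and HMAC-SHA256 stands in for the asymmetric signature a production client would verify.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in so the example runs on the
# standard library alone; a production client would verify an asymmetric
# signature against an OEM public key kept in protected storage.
DEMO_KEY = b"constructed-demo-key"


def manifest_tag(manifest, key=DEMO_KEY):
    """Authentication tag over the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def validate_package(manifest, tag, payload, ecu, key=DEMO_KEY):
    """Return a rejection reason, or None when the package may be installed."""
    # 1. Authenticity: check the tag before trusting any manifest field.
    if not hmac.compare_digest(manifest_tag(manifest, key), tag):
        return "manifest_not_authentic"
    # 2. Integrity: the downloaded image must be the one the manifest names.
    if hashlib.sha256(payload).hexdigest() != manifest["payload_sha256"]:
        return "payload_hash_mismatch"
    # 3. Targeting: the package must be built for this ECU and hardware revision.
    if (manifest["ecu_id"], manifest["hw_rev"]) != (ecu["ecu_id"], ecu["hw_rev"]):
        return "wrong_target"
    # 4. Anti-rollback: refuse anything not newer than the installed version,
    #    which also rejects a replay of an already-installed package.
    if tuple(manifest["version"]) <= tuple(ecu["version"]):
        return "rollback_or_replay"
    return None


def apply_update(manifest, tag, payload, ecu):
    """Validate, install only on success, and build the backend status report."""
    reason = validate_package(manifest, tag, payload, ecu)
    if reason is None:
        ecu["version"] = list(manifest["version"])  # stands in for flashing
    return {
        "ecu_id": ecu["ecu_id"],
        "version": ecu["version"],
        "status": "updated" if reason is None else "rejected",
        "reason": reason,
    }


def demo():
    """Run one valid and four invalid packages against constructed ECU state."""
    payload = b"constructed firmware image 1.3.0"
    manifest = {
        "ecu_id": "TCU",
        "hw_rev": "B",
        "version": [1, 3, 0],
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    tag = manifest_tag(manifest)

    def fresh():
        return {"ecu_id": "TCU", "hw_rev": "B", "version": [1, 2, 0]}

    out = {}
    out["valid"] = apply_update(manifest, tag, payload, fresh())
    out["tampered_payload"] = apply_update(manifest, tag, payload + b"\x00", fresh())
    edited = dict(manifest, version=[9, 9, 9])  # field changed, tag not recomputed
    out["edited_manifest"] = apply_update(edited, tag, payload, fresh())
    other_hw = fresh()
    other_hw["hw_rev"] = "A"
    out["wrong_hardware"] = apply_update(manifest, tag, payload, other_hw)
    ecu = fresh()
    apply_update(manifest, tag, payload, ecu)  # first install succeeds
    out["replayed"] = apply_update(manifest, tag, payload, ecu)
    return out


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The order of the checks matters: no manifest field is read until the tag has been verified, so a rejected package never influences the targeting or version decision.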

The transformation of vehicle recall

In the ever-evolving landscape of automotive technology, the traditional concept of vehicle recalls has undergone a transformative shift. The emergence of over-the-air (OTA) updates has revolutionized how safety fixes are conducted, offering convenience and cost-efficiency for both OEMs and vehicle owners.

In 2023, OEMs are projected to save nearly $500 million in the US through OTA recalls. These savings primarily stem from reduced maintenance and labor costs at traditional vehicle dealerships that historically handled safety fixes during recalls. Simultaneously, vehicle owners save time and money as their cars fix themselves through OTA upgrades, bypassing the need for a dealership visit.

Software recalls have been conducted over-the-air for the past few years. And many ask, “Is it really a ‘recall’ if the problem is getting fixed (patched) through an OTA update?”

A prominent example is Tesla’s recall of over 2 million vehicles performed over-the-air. Tesla’s recall filing said that the company’s advanced driver assistance system, Autopilot, did not have sufficient system controls that prevented driver misuse and could, therefore, increase the risk of crash. As a result, the company had to recall the software in almost all Tesla vehicles in the US. The recall was conducted as an OTA software update that incorporated additional controls and alerts to the current Autopilot system.

The event sparked debates about whether it qualifies as a recall if the vehicle doesn’t require dealership servicing. Tesla’s CEO, Elon Musk, has fueled this debate, advocating for modernizing recall terminology, considering the nature of modern software recalls. He has called the term “recall” “outdated and inaccurate” when applied to OTA software fixes.

Historically speaking, safety recalls have had a slew of negative sentiments associated with the term. On the one hand, the vehicle owners would have to go through the cumbersome task of visiting a dealership and repairing their vehicle, which could sometimes take days. On the other hand, manufacturers would have to incur extra expenses issuing the recall free of charge, as well as to deal with negative press and brand image associated with the safety recall.

Since safety recalls can be conducted seamlessly over-the-air, and do not follow the same process as traditional recalls, should they still be considered “recalls”? Or can they be regarded as “security patches” or, simply, a “software update”?

As we embrace the era of connected vehicles and software-driven functionalities, the race to create the most advanced vehicle is fiercer than ever. Automakers are spending countless resources on developing complex applications to secure the first mover advantage in an increasingly competitive market. As a result, manufacturers have an incentive to roll out new features at a faster pace.

While OTA updates surely allow for a faster innovation cycle in the industry, they may potentially encourage an environment where imperfect software is rolled out prematurely. And if the weight of a “safety recall” is lightened by a change of terminology, will automakers still bear the negative repercussions of rolling out potentially dangerous software and to what extent? Maybe the “safety recall” nomenclature serves as a checks and balances system that ensures OEMs are socially accountable for safety issues in their software.


Regardless of semantics, safety fixes via over-the-air updates present a far more convenient and time-efficient approach to recalls.

While debates persist about the nomenclature surrounding these updates, the undeniable efficiency and effectiveness of OTA recalls mark a significant step forward in automotive safety and maintenance. This evolution reflects not only technological advancements but also a fundamental shift in how we perceive and address safety concerns in the automotive world.


5 Futuristic In-Vehicle Infotainment Features in the Age of Software-Defined Vehicles

The automotive landscape is in the midst of a profound transformation. Cars have now entered the realm of digitization, where the competition isn’t solely about design and horsepower, but also the ingenuity of digital features. To keep up, original equipment manufacturers (OEMs) are diversifying their offerings, introducing features that offer a more futuristic and personalized driving experience.

At the heart of this revolution lies in-vehicle infotainment (IVI), an integrated vehicle system merging entertainment and information delivery for drivers and passengers. Its overarching objective is to amplify the driving experience, keeping occupants informed, entertained, and safe. This blog will unveil five of the most cutting-edge vehicle infotainment features flourishing in the automotive sector today. 

AI and Voice Assistants 

The buzz surrounding artificial intelligence has seeped into the automotive domain, with OEMs dedicating colossal R&D investments to create the most advanced automotive AI. While primarily utilized for autonomous driving, AI’s applications extend far beyond. Recent car models feature AI assistants integrated into the vehicle’s infotainment system. These assistants boast advanced language processing, biometrics, and deep learning abilities, enabling them to do an array of different tasks that make the driver’s life easier. These tasks include, but are not limited to, ordering groceries en route, planning trip routes with charging stops, and even orchestrating various vehicle functions.  

Integrating GPTs into AI assistants takes the technology a step further. Unlike conventional voice assistants tethered to predefined tasks, GPTs leverage a vast language model, enhancing its natural language understanding and expanding its abilities as a smart-car assistant. The likes of Mercedes-Benz are utilizing the technology to create AI assistants that act like smart, conversational companions, curating an engaging driving ecosystem. 

NIO in-vehicle infotainment AI voice assistant

Facial Recognition

While cameras within car structures aren’t novel, their application has undergone a significant expansion. Coupled with advanced processing capabilities, new in-vehicle cameras facilitate facial recognition features that multiply infotainment system capabilities. Vehicle cameras now monitor driver behavior, detecting blinking rates and yawning to signal potential fatigue. With the rapid development of driving assistance, features like this are employed as safety measures to make sure the driver does not lose concentration or doze off behind the wheel.  

On top of safety, facial recognition enables seamless vehicle unlocking and authorization for payments through the infotainment system. We can see that common smartphone features are making their way into vehicles as customers expect more convenience and digitization from their cars. Pioneering Chinese car models delve deeper, employing facial recognition for experience personalization. For instance, the futuristic XPENG G3 allows users to select their preferred seat positioning and lighting settings, and uses face recognition to then adjust to personalized settings based on who is at the driver’s seat. 

Gesture Control

Gesture recognition technology, available in select premium vehicles, has transformed the way drivers interact with their cars. This innovation extends beyond the conventional realm of in-vehicle infotainment, introducing an intuitive interface that responds to simple hand gestures. Gesture recognition lets you use a subtle swipe to adjust volume, a flick of the wrist to change music tracks, or a pinch in the air to zoom in on navigation maps. The integration of gesture control not only enhances convenience but also represents a significant leap in fostering a safer driving environment. By minimizing manual distractions, drivers can effortlessly navigate the car’s interface without diverting their gaze from the road, enjoying both convenience and safety. 

Moreover, the ongoing evolution of gesture control technology envisions a future where these intuitive motions go beyond the entertainment realm. Soon, drivers might be able to execute more complex commands with a wave of the hand, accessing vehicle diagnostics, or even initiating communication functions. This paradigm shift in interaction within the vehicle is reshaping the traditional dashboard layout, signaling an era where physical buttons and knobs might gradually become obsolete. 

Unique Entertainment Options 

Automakers are revolutionizing the automotive landscape by crafting distinctive entertainment features to captivate the attention of younger audiences. The range of entertainment offerings is expanding rapidly, with some models offering in-car gaming tools, built-in karaoke systems with wireless microphones, and interactive user manuals that utilize augmented reality (AR) and voice tech. These pioneering features not only set these vehicles apart from competitors but also redefine the very purpose of a vehicle beyond mere transportation. And as self-driving becomes more widespread, consumers will make purchasing decisions based on the in-car experience, so these entertainment options will become increasingly important.

AIWAYS in-vehicle infotainment interactive car manual

Dashboard App Diversification 

The digital transformation of vehicles has created an urgent demand for personalization, prompting manufacturers to reimagine the dashboard as a customizable canvas. Thanks to over-the-air systems, vehicle users can now curate their dashboard by downloading applications right into their infotainment systems.  

Seamlessly integrating social media feeds, news updates, or productivity tools directly into the vehicle’s dashboard, modern cars not only cater to individual preferences but also pave the way for an ever-evolving ecosystem within the vehicle, where the driving experience transcends transportation, becoming an extension of one’s lifestyle and interests. This synergy between technology and personalization is revolutionizing the way users interact with their vehicles, morphing cars into smart devices tailored to customer needs. 

Securing the Future of Automotive Innovation 

The evolution of in-vehicle infotainment into a realm of advanced AI integration, facial recognition, gesture control, and diversified dashboard apps marks a seismic shift in automotive technology.  

As cars become digital hubs of connectivity and convenience, the significance of safeguarding these systems against potential cyber threats cannot be overstated. Each innovative feature, while enhancing personalization and convenience, also presents entry points for malicious exploitation. The industry’s focus on robust cybersecurity measures (encryption protocols, intrusion detection, and collaborative standards) is crucial in fortifying these high-tech infotainment features against unauthorized access and exploitation.

The future of driving isn’t solely about technological sensation; it’s about responsible innovation. Protecting the integrity, privacy, and safety of these advanced infotainment systems is a shared responsibility of all industry participants.

AUTOCRYPT’s in-vehicle cybersecurity solutions provide complete protection for vehicle-embedded systems, minimizing cybersecurity risks while facilitating safe and responsible innovation in the industry.


Trends in Vehicle Vulnerabilities: A 2023 Report

In recent years, the automotive sector has undergone a profound transformation driven by innovation. The past decade witnessed a rapid digitization of vehicles, the ascent of electric powertrains, the advent of software-defined systems, and the ongoing development of autonomous vehicles. These technological advancements have elevated automobiles beyond mere modes of transportation. However, they also made vehicles increasingly susceptible to cyberattacks. Unfortunately, the pace of implementing in-vehicle cybersecurity measures has lagged behind the speed of innovation, leaving modern vehicles at an alarming risk.

A comprehensive study conducted by IOActive has meticulously analyzed the trends in vehicle vulnerabilities, pooling data from 2016 to 2022. This study sheds light on the evolving threat landscape within the automotive industry, classifying data according to various attack vectors, namely local, physical, network, and peripheral RF.

Key Findings:

Networked Connection Attacks: The most striking revelation from the study is the surge in attacks exploiting networked connections, accounting for nearly half of all attacks in 2022. This signifies a prominent shift towards remote cyberattacks targeting vehicles.

Local Attacks: Local vehicle software, including operating systems, Electronic Control Units (ECUs), and Software Bill of Materials (SBOMs), accounted for 40% of disclosed vulnerabilities. This highlights the growing risk of exploiting vulnerabilities within a vehicle’s software ecosystem.

Physical Hardware Attacks: Physical hardware-associated vulnerabilities witnessed a significant decline, plummeting by 15%. This decline can be attributed to the automotive industry’s increasing focus on remote attack vectors.

Peripheral RF Attacks: Intriguingly, a novel category of attack vectors, peripheral RF attacks, emerged, representing 1% of the total vulnerabilities. This indicates the shifting landscape of vehicle cybersecurity needs and the expanding spectrum of threats.

Now, let’s delve into a closer examination of each attack vector:

Local Attacks

Local attacks primarily exploit vulnerabilities within the vehicle’s software ecosystem. Examples include attacks on operating systems, ECUs, and SBOMs. A common local attack is spoofing, where malicious actors send synthetic signals to deceive the vehicle’s systems. Spoofing can lead to incorrect data interpretation, posing substantial risks to vehicle operation and passenger safety.

Over the past decade, local attacks have seen a 6% increase, reflecting the industry’s struggle to defend against software-based attacks, exacerbated by the increasing complexity of software in modern vehicles. Robust in-vehicle security systems are essential to mitigating the risks of local software attacks. Manufacturers must employ effective testing measures to identify and rectify software vulnerabilities.

Physical Hardware Attacks

While physical hardware attacks have experienced a notable decline, they continue to pose a tangible threat. These attacks necessitate the physical presence of a threat agent. An attack on vehicle hardware could provide unauthorized access to critical vehicle components, potentially allowing a takeover of the vehicle.

For instance, a USB attack targeting a vehicle’s infotainment system could compromise the Controller Area Network (CAN). To address these vulnerabilities, vehicle security systems must incorporate robust gateway security measures to protect against hardware-based intrusions.
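One way such gateway filtering can work, shown as an added example that is not taken from the original post or from any AUTOCRYPT product: frames crossing from the infotainment bus are forwarded only if their ID is allowlisted for that route, their length matches, and their rate stays within budget. The bus names, CAN IDs, lengths and rates are all constructed for illustration.

```python
from collections import defaultdict, deque

# Hypothetical routing policy for frames crossing from the infotainment (IVI)
# bus to the powertrain bus. IDs, lengths and rates are constructed.
POLICY = {
    ("ivi", "powertrain"): {
        0x3A0: {"dlc": 2, "max_per_sec": 10},
        0x3B5: {"dlc": 1, "max_per_sec": 5},
    },
}


class Gateway:
    """Default-deny router between CAN domains with a drop log for monitoring."""

    def __init__(self, policy):
        self.policy = policy
        self.recent = defaultdict(deque)  # forwarded timestamps per route and ID
        self.drop_log = []

    def route(self, ts, src, dst, can_id, data):
        # Anything without an explicit rule for this route is dropped.
        rule = self.policy.get((src, dst), {}).get(can_id)
        if rule is None:
            return self._drop(ts, src, dst, can_id, "id_not_allowlisted")
        # An allowlisted ID must still carry the expected payload length.
        if len(data) != rule["dlc"]:
            return self._drop(ts, src, dst, can_id, "unexpected_length")
        # Sliding one-second window: discard old entries, then check the budget.
        window = self.recent[(src, dst, can_id)]
        while window and ts - window[0] >= 1.0:
            window.popleft()
        if len(window) >= rule["max_per_sec"]:
            return self._drop(ts, src, dst, can_id, "rate_exceeded")
        window.append(ts)
        return "forward"

    def _drop(self, ts, src, dst, can_id, reason):
        # Dropped frames are recorded so an intrusion detection system can alert.
        self.drop_log.append(
            {"ts": ts, "src": src, "dst": dst, "can_id": hex(can_id), "reason": reason}
        )
        return "drop:" + reason


# Constructed traffic: (timestamp_s, source bus, destination bus, CAN ID, data)
SAMPLE = (
    [
        (0.00, "ivi", "powertrain", 0x3A0, bytes([21, 0])),  # normal request
        (0.10, "ivi", "powertrain", 0x0C4, bytes(8)),        # ID has no rule
        (0.20, "ivi", "powertrain", 0x3A0, bytes(8)),        # wrong length
        (0.30, "ivi", "body", 0x3A0, bytes([21, 0])),        # route has no rules
    ]
    + [(1.00 + i * 0.01, "ivi", "powertrain", 0x3B5, b"\x01") for i in range(6)]
    + [(2.50, "ivi", "powertrain", 0x3B5, b"\x01")]          # after the burst
)


def run_sample():
    """Route the constructed traffic and return (decisions, drop_log)."""
    gw = Gateway(POLICY)
    decisions = [gw.route(*frame) for frame in SAMPLE]
    return decisions, gw.drop_log


if __name__ == "__main__":
    decisions, drops = run_sample()
    for frame, decision in zip(SAMPLE, decisions):
        print(f"{frame[0]:.2f}s {frame[1]}->{frame[2]} id={frame[3]:#05x} {decision}")
    print(len(drops), "frames dropped and logged")
```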

Networked Connection Attacks

Emerging as a recent development, networked connection attacks exploit far-field RF spectrum, including wireless and cellular connections, backend networks, and vehicle-to-everything communications. Securing messages exchanged through vehicle-to-everything (V2X) communication channels is of paramount importance, particularly as the industry is gearing up for autonomous driving. Ensuring the authenticity of V2X messages is crucial to prevent masquerading attacks, which can disrupt traffic and compromise vehicle systems.

Original equipment manufacturers (OEMs) must implement cybersecurity practices that authenticate information and signals exchanged through V2X communications to mitigate the risks associated with networked connection attacks.

Peripheral RF Attacks

Peripheral RF attacks originate in the near-field RF spectrum, encompassing technologies like NFC, RFID, remote key entry, and on-board telematics. The 1% growth in peripheral RF attacks, as identified by IOActive’s analysis, is largely attributed to vulnerabilities related to Remote Key Entry (RKE) and Bluetooth.

One common manifestation of a peripheral RF attack is a relay attack, notably compromising key fob technology. Such attacks can allow unauthorized access to vehicles and even the ability to remotely start them. These attacks have become one of the most common causes of vehicle theft. In 2022, AUTOCRYPT’s Vehicle Threat Research Lab discovered a high severity (CVSS 8.1) relay attack vulnerability (CVE-2022-38766) in a popular electric vehicle in Europe. To counter these threats, vehicle owners can employ signal-blocking devices, while manufacturers should implement comprehensive cybersecurity measures to monitor and filter traffic at the gateway.

Vehicle attack vectors

In light of these evolving trends and vulnerabilities, it is imperative that advancements in the automotive sector go hand in hand with the development of robust cybersecurity measures.

AUTOCRYPT offers end-to-end vehicle cybersecurity solutions that safeguard vehicles from both internal and external threats, ensuring the continued safety and security of modern automobiles.