Who Might Launch Cyberattacks on Connected Cars and Why?

Cyberattacks on connected cars have long been considered a potential threat to the safety of road users and pedestrians. Fortunately, we have not yet seen any reports of major cybersecurity incidents that directly affected safety-critical vehicle systems, mostly because the automotive industry has been preparing for such attacks long before any hackers have had a chance to gain a footstep in the connected car ecosystem, but also because the financial incentives of hacking vehicles have not been appealing enough to make them primary targets.

However, this does not mean that the automotive and mobility industry will not become a primary target in the future. Since 2020, cybercriminals have been frequently crossing the boundaries of IT and stepping into the OT (operational technology) environment, disrupting physical operations at factories, airports, power plants, pipelines, and even hospitals. Likewise, as the connected car ecosystem continues to grow and V2X-based autonomous driving begins to take off, there is an increased possibility that vehicles and C-ITS infrastructure could one day become a primary target of cyberattacks.

Therefore, to keep itself ahead of any potential cybercriminals, it is important for the automotive and mobility industry to analyze and predict who might be the potential perpetrators and why they would want to launch an attack. These predictions can then be used to guide the TARA (Threat Assessment and Remediation Analysis) process, followed by threat modeling and penetration testing.

These are some of the potential threat actors who might be interested in hacking the connected car ecosystem.

Nation States

Along with military strength and economic power, cyber capability has become another hidden force for countries to exert influence on the world stage. Many nation states today target their adversaries with cyber campaigns ranging from espionage and infiltration to DDoS and ransomware attacks. Common targets include government agencies, infrastructure operators, healthcare providers, schools, and businesses. As the connected car ecosystem continues to expand, nation states could target vehicles and roadside infrastructure to gain big data on a country’s road network, including details on the locations of cameras and traffic lights as well as traffic movements. The personally identifiable information (PII) associated with each vehicle owner can also be exploited to launch targeted infiltration and phishing campaigns against high-profile individuals.

In the worst-case scenario of an armed conflict, hostile states could even try to disrupt the C-ITS infrastructure to cause traffic chaos and accidents. Under Vehicle-Infrastructure Cooperated Autonomous Driving (VICAD), vehicles rely on the V2X messages received from roadside cameras and infrastructure for autonomous driving. In such a network, a DDoS attack against any of the crucial infrastructure systems can cause autonomous vehicles to lose cooperative driving capabilities and be forced to switch back to manual and ADAS driving, leading to sudden and unexpected disruptions to traffic on a wide scale.

Hacktivists and Terrorists

Hacktivists are self-organized hackers that target specific governments or organizations to raise public awareness on certain political or social causes. For those who want to target an automotive manufacturer or regional government, launching an attack against the OEM’s connected car fleets or a regional C-ITS infrastructure can be a quick and effective way to make their voices heard. In February 2022, an unknown hacker targeted a supplier of Toyota’s key components, forcing the OEM to shut down operations for 24 hours. In the future, a similar attack might be targeted directly at vehicle fleets.

Whereas hacktivists target organizations, terrorist groups target citizens. Terrorist groups in the future could also launch disruptive attacks against connected cars and road infrastructure to generate fear among the public. In an extreme case, they could even try to take control of an autonomous vehicle remotely and manipulate the vehicle to trigger crashes.

Ransomware Gangs

Ransomware gangs are financially motivated criminals that deploy ransomware on targeted networks to encrypt systems and steal sensitive data. The victims are then forced to pay a ransom if they want their system decrypted or to prevent the stolen data from being released or sold. Just like how these ransomware operators target enterprise networks, it is technically possible for them to infect connected cars with ransomware that locks certain vehicle functions until the victims pay the ransom.

The good news is that the technical difficulty of intruding a connected car system is much higher than that of an enterprise system. Even if the ransomware gets successfully deployed, the ransom payment the attacker can exploit from an individual vehicle owner is very limited. Hence, ransomware attacks against private vehicles remain very unlikely in the foreseeable future. Alternatively, attackers could try to infect the OEM’s servers to disable OTA services and steal the sensitive data of vehicle owners, forcing the OEM to make the payment.

Criminal Groups and Thieves

Criminal groups and thieves can exploit autonomous vehicles and use them as a tool to commit crimes. For instance, they could gain remote control to a parked vehicle and redirect it to a remote area under their control to steal the personal belongings of the owner. They could also control these vehicles for illegal trafficking by hiding cash, weapons, or drugs inside. Nonetheless, despite being a possibility on paper, these tactics are too complex for most criminal groups and are not likely to be exploited anytime soon.

A Well Protected Connected Car Ecosystem

Despite all the possibilities of being targeted by a wide array of perpetrators, connected cars remain the safest tech devices today. Thanks to the advanced planning and early integration of robust cybersecurity measures by the industry, launching any profitable cyberattacks on the connected car ecosystem remains extremely difficult even for the most sophisticated hackers.

AUTOCRYPT has been constantly working with OEMs and suppliers to ensure a safe and smooth transition into the connected car ecosystem. From V2X connections to in-vehicle systems, electric vehicle charging infrastructure to mobility services, AUTOCRYPT protects every endpoint to ensure that cybersecurity risk is kept at a minimum.

To learn more about AUTOCRYPT’s end-to-end solutions, contact global@autocrypt.io.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

Infographic: Potential Cyberattacks in Connected Cars and Mobility

Cyberattacks in connected cars are becoming an increasing threat. A modern connected car has a highly sophisticated electrical/electronic (E/E) architecture that contains up to 100 electronic control units (ECU) linked through multiple Controller Area Network (CAN) buses. Moreover, vehicle and driving data generated from the internal system are exchanged and shared with outside parties–including the OEM cloud, third-party clouds, smartphones, and other road users–through various forms of connectivity protocols, from satellite and Bluetooth to Wi-Fi and cellular. As a result, the modern vehicle contains a lot of endpoints that may be vulnerable to attackers. To secure a connected vehicle, it is crucial to consider all potential attack vectors that attackers could use, from man-in-the-middle (MitM) attacks to message spoofing.

The below infographic illustrates some of the most common entry points and how they must be secured.

potential cyberattacks in connected cars and mobility infographic 1/3
potential cyberattacks in connected cars and mobility infographic 2/3
potential cyberattacks in connected cars and mobility infographic 3/3

Download PDF

(Accessibility version below)

Entry Point I. Head Unit

The vehicle’s head unit is the closest entry point to its internal system, often containing a mainboard ECU that serves the infotainment system, and a gateway ECU that directs application requests to the CAN bus. If a hacker gains access to the head unit, they are only one step away from gaining control of the CAN buses and ECUs, potentially taking over the vehicle.

Risks? Vehicle hijacking, vehicle takeover

By who? Criminals


AutoCrypt IVS

  • Intrusion detection and protection system (IDPS)
  • ECU protection
  • Vehicle security operations center (vSOC)

Entry Point II. V2X Messages

In the C-ITS environment, V2X messages are transmitted between road participants like vehicles, infrastructure, and pedestrians in real-time. Attackers can attempt to spoof the V2X messages broadcasted from these participants, leading to wrong judgments and even potentially controlling the targeted vehicles. They could also sniff the messages to steal data.

Risks? Vehicle hijacking, vehicle takeover, theft, terrorism, data breach

By who? Nation-states, criminals, thieves


AutoCrypt V2X

  • Message encryption
  • User verification via Security Credential Management System (SCMS)
  • Integrated certificate management

Entry Point III. EV Charging Station

When an EV is plugged into a public charging station, the charging operator collects the owner’s membership and payment card information for transaction processing. An attacker can target the Plug&Charge (PnC) system to steal membership credentials and credit card details, or potentially attack the power grid.

Risks? Data breach, payment card fraud

By who? Nation-states, criminals


AutoCrypt PnC

  • PKI-based Plug&Charge user verification
  • Message encryption
  • OCPP support

Entry Point IV. OBD-II Port

Onboard diagnostics (OBD) tracks a vehicle’s condition and driving behaviour. Such information is used by fleet operators and technicians for management and maintenance. The OBD-II port provides access to information on the powertrain, emission control systems, Vehicle Identification Number (VIN), and all kinds of driving information. When targeting the OBD-II port, an attacker could gain access to these sensitive data and possibly even inject malicious code into the CAN bus.

Risks? Vehicle hijacking, data breach

By who? Nation-states, criminals


AutoCrypt IVS

  • Intrusion detection and protection system (IDPS)

AutoCrypt FMS

  • Secure fleet management through machine learning and AI
  • Proprietary OBD-II units

Entry Point V. Smart Key

Smart keys unlock a vehicle with electronic signals. Unlike keys with buttons, smart keys continuously release signals to allow keyless entry. Thieves could hack the smart key and redirect the signals to unlock and even turn on a car.

Risks? Vehicle theft

By who? Thieves


AutoCrypt Digital Key

  • PKI-based certification and user verification
  • Carsharing and restriction settings

Entry Point VI. Telematics Control Unit

The TCU facilitates all wireless communications between the vehicle and the outside world, normally containing an eSIM, radio data system (RDS), Bluetooth, Wi-Fi, and a V2X connectivity unit. When the attacker access the telematics of a vehicle, possibly by injecting malware through a malicious app on a connected smartphone, they could attack the head unit directly.

Risks? Vehicle hijacking, vehicle takeover

By who? Criminals


AutoCrypt IVS

  • Intrusion detection and protection system (IDPS)

AutoCrypt V2X

  • User verification via Security Credential Management System (SCMS)

What Are Connected Cars and How Safe Are They?

The age of connected cars

Connected cars are no longer a thing of the future – the truth is that many of us are already driving one of these without realizing it. A connected car is a vehicle with internet connectivity and the ability to send and receive data. Since cars have been equipped with Bluetooth and GPS connections since long ago, the transition to internet connectivity is not as noticeable. Vehicles are generally connected in two ways: embedded and tethered. Cars with embedded internet connectivity come equipped with a built-in antenna and chipset to access the internet directly. On the other hand, cars with tethered connectivity connect to another device (i.e. smartphone) to borrow its internet connection.

Prevalent features of connected cars

Some connected features have already become prevalent in most newly manufactured cars. Take the navigation system, for example, a GPS navigation without an internet connection would not be able to provide any real-time information, and tend to show a significant lag at detecting locations. Many of the navigation systems today come equipped with embedded internet connectivity and provide real-time updates on all kinds of information including traffic jams, accidents, prices of nearby gas stations, and weather conditions. Another common feature of cars today is smartphone integration. Almost every vehicle sold in 2020 has Android Auto and Apple CarPlay as available options. This feature allows you to integrate your Android and iOS smartphones with the infotainment system so that you can access the contents of your phone through the infotainment screen. Car buyers today increasingly look for these convenience features for their new car. The infotainment system has become just as important a decision factor as the engine.

The future of connected cars

So far, internet connectivity for vehicles only seems to be a fancy add-on feature for entertainment purposes. Meanwhile, we are at a transition phase where internet connectivity is gradually becoming a necessity. With increased coverage of 5G infrastructure, autonomous driving with preventative safety features will soon kick in as the new standard, making our transportation system smarter. A smart transportation network is sophistically interconnected. Not only will vehicles be connected to our smartphones (vehicle-to-device, V2D), vehicles will connect and communicate with other vehicles on the road (V2V), with pedestrians (V2P), with infrastructures (V2I), and with the power grid while charging (V2G). All these connections are part of the vehicle-to-everything (V2X) network. How do these connections help? A vehicle in the V2X network would be able to automatically avoid physical contact with other vehicles, follow speed limits, and stop at traffic lights, without the need for manual intervention. Indeed, we are still a few steps away from full automation because it requires the active involvement of multiple parties, including governments. Nevertheless, starting from the high-end market, semi-autonomous vehicles will soon dominate our roads.

Click here to see how autonomous driving is classified and which stage your car is at.

Are connected cars safe?

The short answer is yes. Connected cars tend to have smart and preventative safety measures that older cars lack. However, these advanced features are only safe if the system works properly, thus keeping all the connections secured from potential cyberattacks is a crucial part of automotive safety. There is a key difference between IT security and mobility security. In an IT network, you make the connections, then secure them. In a V2X network, you cannot make the connections without securing them in the first place, thus there can be no such thing as an unsecured connection. This is why AUTOCRYPT is a key component of the V2X network. The bad news is that since we are at a relatively silent transition phase, some automakers seem to be lagging behind at adapting to the security standards of connected vehicles. Let’s take a look at this recently disclosed issue.

“Critical security vulnerabilities found on Volkswagen and Ford vehicles”

In early April, Britain-based Consumers’ Association, branded as Which?, teamed up with cybersecurity professionals to examine the connected elements of the two most popular cars in Europe – the Volkswagen Polo SEL TSI Manual 1.0L gasoline, and the Ford Focus Titanium Automatic 1.0L gasoline. The examination resulted in the discovery of several serious vulnerabilities that pose privacy and safety risks to the vehicle owners. First of all, the examiners were able to hack into the infotainment system of the Volkswagen Polo by exploiting a vulnerability found in the electronic traction control system. The infotainment system contains the personal data of the user, including their whole phone contact list, call history, and location history. Another vulnerability involved significant safety concerns. The examiners obtained access to the front radar module by simply opening up the VW emblem from outside the car. Gaining access to the radar system allows hackers to tamper with the collision detection and warning system. This could cause life-threatening consequences, especially if the vehicle were to travel in autonomous mode. The examiners were also able to interfere with the messages sent from the tire pressure monitoring system on the Ford Focus, and trick the system to display that the tires are fully inflated when they are actually flat.

Source: Which?

Only two vehicles were chosen for this experiment. More likely than not, a handful of other vehicles would have similar vulnerabilities. At first glance, these issues may not seem that vital. Some may say, “So what if the collision detection system malfunctions? You are supposed to keep your eyes on the road anyways.”

Indeed, as of now, these issues do not seem that harmful. However, remember that we are still at a transitional stage. As cars gain increased autonomy, such vulnerabilities would no longer be tolerated. You don’t want your vehicle to bump into the wall during remote parking, a feature that most news cars already have today. Mobility security deserves more attention. As consumers, we must treat these issues seriously to help build a better future for transportation.

For more information on how AutoCrypt V2X protects connected vehicles, click here.

How Do Vehicles Connect to the Internet and Why Would Someone Hack Them?

It has only been a little more than a decade since the introduction of the smartphone, yet they have now replaced laptops and desktops as the primary personal computing device. As we become so used to being connected to the Internet anytime and anywhere, more and more “things” now come equipped with such connectivity. One of the most common Internet of Things (IoT) devices are vehicles, but what happens when vehicles connect to each other and infrastructure?

How does vehicle connectivity work?

Most new cars in 2020 come with either embedded (built-in) or tethered (brought-in) internet connectivity, or a mixture of both. Vehicles with embedded connectivity are equipped with a built-in modem to directly receive cellular data, while those with tethered connectivity borrow the driver’s smartphone data to access the Internet (similar to WI-FI hotspots).

Most automakers offer embedded connectivity free trials for a few months, after which the driver would need to pay for continued internet access. This works similarly to a smartphone plan. For instance, AT&Tprovides a connected car data plan at cost per month for coverage in the US and Canada.

Some automakers offer embedded connectivity only for critical functions such as remote control and crash notification, and require tethered internet for all other entertainment purposes.

Whether having embedded or tethered internet connectivity, connected vehicles bring a lot of convenience and joy to the drivers. They have remote control features that allow users to unlock the doors, turn on the engine, and adjust the in-vehicle environment via their smartphone. They allow users to listen to the news, search for information, and access their smartphone all through voice control. In addition, they provide high definition streaming media content for both drivers and passengers.

Why hack a connected vehicle?

Wherever there exists an internet connection, there are security threats. The cyberthreats a connected vehicle system faces are very similar to that of a traditional IT system, in which almost all threat actors are driven by financial or political motives. In the context of a traditional IT system, the three most common objectives of cyberattacks are:

1) to exfiltrate or encrypt data for financial gains (by using the data for phishing and identity theft, selling the data to third parties, or demanding a ransom),

2) to steal intellectual property from adversaries (either businesses or political units), and

3) to disrupt operations and activities of adversaries (either businesses or political units).

In contrast, let us take a look at the most common objectives for someone to attack a car:

Vehicle theft

Believe it or not, vehicle thefts are still common. Over 150,000 vehicles were stolen in California alone in 2018 according to the Insurance Information Institute. Connected cars with smart or digital keys might decrease the chance of theft from unskilled thieves, but could as well increase the chance of theft from high-skilled hackers.

Personal data theft

Connected vehicles collect and store tons of personal data. At the very least, they store the driver’s contact list, call history, calendar, search history, entertainment preferences, driving history, and location data. Some might even store financial information for automatic payment of toll fees and EV charging fees. Attackers who gain the data may use them for identity theft, sell them to third parties, or blackmail the car owner for ransoms.

Personal attack or terrorism

This is perhaps the most concerning risk involving connected vehicles. When used abusively, cars have the potential to cause serious physical damage and death. When a threat actor hacks the system and takes full control of a car, the car becomes a destructive weapon that can be used to target specific individuals or the general public. What’s worse is that such a crime would be very difficult and expensive to solve as cybercriminals are much harder to catch.

Notice that under the third objective, a so-called cyberattack has crossed the line of cyberspace to threaten our physical safety. This has always been the biggest concern of autonomous driving. To prevent criminal groups and terrorists from destroying our transportation system, governments must work with industry experts to establish a complete international regulatory compliance for vehicle security.

In a traditional IT system, we create the network, then secure it. In a connected car system, we secure first, then ride. Having an unsecured car network is essentially the same as having a bridge built with substandard materials. This is why it is critical for us to understand where the weaknesses come from and protect them accordingly. To read more on the specific threats modern vehicles face, click here.

IoT, Connected Vehicles, and Transport Security

IoT, Connected Vehicles, and Transport Security 

As IoT technology advances, we start to wonder if the security around the technology is sufficient enough. The time has come to assume that people with somewhat accessibility to IoT devices know how it should have stronger security than ICT security as it can directly affect and control the devices and cause actual and physical damages when exploited. 

Autonomous Security and Regulative Security

Simply put, there are basically 4 areas that need security in the IoT environment: 1) smart home, 2) smart factory, 3) smart car, and 4) smart energy grid. 

1) and 2) tend to have the nature of being autonomous. Users can decide whether they need IoT implementations and if or when they do, they get to make their own decision of whether their implementations need security applications or not. In terms of factories, it is critical to apply security for the sole reason of safety, however, most of the factories haven’t even applied the existing ICT security as we know it.

This is when autonomous security slowly sprawls in as a form of crisis management. Crisis management in the context of IoT security most likely explains why security, of any sort, is applied only after an accident occurs. This is just like how personal computers are secured nowadays, hence most of the IoT security companies are setting their minds on this method. It’s easier and more convenient, as it resembles the ICT security application method rather than the ideal IoT security we expected. 

3) and 4) rather have the nature of being regulative. 3) not only threatens the safety of oneself but also for others and 4), in order to allow billing (pay-per-use of energy) to be programmed fairer, it is critical to have strict management and security supervision. Therefore, regulatory security can innovatively be applied as a method of pre-emptive security.

After all, being pre-emptive is all about minimizing the risks and threats after deciding to deploy security measures in the very early stages, like when designing the entire system, in the first place. It’s inevitable in order to prevent hazards and unfair charges. It’s similar to constructing private networks for the existing major infrastructures like the nuclear power plants, where they are only operated once enough security has been applied throughout the system and the network. It is established on a nationwide scale as an infrastructure, which is perceived as an integral technology application process.

IoT Security as Life Security

Since IoT is a combination of the existing IT security and OT (operational technology) it has higher risks of suffering from physical damages when failed to protect from threats. Therefore it follows rather stricter rules and regulations compared to OT, which definitely needs closed-security by blocking any risks prior to connection. 

If failed to accomplish proper IT security, the losses are exploited assets at most, however, in OT security, it could end up threatening human lives. Let’s take a look at vehicles. Everything that has to do with insufficient vehicle security threatens safety. Remotely controlling the steering wheel or locking the vehicle, changing the speed and stopping the engine, and manipulating the GPS location – all these examples have actually been carried out by hackers. 

Therefore security in vehicles means more than just protecting the vehicles. Many countries are establishing and practicing vehicle security-related regulations. The US has announced strict regulations such as ‘SELF DRIVE Act’, ‘DoT Guideline’, ‘AV START Act’, and the EU as well with their own ‘EC C-ITS’ business, smart car cybersecurity-related recommendations by ‘ENISA’, in addition to the UK’s ‘Smart Car Cybersecurity Guideline’, ‘Vehicle Security Authentication Framework’ by EC, and ‘Vehicle Cybersecurity Principles’ by ACEA. In China, the government has established the ‘Vehicle Security Committee’ in 2016 and proceeded with its ‘China Cybersecurity Law’ since 2017. 

Vehicle Security is Transport Security 

However, vehicle hacking cannot be completed just by its in-vehicle security features therefore it is more about the overall transport security rather than protecting the vehicle itself. As vehicles become smarter and connected, their ‘simple internet connection’ is transforming to allow the vehicle to become a ‘transport network direct participant’ and now is on its way to universalization thanks to the development of 5G. 

It is critical to deploy V2X (vehicle-to-everything) communications security that is not only related to internal security but also other vehicles and intelligent transport systems like C-ITS. As a matter of fact, it needs to have the capability to support edge computing security, V2D (vehicle-to-device) mobile integration security, V2G (vehicle-to-grid) electric vehicle ecosystem security in order to fully accomplish the vehicle security system. Vehicle security is just like basketball’s full-court press, and it deals with the entire transport system’s safety, via its whole-system approach. 

On the other hand, the existing vehicle security is mostly about securing a simple internet connection, which explains the reason for the deployment of telematics server security, terminal security, and general web security. However, as the vehicle directly starts to participate in the transport network, the security also transforms itself to ‘transport security’. 

Vehicles also become connected to other vehicles, smart roads, and transport systems like RSU and C-ITS via V2X as well as to energy services such as EV charging systems and electrical grid via V2G. It is only feasible when there is technical infrastructure including the existing  ICT security and new technologies such as V2X and V2G, as well as distinct features of EV and PnC (plug-and-charge). In other words, this well explains the high barrier for new entrants to the market. 

The Future of IoT Security

There sure are other areas to look into in transport-related systems. In addition to the developments of vehicles and transport systems like C-ITS, the EV market is foreseen to be taking over the fuel market and expand and grow as much as the potentials of services and technologies. The EV market is not only about the vehicle itself, but also about the energy grid like the smart meter and forms the entire infrastructure. 

The industry also requires a higher level of technologies like ‘internet of things’ authentication or decision making due to the process limitations of central management and efficiency. We believe it’ll eventually lead to the development of BIoT (Blockchain + IoT) and guide the competitive edges.  Therefore, unlike the existing ICT security where issues were resolved by only taking financial responsibilities, IoT security could really have an impact on people’s lives. So the question is – the industry is evolving, but is the security really sufficient?