What Are the Potential Consequences of Cyberattacks on OEMs?

The automotive industry has changed drastically in the past decade, becoming increasingly software-driven. However, higher reliance on software comes hand in hand with a higher risk of cyberattacks, because a more complicated system backend has more potential entry points that malicious hackers can exploit. A cyberattack on an OEM can have dire consequences: it may affect sensitive company and customer data, disrupt supply chain operations, and tamper with vehicles produced by the OEM. This blog will explore some of the potential consequences of cyberattacks against OEMs.

Data Breaches

One of the biggest cyber threats to an OEM is a data breach. If an OEM’s system is attacked and a data breach occurs, the stored data could be stolen, compromised, or deleted, leading to various adverse effects on both the customers and the OEM.

During a data breach, malicious hackers can steal confidential customer data, such as personal identification numbers (PINs), social security numbers, medical records, and more. This valuable information can either be leaked or posted on the dark web for purchase. In any case, if the customers’ confidential data is exposed, malicious actors can use it to commit fraud, phishing, or an infinite number of other criminal activities. Not all data breaches are targeted toward retrieving customer data. Sometimes cyber criminals may want to access sensitive company information and steal trade secrets or intellectual property. Some breaches are purely destructive, with hackers accessing confidential data only to destroy it. 

Data breaches are extremely dangerous as they not only compromise data but also lead to a loss of customer trust in the OEM. On top of that, OEMs may face legal consequences or be fined for negligent cybersecurity practices that can end up costing a fortune.

Sometimes a breach into a company’s system may not be limited to stealing sensitive data. Malicious hackers may encrypt the data and request a ransom in exchange for a decryptor. Ransomware is designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organizations in a position where paying the ransom is the easiest way to regain access to their files.

In 2021, Kia Motors America allegedly suffered a ransomware attack, where the hackers requested $20 million to decrypt files and not leak confidential data. During the alleged ransomware attack, the OEM’s portals suffered a system outage. This resulted in the disruption of services where customers and dealerships across the country were unable to access their data. While financial damages were never disclosed, this incident ended up damaging the OEM’s reputation.

A cyberattack on an OEM can cause significant harm to customer data, leading to financial loss, legal consequences, and loss of customer trust. As such, it is crucial for OEMs to invest in robust cybersecurity measures to protect themselves and their customers from potential cyberattacks.

Supply Chain Disruptions

Software plays a critical role in making sure the automotive sector’s supply chain operates efficiently and effectively. A cyberattack on an OEM, or any other company within the supply chain, could disrupt the production of components that are critical to the supply chain. This could lead to delays in operations, holding up the delivery of final products down the supply chain. Delays in the supply chain will ultimately slow down the rollout of vehicles to customers. If this happens, not only does the OEM suffer financial losses, but the company’s reputation will also take a major hit. A similar incident happened in 2022, when a supplier of Toyota suffered a cyberattack. As a result, the OEM had to halt production, which ended up slashing production outputs by a third.

The effects of a cyberattack on the supply chain can be disastrous. Industry regulations like WP29 and ISO/SAE 21434 therefore hold OEMs accountable for enforcing cybersecurity practices, meaning that OEMs are obligated to make sure that cybersecurity measures are implemented across every company in the supply chain. This includes monitoring and auditing cybersecurity throughout the supply chain to demonstrate enforcement of the regulations at all times.

OEMs need to encourage cybersecurity measures at the base of all IT operations within the company and throughout the supply chain. Implementing cybersecurity measures is not limited to installing sophisticated cybersecurity software. It also includes utilizing encryption and authentication, as well as educating employees on cybersecurity practices that need to be honored in day-to-day operations.

Vehicle System Disruptions

While supply chain disruptions and data breaches have negative consequences on operations, finances, and company image, a cyberattack on a vehicle can escalate into a life-and-death situation.

Modern vehicles run on around 100 million lines of code which enable many advanced features beloved by customers. Unfortunately, hackers can exploit vulnerabilities in complex vehicle software to gain unauthorized access to in-vehicle systems. We have seen reports of hackers breaking into vehicles using car infotainment systems, key fobs, or Wi-Fi dongles. But hackers can also gain access to a car by attacking the OEM’s server. Hackers can inject malware into a company’s server, which can then spread to the vehicle’s systems via over-the-air software updates or other connections. The malware can then allow them to take control of the vehicle’s functions or steal data.

If the OEM system has remote access capabilities, through cellular or Wi-Fi connections, hackers can attempt to exploit vulnerabilities in these connections to gain access to the vehicle’s systems. This can allow them to remotely control the vehicle’s functions, such as acceleration, braking, and steering. If malicious hackers gain access to vehicle controls, this can wreak havoc on the roads and put millions of lives in danger.

Companies must secure in-vehicle systems and conduct regular security assessments to mitigate the risks of vehicle-targeted cyberattacks. The automotive industry can collaborate with cybersecurity experts to stay on top of vehicle cybersecurity regulations and best practices. This can help the industry get access to effective solutions that address emerging cybersecurity risks. For instance, AutoCrypt IVS specializes in securing in-vehicle systems by protecting the vehicle from external attacks, monitoring communications within the vehicle, and responding to any abnormal activities.

The increasing reliance on software in the automotive industry has created new cybersecurity risks. To address these risks, OEMs have to prioritize cybersecurity within the company, across the supply chain, and in every vehicle on the road by developing a comprehensive cybersecurity framework. Cybersecurity should be ensured at multiple levels. First, OEMs must secure internal IT systems and operations. On the second level, OEMs will need to secure the supply chain and encrypt all communications between partner companies. Lastly, OEMs must employ in-vehicle security measures that make sure vehicles are protected against internal and/or external threats.

Who Might Launch Cyberattacks on Connected Cars and Why?

Cyberattacks on connected cars have long been considered a potential threat to the safety of road users and pedestrians. Fortunately, we have not yet seen any reports of major cybersecurity incidents that directly affected safety-critical vehicle systems. This is mostly because the automotive industry has been preparing for such attacks since long before any hackers had a chance to gain a foothold in the connected car ecosystem, but also because the financial incentives of hacking vehicles have not been appealing enough to make them primary targets.

However, this does not mean that the automotive and mobility industry will not become a primary target in the future. Since 2020, cybercriminals have been frequently crossing the boundaries of IT and stepping into the OT (operational technology) environment, disrupting physical operations at factories, airports, power plants, pipelines, and even hospitals. Likewise, as the connected car ecosystem continues to grow and V2X-based autonomous driving begins to take off, there is an increased possibility that vehicles and C-ITS infrastructure could one day become a primary target of cyberattacks.

Therefore, to keep itself ahead of any potential cybercriminals, it is important for the automotive and mobility industry to analyze and predict who might be the potential perpetrators and why they would want to launch an attack. These predictions can then be used to guide the TARA (Threat Assessment and Remediation Analysis) process, followed by threat modeling and penetration testing.

These are some of the potential threat actors who might be interested in hacking the connected car ecosystem.

Nation States

Along with military strength and economic power, cyber capability has become another hidden force for countries to exert influence on the world stage. Many nation states today target their adversaries with cyber campaigns ranging from espionage and infiltration to DDoS and ransomware attacks. Common targets include government agencies, infrastructure operators, healthcare providers, schools, and businesses. As the connected car ecosystem continues to expand, nation states could target vehicles and roadside infrastructure to gain big data on a country’s road network, including details on the locations of cameras and traffic lights as well as traffic movements. The personally identifiable information (PII) associated with each vehicle owner can also be exploited to launch targeted infiltration and phishing campaigns against high-profile individuals.

In the worst-case scenario of an armed conflict, hostile states could even try to disrupt the C-ITS infrastructure to cause traffic chaos and accidents. Under Vehicle-Infrastructure Cooperated Autonomous Driving (VICAD), vehicles rely on the V2X messages received from roadside cameras and infrastructure for autonomous driving. In such a network, a DDoS attack against any of the crucial infrastructure systems can cause autonomous vehicles to lose cooperative driving capabilities and be forced to switch back to manual and ADAS driving, leading to sudden and unexpected disruptions to traffic on a wide scale.

Hacktivists and Terrorists

Hacktivists are self-organized hackers who target specific governments or organizations to raise public awareness of certain political or social causes. For those who want to target an automotive manufacturer or regional government, launching an attack against the OEM’s connected car fleets or a regional C-ITS infrastructure can be a quick and effective way to make their voices heard. In February 2022, an unknown hacker targeted a supplier of Toyota’s key components, forcing the OEM to shut down operations for 24 hours. In the future, a similar attack might be targeted directly at vehicle fleets.

Whereas hacktivists target organizations, terrorist groups target citizens. Terrorist groups in the future could also launch disruptive attacks against connected cars and road infrastructure to generate fear among the public. In an extreme case, they could even try to take control of an autonomous vehicle remotely and manipulate the vehicle to trigger crashes.

Ransomware Gangs

Ransomware gangs are financially motivated criminals that deploy ransomware on targeted networks to encrypt systems and steal sensitive data. The victims are then forced to pay a ransom if they want their system decrypted or to prevent the stolen data from being released or sold. Just like how these ransomware operators target enterprise networks, it is technically possible for them to infect connected cars with ransomware that locks certain vehicle functions until the victims pay the ransom.

The good news is that the technical difficulty of intruding into a connected car system is much higher than that of an enterprise system. Even if the ransomware gets successfully deployed, the ransom payment the attacker can extort from an individual vehicle owner is very limited. Hence, ransomware attacks against private vehicles remain very unlikely in the foreseeable future. Alternatively, attackers could try to infect the OEM’s servers to disable OTA services and steal the sensitive data of vehicle owners, forcing the OEM to make the payment.

Criminal Groups and Thieves

Criminal groups and thieves can exploit autonomous vehicles and use them as a tool to commit crimes. For instance, they could gain remote control of a parked vehicle and redirect it to a remote area under their control to steal the personal belongings of the owner. They could also control these vehicles for illegal trafficking by hiding cash, weapons, or drugs inside. Nonetheless, despite being a possibility on paper, these tactics are too complex for most criminal groups and are not likely to be exploited anytime soon.

A Well-Protected Connected Car Ecosystem

Despite all the possibilities of being targeted by a wide array of perpetrators, connected cars remain the safest tech devices today. Thanks to the advanced planning and early integration of robust cybersecurity measures by the industry, launching any profitable cyberattacks on the connected car ecosystem remains extremely difficult even for the most sophisticated hackers.

AUTOCRYPT has been constantly working with OEMs and suppliers to ensure a safe and smooth transition into the connected car ecosystem. From V2X connections to in-vehicle systems, electric vehicle charging infrastructure to mobility services, AUTOCRYPT protects every endpoint to ensure that cybersecurity risk is kept at a minimum.
