Cars have become rolling electronic devices, most of which are connected to the cloud or at least to a mobile phone. While that connectivity may make life more convenient for vehicle owners, it also can create cybersecurity nightmares for dealers and others.
Vehicles and their APIs, the software interfaces that connect vehicles to various services, have driven a surge in cyberattacks, according to a new report by Upstream, an Israel-based cybersecurity firm.
The massive amount of data generated by vehicles has opened new doors for “black-hat” actors to commit cyber crimes, according to Upstream’s report. Black-hat actors are defined as those who attack systems for personal or financial gain or for malicious purposes.
Connected vehicles represent both an opportunity and a risk for dealerships.
In CDK’s 2022 Connected Vehicle Technology survey, 93% of consumers agreed that having connected-car services would make a dealership service department more attractive to them. Connected-car services include maintenance alerts and customized purchase and service offers.
However, 70% were concerned about privacy risks of sharing their data with dealerships. The top reason for that concern was fear of the data falling into the hands of hackers or “other unfriendly entities.”
Those concerns are not unfounded.
The Upstream report notes that black-hat hackers are no longer just lone actors; they are often part of well-organized and well-resourced global organizations. Some 63% of cyberattacks in 2022 were carried out by black-hat actors, says Haim Kantor, Upstream vice president for North America.
The use of software APIs to access automotive features and generate additional revenue for auto manufacturers and suppliers has created a huge area of cybersecurity vulnerability, the report finds.
In 2022, API-related automotive cyberattacks rose 380% compared to 2021, says Upstream. Remote attacks more broadly accounted for 85% of all attacks between 2010 and 2021 and for 97% of attacks in 2022 alone.
“Remote attacks rely on connectivity (such as Wi-Fi, Bluetooth and 3/5G networks) and have the potential to impact multiple vehicles simultaneously,” says the report.
The huge increase in 2022 involved attacks on multiple automakers rather than the handful of automakers or single automakers victimized in the past, says Shachar Azriel, Upstream's vice president of data. The automakers themselves have fed this rise by relying on a growing number of API-dependent income streams, he says, “which make it cheaper and easier to hack cars.”
That includes APIs that unlock additional features such as heated seats and APIs that grant access to services such as car subscriptions. APIs accounted for 12% of cyberattacks in 2022, according to the report.
The party or parties behind such attacks are not always nefarious black-hat players. These vulnerabilities have been attacked by so-called “gray-hat” hackers – those who just want to access the feature or service for free, says the report. For example, in July 2022, after BMW announced it would charge a monthly fee for heated seats, the internet was awash with offers of help hacking the software to obtain a warm seat without paying the automaker for it.
While that may seem harmless, says the report, “gray-hat attackers negatively impact manufacturers’ credibility and revenue by accessing paid services and manipulating systems. Furthermore, the vulnerabilities they expose, and often disclose in forums on the deep and dark web, can be exploited by malicious hackers.”
Popular software-enabled conveniences such as remote keyless entry are ripe for cyberattack. In 2022, remote keyless vehicle thefts and break-ins accounted for 18% of total remote incidents, says the report, “often leaving the police and insurers completely in the dark.”
Electric-vehicle charging has also emerged as an attack vector that “dramatically changes the way that vehicles are protected,” says Kantor. Attacks on EV charging infrastructure increased 4% in 2022, the report finds. While that may seem like a small number, “when you know the investment that is going into the EV sector by governments and other bodies…this number is just going to increase dramatically,” says Kantor.
The EV charging infrastructure attack vector deserves special attention because it “demonstrates how mobility assets become a high priority (for hackers) due to their impact on thousands of vehicles,” says Azriel.
Another trend Upstream identified in 2022 is a dramatic increase in data sharing on the dark web. Automotive-related discussions on the dark web surged 35% in 2022 compared to the previous year and were largely related to attacks on modern vehicles and software components, the report says. The most popular topics were source-code leaks, data leakage and leaked databases. Infotainment hacking and car-hacking tools and tutorials were also top discussion topics.
This info sharing is critical because it “can decrease the mitigation time between discovering the vulnerability or a security breach on the deep and dark web and the time it reaches the masses and can be exploited by security actors,” says Azriel.
In 2023, Upstream sees several cybersecurity themes rising to the top. Fleetwide attacks will increase across the entire mobility system because of the potential for massive financial gain, says Kantor.
Attacks on EV charging infrastructure, already prominent, will expand to local grids, while gray-hat actors, including vehicle owners themselves, will become more active in trying to hack features and subscriptions, predicts Upstream.
New cybersecurity regulations are being passed and implemented, and players including automakers, suppliers, dealers and vendors need to have a vehicle security operations center, or vSOC, in place in case of an audit, says Azriel.
Auditors expect to see “the ability to ingest and monitor data from your fleet,” he says. They will also want to see the methodology to deal with cybersecurity, including a playbook and long-term road map.
“Start simple and have a long-term vision,” advises Azriel.
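As an added illustration of the fleet-monitoring capability Azriel describes (this is example code written for this page, not code from Upstream or from the report), the script below runs a single vSOC-style detection over a constructed sample of vehicle-API access logs: it flags one API client that successfully unlocks a paid feature across many distinct VINs within a short window, the fleetwide API-abuse pattern the report attributes to both gray-hat and black-hat actors. The log format, the field names (client_id, vin, endpoint), the endpoint path and the thresholds are assumptions chosen for the example; a real backend will have its own schema.

```python
"""Minimal vSOC-style check over constructed vehicle-API access logs.

Added example for illustration only; not Upstream's code. The log layout,
endpoint path and thresholds below are assumptions, not a real automaker API.
Rule: one client successfully enabling a paid feature on >= min_vins distinct
VINs inside a sliding window is a fleetwide-abuse signal, while an owner app
touching its own car repeatedly, or a dealer tool working one car per hour,
is not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format):
# timestamp client_id vin endpoint http_status
SAMPLE_LOGS = """\
2022-07-12T10:00:01Z app-7f3a WBA000001 /v1/features/heated-seats/enable 200
2022-07-12T10:00:09Z owner-c1 WBA111111 /v1/features/heated-seats/enable 200
2022-07-12T10:00:44Z app-7f3a WBA000002 /v1/features/heated-seats/enable 200
2022-07-12T10:01:30Z app-7f3a WBA000003 /v1/features/heated-seats/enable 200
2022-07-12T10:02:15Z app-7f3a WBA000004 /v1/features/heated-seats/enable 403
2022-07-12T10:02:16Z app-7f3a WBA000005 /v1/features/heated-seats/enable 200
2022-07-12T10:03:02Z dealer-ops WBA222201 /v1/features/heated-seats/enable 200
2022-07-12T10:03:57Z app-7f3a WBA000006 /v1/features/heated-seats/enable 200
2022-07-12T10:04:40Z app-7f3a WBA000007 /v1/features/heated-seats/enable 200
2022-07-12T10:30:00Z owner-c1 WBA111111 /v1/features/heated-seats/enable 200
2022-07-12T11:03:02Z dealer-ops WBA222202 /v1/features/heated-seats/enable 200
2022-07-12T12:03:02Z dealer-ops WBA222203 /v1/features/heated-seats/enable 200
2022-07-12T13:03:02Z dealer-ops WBA222204 /v1/features/heated-seats/enable 200
2022-07-12T14:03:02Z dealer-ops WBA222205 /v1/features/heated-seats/enable 200
2022-07-12T15:03:02Z dealer-ops WBA222206 /v1/features/heated-seats/enable 200
this line is malformed and must be skipped, not crash the pipeline
"""


def parse_log(text):
    """Parse the constructed log into time-sorted (when, client, vin, endpoint, status) tuples.

    Malformed lines and unparsable timestamps are skipped so one bad record
    cannot stall fleet ingestion.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, vin, endpoint, status = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((when, client, vin, endpoint, status))
    events.sort(key=lambda e: e[0])
    return events


def detect_fleetwide_abuse(text, window_minutes=10, min_vins=5):
    """Return one alert per (client, endpoint) that hit >= min_vins distinct VINs
    with 2xx responses inside any window of window_minutes.

    Only successful calls count: a burst of 403s is a different signal
    (credential stuffing / enumeration) and would get its own rule.
    """
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for when, client, vin, endpoint, status in parse_log(text):
        if status.startswith("2"):
            by_key[(client, endpoint)].append((when, vin))

    alerts = []
    for (client, endpoint), evs in by_key.items():
        # Sliding window over this client's time-ordered successful calls;
        # keep the largest set of distinct VINs seen inside one window.
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            vins = {v for _, v in evs[start:end + 1]}
            if len(vins) > len(best):
                best = vins
        if len(best) >= min_vins:
            alerts.append({
                "client_id": client,
                "endpoint": endpoint,
                "distinct_vins": len(best),
                "vins": sorted(best),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fleetwide_abuse(SAMPLE_LOGS):
        print(f"ALERT {alert['client_id']} {alert['endpoint']}: "
              f"{alert['distinct_vins']} VINs in one window -> {alert['vins']}")
```

With the defaults only `app-7f3a` is flagged (six successful unlocks on six different cars in under five minutes); the owner app and the dealer tool stay quiet, and the failed 403 attempt is not counted toward the VIN total. Widening the window to six hours makes the dealer tool fire as well, which is the tuning trade-off a playbook has to document: the threshold that catches a scripted attacker also decides how much legitimate fleet-operations traffic the vSOC has to triage.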