In July last year, BMW announced its intention to make heated seats an $18-per-month subscription service.
A week later, a group of hackers called Easy Bimmer Coding claimed they were ready to help any BMW owner unlock the subscription-only feature. Most of today’s cyber-threats look more like this one: relatively low-profile offences replicated many times. While not as eye-catching as taking remote control of a car’s steering and throttle, these mundane incidents could be costing the industry an eye-watering sum every year, according to two cyber-security experts. Speaking at an annual mobility conference in Moscow attended by the author, they reflected on current trends in cyber risk for mobility companies.
The average driver’s risk of being attacked is increasing, said Evgeniya Ponomareva, global alliance manager at Kaspersky Lab. In 2022 alone, the number of cyber-attacks grew by 225%, against a 134% increase in the number of connected vehicles on the road, according to a separate report by Upstream Security. By the end of 2023, the cumulative five-year loss from cyber-breaches at automakers, Tier-1 and Tier-2 suppliers and mobility companies may exceed $500Bn, said Vladimir Pedanov, CEO at Autovisor and a member of the UNECE WP.29 working group, citing a 2019 forecast by Accenture.
Cyber-crime is scalable
The recent growth in attacks is partly due to the emergence of new types of malicious actor. The first is what experts call ‘activists’: inexperienced offenders, often adolescents, who follow detailed instructions posted in online hacker communities. For example, activists proved to be a major threat in the well-known TikTok Kia Challenge, which resulted in four deaths in the US and Australia in 2022.
The second is vehicle owners themselves, who want to unlock paid-for features in their own cars, as in the BMW heated-seats case. What the two groups have in common is that most perpetrators lack the skills to carry out a breach on their own; instead, they follow instructions from professional hackers. The upshot is that fewer qualifications are needed to launch a successful attack, Pedanov said, which means that cyber-crime is becoming scalable.
Traditional cyber-crime, such as stealing personal data or infecting cars with ransomware, was also on the rise in 2022. In addition, politically motivated incidents have been increasing since Russia invaded Ukraine, adding to the damage done to automakers. As TU-Automotive reported in March, Toyota had to temporarily shut 14 of its Japanese production sites after its supplier Kojima Industries was attacked by a group of hackers, an attack that many cyber-security experts believe was a reaction to Japan’s decision to impose further sanctions on Russia.
Security-by-design paradigm
On the other hand, the surge in cyber-attacks would not be possible if companies fully embraced the security-by-design paradigm, Ponomareva said. Too often, however, they rely on the outdated practice of bolting cyber-security features on at the end of the development cycle. Today, a typical car contains about 100 million lines of software code written in-house by the automaker, by its Tier-1 and Tier-2 suppliers and by third parties. Each time an update or add-on is installed, rigorous penetration tests must be performed, she said: “Simply put, an anti-virus cannot protect your car.”
As a result, more weak spots are being identified every year, Pedanov said. As of March this year, the MITRE CVE catalogue listed 151 relevant critical vulnerabilities. “In February alone, we determined three previously unknown ones in in-car multimedia systems and head-up units. A number of unregistered vulnerabilities can also be known to hackers.”
Attacks on infrastructure
For 2023, Pedanov predicted a wider range of attack vectors: “Increasingly, the infrastructure around cars will be under threat including BEV charging networks. We also expect that the next big area that hackers will come for will be V2X.”
A local charging-station manufacturer confirmed by phone that cyber-attacks on charging infrastructure do happen from time to time, so most charging service vendors are aware of the threat. “I think all major service providers have security departments qualified to carry out the necessary procedures including penetration testing,” said Maxim Politov, director of development at Corporation PSS. “Do we still need to raise the level of protection? Yes, we do, because, if the stakes are high enough, it would be a difficult task to stop the hackers.”
Having worked closely with BEVs operating on the roads, he was concerned that many vehicles have inadequate levels of security, making them easy prey for criminals: “I agree with Kaspersky that automakers should be more concerned about it. Some cars are virtually open to remote access. Unlike ICE-powered cars, EVs are computers on wheels that need to be rebooted each time the operating system crashes. That is why the security systems need a lot of attention.”