A three-year study by IOActive’s Cybersecurity Division has found half of vehicle vulnerabilities could allow cyber attackers to take control of a vehicle - and 71 per cent are ‘easy to exploit’.
The research, detailed in a whitepaper, Commonalities in Vehicle Vulnerabilities, is based on real-world security assessments. Technologies which could be exploited include cellular radio, Bluetooth, wi-fi, companion apps, vehicle to vehicle (V2V) radio, onboard diagnostic equipment, infotainment media and Zigbee radio.
The white paper provides a metadata analysis of the many private vehicle security assessments IOActive has conducted since 2013 and includes an analysis of the impact, likelihood, overall risk and remediation of vulnerabilities IOActive consultants have discovered over the course of thousands of testing hours.
According to report author Corey Thuen, senior security consultant at IOActive, there are some idiosyncrasies between sub-categories of automotive and further between automotive and IoT or ICS/SCADA but, in general, these embedded computers are all using the same technologies under the hood. They all suffer from many of the same problems and challenges.
He continues, “The connected car is forcing automotive companies to become much more than automotive companies. They must now be database managers, cloud providers, enterprise network operators, etc., etc. Taking the car into the future means having to learn all of the lessons that Microsoft, Google, or Apple have learned over the past 15 years. The plus side, however, is that along the way these companies documented the bumps and bruises and now there are really great roadmaps and resources for implementing security.”
Jon Geater, chief technology officer,596 Thales e-Security, said: “To help defend against certain cyber-attacks, and protect the integrity of the supply chain, connected components require clear authentication processes. While vehicle OEMs and their suppliers have recognised that cryptographically-based digital signatures provide the strongest form of authentication, this also necessitates the management and protection of certificates and the underlying keys. The rapid increase in connected components has created the need for broad-scale secure key management, supported by a public key infrastructure.
“Adding even further complexity, vehicle-to-vehicle and vehicle-to-infrastructure communications, although first introduced in 2017 production vehicles, will soon become the norm, requiring manufacturers to identify and implement the necessary technologies to protect drivers, passengers and the wider community from cyber-attackers.”
Thuen concludes, “The technologies needed to protect the connected car against cyber attack are already in existence, they just aren’t being utilised.”
The research, detailed in a whitepaper, Commonalities in Vehicle Vulnerabilities, is based on real-world security assessments. Technologies which could be exploited include cellular radio, Bluetooth, wi-fi, companion apps, vehicle to vehicle (V2V) radio, onboard diagnostic equipment, infotainment media and Zigbee radio.
The white paper provides a metadata analysis of the many private vehicle security assessments IOActive has conducted since 2013 and includes an analysis of the impact, likelihood, overall risk and remediation of vulnerabilities IOActive consultants have discovered over the course of thousands of testing hours.
According to report author Corey Thuen, senior security consultant at IOActive, there are some idiosyncrasies between sub-categories of automotive and further between automotive and IoT or ICS/SCADA but, in general, these embedded computers are all using the same technologies under the hood. They all suffer from many of the same problems and challenges.
He continues, “The connected car is forcing automotive companies to become much more than automotive companies. They must now be database managers, cloud providers, enterprise network operators, etc., etc. Taking the car into the future means having to learn all of the lessons that Microsoft, Google, or Apple have learned over the past 15 years. The plus side, however, is that along the way these companies documented the bumps and bruises and now there are really great roadmaps and resources for implementing security.”
Jon Geater, chief technology officer,
“Adding even further complexity, vehicle-to-vehicle and vehicle-to-infrastructure communications, although first introduced in 2017 production vehicles, will soon become the norm, requiring manufacturers to identify and implement the necessary technologies to protect drivers, passengers and the wider community from cyber-attackers.”
Thuen concludes, “The technologies needed to protect the connected car against cyber attack are already in existence, they just aren’t being utilised.”
