Cybersecurity should be keeping automakers up at night. They know outdated technology and software vulnerabilities are the low-hanging fruit for bad actors. They also know hackers can get into a car’s system through its diagnostic port or wireless connection to steal personal information, take control of the vehicle and cause an accident, or trick the driver into giving away personal information or downloading malware.
To address these threats, automakers are taking steps to improve cybersecurity, including strengthening encryption protocols, establishing new regulations and laws, and providing regular software updates to address security issues. Yet some industry data shows there is still more work to be done, especially as we move toward an era of software-defined and connected cars.
Commonalities in Vehicle Vulnerabilities
Security services firm IOActive recently published a robust paper called Commonalities in Vehicle Vulnerabilities to help automakers take a closer look at cybersecurity. The findings laid out in their paper are based on a decade of real-world vulnerability data – derived from thousands of hours of specialized testing on transportation and automotive systems – about the cybersecurity threats today’s vehicles face. According to IOActive in the report’s executive summary, the data allows for a wideband analysis between 2012 and 2022 via data points such as the impact, likelihood, and overall risk of the vulnerabilities they discovered.
Samantha Isabelle Beaumont, Principal Security Consultant at IOActive, led the research described in the paper and presented her findings at escar USA 2022 in Dearborn, Michigan. The presentation was well received, and several attendees were interested in the findings from a security-validation and justification perspective (i.e., they were in positions where this research helped them make a point), Beaumont explained in a follow-on interview. Attendees also showed interest in specific trends noted in the research for future endeavors, such as the introduction of EV and software-defined vehicles. “Feedback on the conference presentation was positive, and attendees requested follow-ups regarding certain raw data points such as how vehicle vulnerabilities were classed in risk, and my thoughts in how personally identifiable information will impact high severity findings in the near future,” she said.
In their summary of technical findings, IOActive noted that the proportion of critical-impact vulnerabilities – e.g., the ability for attackers to take control of a vehicle’s systems remotely – decreased by 15 percent from 2016 to 2018. This resulted in an increase in the distribution of medium and low-impact vulnerabilities, which might include errors and deficiencies in the vehicle’s software that are easily exploited to access sensitive information or the ability for hackers to get into a vehicle’s GPS and track its location and movements.
Ease of Finding vs. Overall Risk
According to IOActive, the automotive industry has seen significant growth in incorporating cybersecurity into the design of their systems, such as running data processes with limited privileges to lower the impact of attacks. They also saw a sharp decrease in physical attacks, mainly due to the industry’s attention on remote-based attack vectors (attacks that are executed remotely, through wireless connections). However, they noted a 2018 early warning indicated that the industry was overly focused on the severity of ease of exploitation when they should have been paying more attention to actual risk.
“There was evidence that whilst the likelihood of vulnerabilities was reducing over time, the total risk of the findings was not,” Beaumont said. Together with the raw data, there were strong indications that the findings being fixed were mainly the vulnerabilities which the industry felt were easier to find, rather than the overall risk they presented in impact, she explained. “This is very, very common to see in the industry and is not an observation that is isolated to automakers,” she added. “If anything, this is usually related to business decisions related to available time, budget, and value for money.”
Beaumont noted that with this research, it is not IOActive’s intention to judge why decisions were made. “This paper’s trends and research are factual points that can allude or correspond to other data points to help make these conclusions,” she said.
Newer Classes of Vulnerabilities: By The Numbers
In their analysis, IOActive identified newer classes of vulnerabilities in modern systems. They saw a significant increase in web-related vulnerabilities (+11 percent), followed by vendor-dependency vulnerabilities (+9 percent), and information disclosure (+2 percent). Overall, IOActive noted an increase in vulnerabilities related to web and vendor dependencies, an interim increase in information disclosure, and decreased issues caused by failure to follow the principle of least privilege and vendor backdoors. The trends they observed from 2018 to 2022 indicate what they called a bounce-back effect, with high-effort vulnerabilities decreasing by six percent and medium-effort decreasing by 11 percent, resulting in a major increase (17 percent) of easily fixable issues.
These trends, according to IOActive, are largely the result of new technologies in modern vehicles and supply chain management. “Although the automotive industry is ‘building better,’ there is an evident disparity in the maintenance and harmonization of new and existing systems,” IOActive wrote in their report.
Attack Chaining
They identified what they called explicit emerging threats, including managing the Software Bill of Materials (SBOMs) and third-party vendors. They also noted that in this category, there’s a tendency to hyper-focus on severe threats, potentially paving the way for attack chaining.
I asked Beaumont for more details on this finding. She explained it refers to how the industry is focused on fixing severe threats (think highest issue first) and potentially leaving more medium- and low-risk threats on the table due to the perception that they are not considered an issue. “By themselves, vulnerabilities typically are less of a threat to large systems – however, attack chaining is a concept where a threat agent exploits multiple vulnerabilities in a series to create one exploit that has a larger, deeper, or more significant impact,” she said. “Chaining can be seen as a type of cyber-attack that uses a combination of multiple cybersecurity vulnerabilities in order to achieve a larger goal.” In other words, in absence of one severe threat, a bad actor may consider chaining three mediums or multiple lows to achieve the same goal.
“Security is an effort in depth and breadth, and the industry is presently risking leaving an attack surface open due to the misconception that only severe threats matter in the context of security,” Beaumont said.
Recommendations & Best Practices
IOActive offered automakers these recommendations:
- Automotive vendors and manufacturers should focus on building cybersecurity into the foundation of their vehicles. This includes incorporating cybersecurity requirements and validation into targeted architectures and within the SBOM and hardware.
- It’s important for automotive manufacturers and vendors to focus on critical-risk and high-risk vulnerabilities.
- However, prioritizing all types of vulnerabilities in automotive cybersecurity, including medium-risk and below, is crucial, as attackers will exploit any weakness. Additionally, third-party vendor management and ensuring adherence to cybersecurity principles are essential for overall vehicle security.
“As the complexity of vehicles grow, so do the complexity of threats facing automakers and consumers,” Beaumont said. “Security should be better built into the pipeline for all those involved, as not only would it make it more manageable, it would also better prepare those involved with the costs associated and changes required to keep things to standards.”
I was curious to know what Beaumont felt was the most concerning discovery in this research. “That things are marginally getting worse with the introduction of new technologies, and the industry is struggling to maintain its resources,” she said. “Ultimately a large shift will be needed to enable the industry to work towards ensuring cybersecurity in future vehicles — in a way that doesn’t massively impact the bottom line for OEMs or consumers.”
Beaumont expressed how she hopes automakers take the positive findings from this research (i.e., their improvements) but also understand their work is not over. OEMs must face the next avenue, which is building in security and ensuring a wider approach to address the concerns and trends raised in the decade re-examination.
“From experience, I would like to see the culture of security make its way more positively in engineering processes, so the stress of keeping things secure reduces for the teams responsible for making things work,” she said. “Security is a partnership, and it takes everyone involved to make it a successful endeavor. Unfortunately, I am seeing a lot of software-development practices applied to hardware-development industries, and the mindset does not mesh well with an industry that usually expects to last between one and two decades. Software traditionally has a shorter lifespan, and the two must work together to find a compromise which is financially viable for the future production of vehicles.”
Connected cars are inherently at risk of cyberattack, which means automakers have the enormous task of ensuring road safety with cybersecurity. Beaumont’s thought-provoking findings offered in this paper are an analysis of lessons learned and an opportunity to do better and build better in the years to come.
