With automobiles becoming increasingly connected, a variety of attacks are emerging: Car thieves abuse keyless entry systems, hackers find new ways to exploit vehicle components, and fraud targets auto financing, automotive cybersecurity experts said in interviews this week.
In September, for example, New York City police raided a car-theft ring that reportedly stole cars using cloned key fobs based on security codes bought online and encoded into a device by a local locksmith. They also used an aftermarket scanning tool, typically used by mechanics, to reprogram targeted cars' ignitions to make them think all the keys had been lost.
The rise in electronic-enabled thefts is only one unintended consequence of the rapid adoption of connected software in the automotive space, says Guy Molho, vice president of products for Upstream, provider of cybersecurity services for the industry.
"Auto OEMs are running to provide their customers with a lot of new capabilities, and these are new surfaces for hackers and attack vectors," he says. "That surface area is just going to grow, because it is no longer just a car — it's a software platform on wheels."
Welcome to the future of connected cars. Potential dangers go beyond alleged digital-enabled car thieves in New York City. In the United Kingdom, another group used a device resembling a Game Boy to fool the keyless entry systems and steal more than 30 Mitsubishi Outlanders in less than three months, according to another report.
A variety of other attacks — from ransomware shutting down car manufacturers, such as Renault and Honda, to a white-hat researcher able to take limited remote control of Teslas — indicate the connectivity that allows high-tech cars to provide new features also represents a massive increase in their attack surface. In 2020, 54.6% of such incidents involved a black-hat hacker, while white-hat researchers were involved in most of the rest, according to Upstream data. A small but growing percentage are owners investigating their own vehicles.
And the number of connected cars continues to grow. Currently, about a quarter of automobiles are connected to a network in some way. By 2025, seven out of every eight vehicles will be connected.
"Cyber threats in the automotive ecosystem are especially worrying due to the potential direct impact on road users' safety and security," Upstream stated in its annual "Global Automotive Cybersecurity Report." "Vehicles themselves can be dangerous; coupled with connectivity, the modern vehicle is particularly [dangerous]."
While the best-known security incident involving an automobile is the 2015 Jeep Cherokee hack that allowed Charlie Miller and Chris Valasek to take control of a car, the most common attacks are attempts to compromise servers that host automotive services (40%), attacks using the key fob or keyless entry (25%), and attacks targeting automotive applications for mobile devices (9%). Attacks that target the infotainment system, use the onboard diagnostics (OBD) port, or target a manufacturer's IT network each make up 6% of cases.
Looking ahead, attempts at mass compromise will become more common and thus target components of the connected infrastructure, says Tomer Porat, lead analyst for Upstream.
"The attack vectors will be servers and exploiting vulnerabilities through the IT infrastructure of the OEM," he says. While some of the issues will come from poor design, others will be caused by human error, according to Porat. "Developers often make mistakes, posting sensitive information on GitHub and other public places, exposing the infrastructure."
The auto ecosystem is also rife with financial fraud, says Frank McKenna, chief fraud strategist and co-founder of Point Predictive, a firm that provides tools to combat financial fraud. Fraudsters, consumers, and even dealers often play fast and loose with applications for car loans to ensure they make the sale. About 80% of lending fraud is committed so a consumer can qualify for a car loan; about 20% involves criminals trying to make a profit, McKenna says.
"The minute that a consumer tells you that they make twice as much money as they are actually making, when they start to lie to you on material facts, then that is fraud," he says. "Fraud can cost auto lenders anywhere from 50 basis points to 3% , if a lender does not have good controls."
Finally, the amount of data produced and consumed by connected cars has grown significantly. A modern connected vehicle will generate gigabytes of data per day, which poses a problems for security controls, says Upstream's Molho.
"Cars produce so much data, so most of the connected vehicles have 5G connectivity to support the amount of data," he says. "With over-the-air updates, they are getting new features all the time, and the data keeps growing."