Automobile innovation has turned old bangers into sleek, tech hubs on wheels. Yet for all the good that it’s brought about, innovation has led computer-savvy drivers right into the oncoming path of cybersecurity attacks; as found in the recent data of Atlas VPN and Upstream Security.
A steady trend toward connected, autonomous, shared, and electric vehicles has transformed automobiles into mobile computing platforms, lending to a better ownership experience.
However, because of these advances, many new cyberattack vectors have appeared. All of these technologies, including keyless entry, remote start, remote shut down, and mobile applications for cars, can be exploited as intrusion points.
Moreover, automotive cyber-attacks are potentially more harmful than cyber attacks on computer or phone devices since they can physically put the victim in danger.
So, in reality, how concerning are automotive-related cyber incidents? To provide an answer to this question, Atlas VPN points towards the recently published data of Upstream Security. The data analysed over 900 automotive cyber-incidents from 2010 until the end of 2021, revealing that the most common result of auto cyber-attacks is a data or a privacy breach.
According to the findings, nearly 40 per cent of incidents in the past 12 years caused victims’ identities to be exposed in some capacity. Depending on the severity of the leak, information revealed in a data breach can be as simple as an email address or as sensitive as credit card details.
Perhaps more concerning is the second-most common result of an automotive cyber incident: 27.9 per cent of them result in car theft or a break-in.
Many expect top-notch security when purchasing a vehicle with advanced technologies, but cybercriminals can take advantage of those systems.
Control of car systems comes in at third on the list, with 24.2 per cent, meaning nearly a quarter of intrusions enabled hackers to control the majority if not all the functions within the vehicle.
This is also one of the more distressing findings since it can endanger the driver and passengers if they are in a moving car at the time of the incident.
With the introduction of autonomous driving, it is uncomfortable to contemplate how far criminals could take such car-system control take-overs.
Almost a thousand incidents in more than ten years are no reason for drivers to be paranoid. Yet, the worrying fact is that more than 50 per cent of all reported automotive-related cybersecurity incidents took place during the past two years alone.
Most common attack vectors
Whilst the most common results of automotive-related cyber incidents are understood, it’s also worth understanding the road cybercriminals take to carry out these attacks.
There are several attack vectors for connected vehicles. However, some are more common than others. The figures of automotive cyber incident attack vectors are depicted in the graph below.
Over 40 per cent of cyber attacks were carried out by hacking into the servers. While it might not seem like a big deal at first glance, hacking into OEMs’ servers is significant.
Most OEMs’ servers are in charge of command and control services. This means they can operate vehicle operations remotely by sending commands like “lock” and “unlock” to a car’s doors, starting the engine, and more.
As a result, if these servers are hacked, drivers and passengers may be at risk.
Moving on to the next most common attack vector, we see keyless entry or key fob at 26.3 per cent.
It’s not surprising that fraudsters focus on methods that provide entrance into the car since their attacks are nearly always financially motivated. Even if they are unable to steal the vehicle itself, they can run off with car equipment or the victims’ personal belongings.
In the third spot on the list of most common attack vectors, we see Electronic Control Units (ECUs) and Telematics Control Units (TCUs) at 12.2 per cent.
While ECU is self-explanatory, TCU refers to the embedded system on a vehicle that connects it to the telematics server, enabling vehicle tracking, telemetry collection, remote commands, and additional services.
Mobile applications (7.3 per cent) and infotainment systems (5.7 per cent) also make the top five list of the most common intrusion points into connected vehicles.
In the words of Jaguar Land Rover CEO, Sir Ralf D Speth: “In a connected world, cybersecurity is as fundamental to your safety as the brakes.”