Driven by the promise of new revenue lines and lower production costs, automakers are eagerly transforming vehicles into next-generation application platforms. Increasingly, organizations that manage fleets or have transportation as a core part of their business may opt for “software-defined” capabilities that can be turned on and off over the air, offered on a subscription basis. The bad news is that this new version of smart car ingenuity also increases vehicular attack surface and business risk, experts warn.
Deloitte defines software-defined vehicles (SDVs) as reflecting “the gradual transformation of automobiles from highly electromechanical terminals to intelligent, expandable mobile electronic terminals that can be continuously upgraded.”
This means offering bug fixes and improving safety features such as collision avoidance systems and driver assistance via OTA software updates; offering subscriptions for infotainment systems such as music and video streaming or on-board Wi-Fi access; the ability to activate bells and whistles with the push of a button, such as seat heating or autonomous driving; and, perhaps most interesting for fleet managers, continuous telematics and diagnostics, which enable more effective preventative maintenance.
There are also some unexceptional elements of the SDV revolution: not only do manufacturers have the ability to turn features on and off, but they can also remotely disable the car using an ignition interrupt device when, for example, loan payments are in arrears.
The risk of software-defined vehicles is multi-sided
Of course, all this is very futuristic and convenient, but SDVs open drivers to a plethora of risks that can result in vehicle theft, physical danger, distributed denial-of-service (DDoS) attacks on vehicles via the remote-disable function, subsequent social engineering attacks and more.
The main problem is that this next generation of cars will have fewer platforms and SKUs but more advanced telematics and software interfaces. This results in less rearranging of assembly lines in factories, but a larger code base also means more exploitable vulnerabilities. And with the OTA (over-the-air) capabilities offered by these cars, such attacks could potentially be launched remotely.
In fact, IOActive released a report last year finding that nearly half of all vulnerabilities discovered in 2022 involved network connections, compared to 40% local vulnerabilities and 10% physical hardware flaws. The share of local vulnerabilities has increased, driven by the exponential increase in code volume in vehicle software stacks, the company said.
“In some ways, software-defined vehicles increase the chances of making a mistake,” says Liz James, senior security consultant at NCC Group, a cybersecurity consultancy that performs vehicle cybersecurity assessments. “The more complex your software stack becomes, the more likely you are to have implementation bugs, and now you also have software installed that may never run, which goes against traditional embedded systems advice.”
It’s not just traditional vulnerabilities in question. As cars move to SDVs, they increasingly resemble cloud infrastructures with virtual machines, hypervisors and application programming interfaces (APIs), and with increased complexity comes the risk of failure, says John Sheehy, senior vice president of research and strategy at cybersecurity consultancy IOActive.
“A compromise of the hypervisor completely undermines all the great work that automakers and suppliers have done to create segregation and isolation within vehicle networks between critical and non-critical control systems,” Sheehy says. A compromise of a car’s telematics unit followed by a hypervisor escape, for example, would allow an attacker to control, modify, and manipulate any operations and data in a virtualized electronic control unit (ECU) running on that hardware. “This is an end game for passenger and vehicle safety,” he says.
There is also a privacy risk. Automobile manufacturers collect a wide variety of data from car owners as they operate their vehicles. A proliferation of sensors, microphones, cameras, phones and devices that drivers connect to their cars, car apps, and vehicle telematics allows automakers – including BMW, Ford, Toyota, Tesla, Kia and Subaru – to collect deeply personal data that could be surprising. This includes information on immigration status, race, facial expressions, weight, health and genetic information, geolocation and even in-car sexual activity data, according to a 2023 analysis conducted by the Mozilla Foundation. All this data can then be shared or sold to third parties, often used for marketing.
In February, the Biden administration even warned that such capabilities, in the hands of Chinese automakers, are a danger, as they “could collect sensitive data about our citizens and our infrastructure”.
Automakers promote software-defined cybersecurity
The concerns come as security researchers subject SDV architectures and their supporting infrastructure to greater scrutiny. The consultancy SBD Automotive, for example, has carried out continuous penetration testing over the past three years. It found that approximately a quarter of car vulnerabilities affected off-board vehicle-support infrastructure, such as mobile apps and APIs, while 76% directly affected vehicles, including the in-vehicle infotainment (IVI) system, the powertrain control unit and the gateway to vehicle control systems.
Researchers from the Chinese Internet giant Baidu will present at Black Hat Asia in Singapore in mid-April to discuss critical safety issues they found in self-driving domain controllers used in many smart cars. At last year’s Black Hat USA, cybersecurity researchers demonstrated how they were able to activate some features on Tesla vehicles without paying.
This attention from researchers is giving greater impetus to the safety efforts of automakers. IOActive’s report, for example, outlined changes in the vulnerability landscape that the company has found over the course of six years of vehicle evaluations: Overall, automakers have reduced the incidence of critical and high-risk bugs and made them more difficult to exploit, according to the report.
Software-defined vehicles have fewer critical, high-severity defects and are less likely to be exploitable. Source: IOActive
A long road ahead for SDV security
While the vulnerability trends are good news, automakers and their OEM suppliers still need to focus on creating development processes that prioritize security, says Dennis Kengo Oka, senior automotive security strategist at Synopsys Software Integrity Group.
Specifically, companies need to focus on “designing and implementing security controls into these systems from the start [and] establish secure development processes to ensure secure coding and continuous testing to identify issues early and resolve them,” he says.
NCC’s James also notes that using unique cryptographic credentials for each ECU should be a priority. And to ensure Vehicle-to-Cloud (V2C) functionality, manufacturers should adopt a Zero Trust architecture and operate a security operations center that can detect and block anomalous behavior.
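One way to realize the per-ECU credential recommendation above, added here as an illustration and not taken from NCC Group or the article: each ECU receives a key derived from a manufacturer-held master secret and its own ID, so a key pulled out of one unit cannot authenticate vehicle-to-cloud messages as another. The ECU names, salt, master secret and message layout are constructed assumptions.

```python
import hashlib
import hmac


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK from the secret, then expand it."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def derive_ecu_key(master: bytes, ecu_id: str) -> bytes:
    """Unique key per ECU; only this derived key is provisioned into the unit."""
    return hkdf_sha256(master, b"constructed-salt", b"ecu-auth-v1|" + ecu_id.encode())


def tag_message(key: bytes, counter: int, payload: bytes) -> bytes:
    """MAC over a monotonic counter plus payload, truncated to 16 bytes."""
    msg = counter.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def verify_message(master, claimed_id, counter, payload, tag, last_counter) -> bool:
    """Backend check: reject replays, then verify under the claimed ECU's key."""
    if counter <= last_counter:
        return False
    expected = tag_message(derive_ecu_key(master, claimed_id), counter, payload)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    master = bytes(range(32))  # constructed; a real one never leaves the HSM
    ivi_key = derive_ecu_key(master, "ivi-01")      # key assumed extracted from one unit
    brake_key = derive_ecu_key(master, "brake-01")
    payload = b"diag:brake_wear=12"                 # constructed telemetry record
    genuine = tag_message(brake_key, 7, payload)
    forged = tag_message(ivi_key, 7, payload)       # signed with the wrong unit's key
    return {
        "genuine_accepted": verify_message(master, "brake-01", 7, payload, genuine, 6),
        "forged_rejected": not verify_message(master, "brake-01", 7, payload, forged, 6),
        "replay_rejected": not verify_message(master, "brake-01", 7, payload, genuine, 7),
        "keys_differ": ivi_key != brake_key,
    }


if __name__ == "__main__":
    print(demo())
```

With a single fleet-wide key, the forged message in `demo()` would verify; with derived keys, the compromise stays confined to the unit whose key was extracted.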
Manufacturers must also pay attention to the integrity of their supply chains. If a vehicle manufacturer’s telematics service is compromised by attackers, all vehicles served by that ecosystem are at risk — a significant problem for companies that operate a fleet of vehicles, says IOActive’s Sheehy.
“This type of supply chain attack is a difficult problem to solve,” he says. “In the long term, all high-risk cyber-physical devices, such as vehicles, require a set of supply chain integrity policies.”