The top-three carmakers sell only connected vehicles in the United States – and other manufacturers are catching up – creating a massive opportunity for attacks, which black-hat hackers are not overlooking.
(image by Tomasz Zajda, via Adobe Stock)
In 2020, the connected-car market will reach a tipping point, with the majority of vehicles already connected to the Internet when sold in the United States, representing a large base of potential targets for attacks, according to a report released by cybersecurity firm Upstream Security.
The company documented 176 digital, electronic, and cyberattacks aimed at vehicles in 2019, more than double the 78 attacks from the previous year. The incidents ranged from stealing cars by hacking keyless entry fobs to tracking trucks by compromising online fleet services. For the second year in a row, malicious actors conducted more attacks against vehicle systems than security researchers and white-hat hackers, a trend that is unlikely to reverse, says Dan Sahar, vice president of products for Upstream Security.
“The ‘Charlie Miller days,’ where it is only researcher activity — that’s behind us,” he says. “We are seeing hackers with criminal intent now the most significant actor going after vehicles.”
Since 2010, Upstream has compiled data on 388 digital, electronic, and cyberattacks, more than 45% of which occurred in the last year. In April, for example, a hacker found that two GPS services, ProTrack and iTrack, configured accounts with a default password, which many users had not changed, allowing him to access 27,000 accounts between the two services. Access to the accounts reportedly could have been used to remotely turn off an engine, if the car was moving at 12 mph or slower.
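The default-password problem described above is one a telematics or fleet back end can catch on its own side. The following is an added Python example, not code from Upstream, ProTrack or iTrack, and the default value in it is a labelled placeholder rather than the credential from the incident, which the article does not give. It models the weak provisioning flow (every account starts on the same default), then shows the two defensive checks a service owner would want: a batch audit that finds accounts still on the default by recomputing the salted hash rather than trusting a "password changed" flag, and a login gate that refuses to issue a session (and therefore any remote vehicle command) until such an account has set its own password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical provisioning default. The article does not state the real
# value, so this is a labelled placeholder, not the credential from the incident.
DEFAULT_PASSWORD = "DEFAULT-PLACEHOLDER"
PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LEN = 12


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The salt is per account, so two accounts
    sharing the default password still store different hashes; that is why the
    audit below must recompute per account instead of comparing one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def provision_account(username: str, password: str = DEFAULT_PASSWORD) -> Account:
    """Mimics the weak provisioning flow: every new account starts on the default."""
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def uses_default_password(account: Account) -> bool:
    """Detect the default by recomputing the hash under the account's own salt,
    rather than trusting a 'changed' flag that legacy systems often lack."""
    candidate = hash_password(DEFAULT_PASSWORD, account.salt)
    return hmac.compare_digest(candidate, account.pw_hash)


def audit_default_credentials(accounts):
    """Batch audit: usernames still on the provisioning default, for forced reset."""
    return [a.username for a in accounts if uses_default_password(a)]


def set_password(account: Account, new_password: str) -> None:
    """Reject the default and trivially short choices; rotate the salt on change."""
    if new_password == DEFAULT_PASSWORD:
        raise ValueError("new password must differ from the provisioning default")
    if len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new_password, account.salt)


def authenticate(account: Account, password: str) -> str:
    """Login gate: 'denied' on mismatch; 'reset_required' when the correct
    password is still the default (no session, no vehicle commands); else 'ok'."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        return "denied"
    if uses_default_password(account):
        return "reset_required"
    return "ok"


def build_sample_accounts():
    """Constructed sample data: one account never changed from the default, one
    properly changed, and one whose hash was written by a legacy path that
    skipped set_password's checks (so only a hash-based audit catches it)."""
    never_changed = provision_account("fleet-alpha")
    changed = provision_account("fleet-beta")
    set_password(changed, "correct-horse-battery")
    reverted = provision_account("fleet-gamma", "correct-horse-battery")
    reverted.pw_hash = hash_password(DEFAULT_PASSWORD, reverted.salt)  # bypassed set_password
    return [never_changed, changed, reverted]


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print("force reset:", audit_default_credentials(accounts))  # ['fleet-alpha', 'fleet-gamma']
    print(authenticate(accounts[0], DEFAULT_PASSWORD))           # reset_required
    print(authenticate(accounts[1], "correct-horse-battery"))    # ok
    print(authenticate(accounts[1], DEFAULT_PASSWORD))           # denied
```

The audit is deliberately hash-based: a "password changed" column is the obvious shortcut, but it is exactly the kind of metadata that bulk imports, support tooling and migrations leave wrong, and an account that was "changed" back to the default is as exposed as one that was never touched. Gating the session at `authenticate` rather than at the vehicle-command endpoint keeps a defaulted account from reaching any of the back end's functions, including the engine-immobilizer path the article mentions.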
The weak passwords were found by a white-hat hacker, but, increasingly, breaches and attacks are fueled by criminals — 57% of attacks are malicious, Upstream found. In one criminal attack, a video shows car thieves stealing a Tesla in less than 30 seconds using a keyless-entry bypass. In another, nation-state attackers linked to Vietnam stole information on 3.1 million Toyota customers.
While attacks that take down entire fleets of cars are theoretically possible, most attacks have focused on crimes that have a payoff in the end: either the theft of the vehicle, as in the Tesla case, or the accessing of consumer information, as happened to Toyota, says Sahar.
“What will likely continue to happen are attacks more in the lines of service disruption,” he says. “Less about threatening human safety but still cause them to feel the impact. Companies that can no longer turn on the engines across their fleet of trucks, for example. Or consumers not being able to unlock their cars in the morning.”
The surge in incidents, which more than doubled in 2019 from the previous year, is due to the proliferation of connected and embedded systems in vehicles as well as the research that has laid the ground for many of the attacks.
When two researchers — Charlie Miller and Chris Valasek — demonstrated in 2015 that a Jeep could be hacked while it was going 70 mph on the highway, connected cars were still relatively rare. That’s set to change.
Already, the top-three carmakers in the US — GM, Toyota, and Ford — plan to sell only connected cars this year, according to a report by the nonprofit Consumer Watchdog. Those three companies account for more than half of the cars sold in the United States. Other car manufacturers are on track to have 100% of their vehicles connected to the Internet within the next five years.
Most attacks focus on the keyless entry system (30%), the application servers behind the service (27%), the mobile application for the service (13%), or the onboard diagnostic port that mechanics use to service the vehicle, according to Upstream’s report. Keyless attacks, which let thieves drive off with a car, are an easy way to monetize a vulnerable system, but because the technique requires proximity, each attack affects only a single car at a time. Server attacks, by contrast, could affect millions of cars, Upstream stresses.
“When someone gains access to a telematics server, they then have access to everything connected to it, including apps, data, and all the connected vehicles,” the company stated in its report. “This can lead to multi-vehicle or fleet-wide attacks, which are extremely risky to all parties involved, from OEMs to telematics service providers, and companies who manage fleets to the drivers themselves.”
Because there is little that consumers can do to secure their cars, the manufacturers have to step up. They have done so somewhat slowly. The industry created its own information sharing and analysis center in 2016, and many companies have started paying for vulnerability information. Tesla kicked off a bug bounty program in 2014. General Motors followed suit in 2016, Toyota in 2018, and Ford just last year.