The auto industry’s digital transformation is causing its cyberthreat exposure to grow in parallel, according to a newly released report.
VicOne’s annual Automotive Cyberthreat Landscape report detailed how more than 40% of data breaches targeted third-party providers of services and diagnostics, and suppliers of automotive components. This includes manufacturing companies and providers of services or logistics, as well as part makers, it said.
“Most connected vehicles link to OEM or third-party cloud services to access services and data,” the report says. “While this design architecture appears logical and essential, it also introduces new challenges.
“In a blog post published in January 2023, Sam Curry, a web application security researcher, and his team demonstrate how they were able to access the back-end cloud infrastructure of different OEMs by exploiting vulnerabilities in their telematics systems and APIs. In the case of Mercedes-Benz, they discovered a publicly accessible website built for vehicle repair shops that wrote to the same database as the core employee LDAP (Lightweight Directory Access Protocol) system.”
By registering to that site, the team managed to gain limited access to “sensitive” employee applications, the report added.
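To make the architectural point concrete, here is an added Python model of the pattern the report describes: a public self-service registration portal and an internal employee application that share a single identity store, so an account created through the public path is indistinguishable, to a naive check, from an employee account. This is illustrative code written for this article, not code from VicOne, Mercedes-Benz or the researchers; the usernames, role names and `source` values are constructed. It shows the weak authorisation check beside a hardened one that requires provenance from the employee directory plus an explicit role, and an audit that flags publicly created accounts holding internal roles.

```python
from dataclasses import dataclass, field

# Assumed role names for this illustration; they are not taken from the report.
INTERNAL_ROLES = {"employee", "admin"}


@dataclass
class IdentityStore:
    """One backing store serving both the public portal and internal apps (the risky design)."""
    users: dict = field(default_factory=dict)  # username -> {"source": str, "roles": set}

    def add(self, username, *, source, roles):
        self.users[username] = {"source": source, "roles": set(roles)}

    def get(self, username):
        return self.users.get(username)


def public_portal_register(store, username):
    """Self-service registration: anyone on the internet can create an account here."""
    store.add(username, source="public_portal", roles={"repair_shop"})


def shared_store_internal_app_allows(store, username):
    """Weak authorisation: 'the account exists in our directory' is treated as 'is an employee'."""
    return store.get(username) is not None


def hardened_internal_app_allows(store, username, required_role="employee"):
    """Authorise on provenance and role, so self-registered accounts never qualify."""
    rec = store.get(username)
    return (rec is not None
            and rec["source"] == "employee_directory"
            and required_role in rec["roles"])


def find_cross_realm_accounts(store):
    """Audit guardrail: accounts created through the public path that hold internal roles."""
    return sorted(u for u, rec in store.users.items()
                  if rec["source"] == "public_portal" and rec["roles"] & INTERNAL_ROLES)


def demo():
    store = IdentityStore()
    store.add("alice", source="employee_directory", roles={"employee"})
    public_portal_register(store, "external-shop-01")
    # Constructed misconfiguration: a portal account granted an internal role by mistake.
    store.add("shop-02", source="public_portal", roles={"repair_shop", "employee"})
    return {
        "shared_lets_external_in": shared_store_internal_app_allows(store, "external-shop-01"),
        "hardened_blocks_external": hardened_internal_app_allows(store, "external-shop-01"),
        "hardened_keeps_employee": hardened_internal_app_allows(store, "alice"),
        "hardened_blocks_misprovisioned": hardened_internal_app_allows(store, "shop-02"),
        "audit_flags": find_cross_realm_accounts(store),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The membership-only check is what turns a repair-shop registration into a foothold on employee applications; the hardened check and the audit are the two controls a defender would add even before splitting the stores, which is the cleaner fix.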
“The automotive industry is not immune to the same issues that plague cloud services in the IT industry,” it said. “However, in comparison, the automotive world is not adequately prepared to properly address these problems.”
According to the report, there has been a “substantial number” of common vulnerabilities and exposures identified since 2019: more than 200 each year, and more than 200 in the first half of this year alone. VicOne said these figures indicate an increased focus on automotive cybersecurity in recent years.
“As vendors venture into the realm of SDVs [software defined vehicles], this innovation radically transforms the automotive ecosystem and expands the ways vehicles can be used,” the report said. “However, this advancement necessitates enhanced security measures to ensure vehicle safety. A prominent example of this is vehicle data and the expanding automotive data ecosystem, which highlight a gap in definitive guidelines and regulations for securely handling this facet of the automotive industry.
“The introduction of new features often broadens a vehicle’s potential attack surface. For the automotive industry, especially, further innovation should be tempered with a strong security stance.”
Meanwhile, a bill introduced to the Massachusetts legislature seeks to broaden access consumers and owners have to their vehicle data.
Rep. Daniel J. Hunt (D-District 13) introduced the bill last week. The bill, called the “Access To Motor Vehicle Data Act,” would, if passed, be added under the same chapter as automotive repair legislation. Part of the automotive repair legislation, called the Data Access Law, was approved in 2020 by a voter referendum as part of the growing “right to repair” movement, which claims vehicle owners and independent repairers don’t have access to the information and tools necessary to make proper repairs.
The law requires OEMs to create and implement an onboard, standardized diagnostic system anyone could access with or without OEM permission. The new proposed chapter is seemingly an extension of that.
Regions like Maine, Maryland and Quebec, Canada have pushed for more companies to have access to data, but studies such as the one released by VicOne appear to indicate that broadening that access could compromise private data.
It aligns with an objection “right to repair” opponents have raised for years: that sharing more data makes it more vulnerable to cyberattack.
In 2020, an MIT Center for Transportation research scientist with more than 30 years’ experience in vehicle research sent a letter to Massachusetts lawmakers, urging them to reject the state’s proposed expanded “right to repair” law, House Bill 4302.
“What worries me the most is that the bill will accelerate society toward a major cyber terrorism threat,” Bryan Reimer wrote in his letter of opposition to the bill. “As a 2019 FBI report notes, ‘The automotive industry likely will face a wide range of cyber threats and malicious activity in the near future as the vast amount of data collected by Internet-connected vehicles and autonomous vehicles become a highly valued target for nation-state and financially motivated actors.’
“Billions of dollars are being invested worldwide to harden vehicle systems to cyber intrusion. The ballot question proposes to allow third parties remote access to vehicle systems as vehicles drive down the roadways. To be clear, this is not simply collecting data from the vehicle, the ballot question specifically allows commands to be sent to the vehicle (Line 31). This bi-directional, open access model could be an open invitation to cyber terrorism.”
He added that if the legislation were to pass, independent repair shops could also become a cyberattack target.
“An environment where repair shops utilize the same internet connected tools to work on many different vehicles is the perfect arrangement to deliver and spread a ransomware virus to many vehicles,” Reimer said. “Let’s not forget that while this legislation excludes ambulances, it includes both police and fire apparatus. Any consideration of this legislation that does not seriously consider these possible externalities is simply a failure of imagination, something of which nation-state actors cannot be accused.”
VicOne’s report found that more than 90% of automotive cyberattacks were not aimed at automakers, but instead at third parties (41.3%), dealerships (16.1%) and suppliers (33.6%).
“In our analysis of the threat landscape, we noticed that the losses from cyberattacks in the first half of the year exceeded US$11 billion, marking an unprecedented surge compared to the last two years,” said the report. “A closer examination reveals that these cyberattacks predominantly targeted automotive suppliers, indicating a rising trend…. Attackers often find it difficult to penetrate well-protected companies, so they target less vigilant firms instead.
“But OEMs are affected all the same, because of the supply chain disruptions. Consequently, defending systems against cyberattacks is no longer just about securing an individual firm; it is about strengthening the entire supply chain.”
Max Cheng, chief executive officer of VicOne, said the report underscores the need for the automotive industry to focus more heavily on cybersecurity.
“That is something that must be happening continually—building up the processes, building up the organization, building up the talent, building up the entire system—or you will never be able to implement cybersecurity effectively,” Cheng said. “Now is the time for organizations throughout the global automotive industry to get serious about exploring how to build up their capabilities across the important focus areas that our new report covers.”