The world is now driven by automation, which is facilitated by the internet and its applications. The advancements in the latest technologies have been nothing short of a miracle compared to the mechanical age of a few decades ago. Cars were once considered a luxury, but they have now become a necessity in all major metropolitan and tier 1 cities of the world. The global wave of smart cars originated in the West with the advent of brands like Tesla. The car manufacturer Tesla is known for its advanced safety and automated features. These features extend to the car driving itself, detecting obstructions on the road and braking accordingly.
Tesla case study
The world leader in smart cars has been in existence since 2003 and launched its first car in 2008. Since then it has been working towards fueling cars with green energy such as solar, electric and the like. Tesla has been the flag bearer for bringing automation to the automobile sector and opening the door to IoT-based services in cars. However, Tesla cars have been targeted by hackers quite often. The attacks rose to such an extent that Tesla started a bug bounty program under which hackers are paid for finding vulnerabilities in the car system.
A hacker once hacked a Tesla car using a Wi-Fi dongle. He attached the dongle to a drone and brought the drone within nearly 5 feet of the car. Using his tools, he was then able to connect the car to the dongle, give commands to the car and drive it without a driver for nearly 20 miles. Two years later, in 2016, the same hacker was able to hack a fleet of nearly 15,000 Tesla cars. He hacked into one of the cars and then, using an elaborate modus operandi of cyber attacks, was able to make contact with the main Tesla server named the “MotherShip”, which in turn gave him access to 15,000 cars. These are just a few instances of the best car being hacked, but they make it easier to imagine how vulnerable a smart car is. Such penetration tests are now an integral part of the cybersecurity of smart cars and are carried out by all automobile manufacturers.
Norway is the world’s first country to have the majority of its public transport system running on electric/smart vehicles. As of September 2022, 65% of vehicles in Norway run on green energy, and the nation aims to be completely 100% emission free by 2025, thus becoming the world’s first nation to switch completely to e-vehicles. The Government of Norway has increased the tax on gas-fueled vehicles and has provided a tax exemption for e-vehicles. As the nation moves into the wave of green energy, vulnerabilities and cyber security also need to be given due attention in order to create a protected automobile cyber space. Let us now look at some statistics that showcase the threats and issues faced by smart cars:
- The frequency of cyberattacks on cars increased 225% from 2018 to 2022
- Nearly 85% of attacks in 2021 were carried out remotely, outnumbering physical attacks four to one
- 40% of attacks targeted back-end servers
- 2021 saw 54.1% of attacks carried out by Black Hat actors, up from 49.3% in 2020
- The top attack categories were data/privacy breach (38%), car theft/break-ins (27%), and control systems (20%)
- Keyless entry and key fob attacks account for 50% of all vehicle thefts. Thieves only need to be close to the key fob to pick up and reproduce its signal
- The automotive industry is projected to lose $505 billion to cyberattacks by 2024
The majority of automobile manufacturers have declared that they will switch completely to green energy fuels in the next 5-7 years. These prominent manufacturers include Audi, Mercedes, Jaguar, Lamborghini, Dodge, Ford and many more. Most of these brands intend to go into production of smart vehicles from 2025.
What are the attack vectors for smart cars?
Smart cars have vulnerabilities that depend on their software patch level and cyber security mechanisms. Cyber criminals, however, follow a distinct approach: they try to access the car remotely, then penetrate further into the network of systems and communication, and try to disrupt the whole network in order to cause damage to the maximum number of vehicles. The following are the attack vectors often used by cyber criminals to gain unauthorized access to vehicles:
- Attacks against Telematics Systems – Telematics systems allow vehicles to communicate with a remote center and exchange telemetry data and other information with it. Some car manufacturers already offer their customers telemetry services for remote diagnostics that could prevent accidental crashes and electronic faults. Attackers could exploit vulnerabilities in these systems to interfere with onboard components and modify their parameters to alter the response of the vehicle to the driver’s orders.
- Malware exploits – An attacker could inject tailor-made malware into some car components, modifying their behavior or triggering a Denial of Service condition. A malware program could be injected in different ways, for example using a USB stick inserted into an MP3 reader or through wireless technology (Wi-Fi, Bluetooth, mobile communication).
- Unauthorized applications – On-board computers can download and execute applications and related updates. A threat actor could tamper with these applications to get malicious code executed on the target vehicle. In a classic supply chain attack, hackers could inject the car with a tainted update that, once installed and executed on the vehicle, could allow attackers to carry out malicious activities.
- OBD (On-Board Diagnostics) – Tailor-made software could exploit the OBD-II (on-board diagnostics) port for installation. Once the connector is accessed via the CAN bus, it is possible to monitor every component connected to it.
- Door locks and key fobs – An attacker could emulate the access code used by key fobs and door locks to control the locks and to start or stop the car engine.
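The key fob item above, and the earlier statistic about reproducing a fob's signal, come down to whether the vehicle accepts the same access code twice. The following is an added example, not code from the article or from any manufacturer: a vehicle-side check that accepts each code once, assuming an HMAC-SHA256 code over a press counter, a 16-press look-ahead window, and hypothetical names (`fob_code`, `Receiver`).

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: missed button presses the car tolerates


def fob_code(key: bytes, counter: int) -> bytes:
    """Code sent for one button press: 4-byte counter plus truncated HMAC."""
    msg = counter.to_bytes(4, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return msg + tag


class Receiver:
    """Vehicle-side verifier that accepts each counter value at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, code: bytes) -> bool:
        if len(code) != 12:
            return False
        counter = int.from_bytes(code[:4], "big")
        # Constant-time comparison against the code the real fob would send.
        if not hmac.compare_digest(code, fob_code(self.key, counter)):
            return False  # forged or corrupted code
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # already used (replay) or too far ahead
        self.last_counter = counter
        return True


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, not a real one
    car = Receiver(key)
    captured = fob_code(key, 1)  # code recorded off the air by an eavesdropper
    return {
        "first_use": car.accept(captured),
        "replay": car.accept(captured),
        "next_press": car.accept(fob_code(key, 2)),
        "forged": car.accept((3).to_bytes(4, "big") + b"\x00" * 8),
        "too_far": car.accept(fob_code(key, 2 + WINDOW + 1)),
    }


if __name__ == "__main__":
    print(demo())
```

The check only rejects codes the receiver has already accepted or that fall outside the window; relaying a live fob signal is a separate problem that needs a proximity check.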
Car manufacturers and governments across the world need to reach a common consensus and give vehicle cybersecurity as much importance as any other issue. The policies to achieve zero emissions have been quite successful globally; however, automobile cyber security needs to be incorporated into them. Governments should lay down security requirements, compliance guidelines and policies so that the indigenous population is also protected from such cyber threats. As we move into the age of automation and digitization, it is crucial that we take up these cyber security issues now, while we have the opportunity to stay ahead of the criminals in creating a preventive and secured automobile cyber ecosystem.
Author: Mr. Abhishek Singh, Research Associate, CyberPeace Foundation