Connected Vehicle Cybersecurity Threats: Part 1

13 Dec 2022

A look at what to expect in connected vehicle trends for 2023

As newer generations of vehicles equipped with network-connected functionality make it to the roads, the opportunity for various types of threat actors grows. Theft, pranks, or even violence are new possibilities that must be accounted for when engineering a new vehicle. This post aims to cover recent cybersecurity research and past cybersecurity incidents involving connected vehicles.

What is a "connected vehicle"? A connected vehicle is commonly known as a vehicle that can communicate bi-directionally outside of the vehicle's internal local area network (LAN). This can be done in various ways, but the most common case is an embedded cellular modem. Despite recent chip shortages plaguing the automobile industry, the number of connected vehicles expected to be on roads in the coming years is forecasted to vastly increase. [1][2][3]

Connected vehicles play a role in every mode of road transportation. This includes consumer cars, public transport vehicles, transport trucks, agriculture vehicles, and emergency service vehicles. There are many use cases for connected vehicles. Consumer cars benefit from adaptive route planning, emergency communication, diagnostic data logging, and semi-autonomous/fully autonomous control. Industry vehicles benefit from many of the same things but also take advantage of position tracking for fleet management. [1]

Connected Vehicle Key Trends

Connected Vehicles Sales

In 2020, 41% of new car sales worldwide were made up of connected vehicles, totaling approximately 30 million. Connected vehicles have shown to be safer and more feature-rich than their unconnected counterparts, which continues to drive up their popularity. This popularity is predicted to only continue to grow: financial research firm "ABI Research" expects connected car sales to reach an annual 115 million by 2025, four times higher than 2020. [3]

Exposed Vehicles

Despite all the functional benefits of connecting a vehicle outside of its internal LAN, it also opens an entire highway of new attack vectors. These include Wi-Fi, Bluetooth, keyless entry, and other vectors, which we will discuss in part 2 of this blog. The additional attack vectors provide more opportunities and options for thieves. Connecting a vehicle to a network also introduces a significant amount of data, data that is usually stored in datacenters, which are also a potential target for attackers. [1]

Incidents

Between 2010 and 2021 there were approximately 512 publicly reported cybersecurity-related attacks on vehicles The root of these incidents was 232 vulnerabilities, all tracked with common vulnerabilities and exposures (CVE) identifiers, and of these, 139 were identified in 2021 alone. This is a substantial increase from the 33 CVE identifiers identified in 2020. Of the 209 CVE identifiers dated from 2015 to now, 36% have a common vulnerability scoring system calculator (CVSSv3) exploitability score of high, 24% medium, 32% low, and 8% very low. [1]

In part 2 of this blog, we'll take a closer look at automotive attack vectors, the motives behind these attacks, and connected vehicle security.

References:

[1] Upstream Security Global Automotive Cybersecurity Report 2022 – https://upstream.auto/2022report/

[2] How many connected cars are sold worldwide? – https://smartcar.com/blog/connected-cars-worldwide/

[3] What Is Connected Vehicle Technology and What Are the Use Cases? –   https://www.digi.com/blog/post/what-is-connected-vehicle-technology-and-use-cases