As the “Internet of Things” revolution continues to accelerate, the connectivity of passenger vehicles is likely to impact average consumers significantly. Today, most vehicle functions including steering, acceleration, braking, and even unlocking the doors are controlled by software that accepts commands from a diverse array of digital systems operating both inside and outside the vehicle. This software contains millions of lines of code, in which there are vulnerabilities that can be exploited by those with ill intent.
FireEye, Mandiant, and iSIGHT analysts reviewed the key threats to interior, exterior vehicle systems, as well as the telematics system. While analyzing the current and potential risks to vehicles, FireEye reviewed published information to assess the threat scenarios, likelihood, and impact. Below are the top five risks created by vehicle software vulnerabilities:
Risk 1: Gaining Unauthorized Physical Access to Vehicles
Close access entry methods that enable unauthorized entry to vehicles are the easiest to conduct and therefore among the most common. They present the most immediate and realistic threat to technology-enhanced vehicles. Many vehicle manufacturers have opted to replace physical ignition systems with keyless systems that utilize wireless keyfobs. Most unauthorized entry methods exploit the wireless communications between the vehicle and the keyfob carried by the driver.
Risk 2: Stealing Personally Identifiable Information
Collecting personally identifiable information (PII) is a high priority for many criminals, hacktivists, and nation state threat actors. Modern vehicles collect significant amounts of PII in the course of their operation and in order to interface with the plethora of after market devices that interface with the vehicle’s operating system. As a result, vehicles can now become an additional attack vector for parties interested in stealing financial information. They could also be interested in accessing pattern of life data—ostensibly innocuous data concerning travel destinations, driving style, and potential speeding or traffic violations. Laws stipulating protection and storage requirements for vehicles are still immature, meaning privacy policies among manufacturers are inconsistent and present vulnerabilities to exploitation.
Risk 3: Manipulating a Vehicle’s Operation Deliberately
Vehicle security researchers Charlie Miller and Chris Valasek demonstrated their ability to hijack the systems of a vehicle while in operation on a St. Louis highway. As vehicles become increasingly connected to the Internet with an ever-growing roster of features and capabilities, we will see an increase in the options available to malicious actors to exploit vulnerabilities inherent in these expanded capabilities.
Risk 4: Using Vehicle Electronic Control Units to Support Malicious Cyber Activity
Today’s average automobile has around 70 ECUs, several networks including WiFi and 4G, and the potential for gigabytes of digital storage. In a practical sense a modern automobile is comparable to a modern computer network that is made up of computers, local and wide area networks (LAN/WAN), and file servers. Malicious activity has continued to follow advances in technology, as we now see with exploitation of mobile devices and infrastructure. It is a plausible extrapolation to consider that cyber threat actors could view the automobile as the next frontier to support malicious activity.
Currently very few vehicles feature the connectivity needed to act as worthwhile command and control nodes for cyber activity. However, as more vehicles are connected to the Internet and other services that all demand greater bandwidth, the possibilities for compromise and hijacking will also rise.
Risk 5: Extorting Victims Through Ransomware Deployment
So far, ransomware has mostly targeted individual users and companies, hoping that ordinary people and firms will pay a few hundred dollars to unencrypt the files on their personal computers. More recently, ransomware has hit hospitals—organizations that may have very little choice to pay if backups are insufficient. Reports indicate some have paid thousands of dollars—in bitcoin—to regain control of their systems. Given this shift in targeting to capture increased revenue, criminals would be incentivized to develop and deploy ransomware to vehicles, given the public’s heavy reliance on vehicles for daily activites, particularly in the United States.
