Cyber-Attack Vectors in the Automotive Sector – Part 2: Data Attacks

In Part 1 of our look at cyber-attack vectors in the automotive sector, we looked at the levels of damage and threat that bad actors could wield against everyone who uses a modern, GPS-guided vehicle by either jamming or spoofing the vehicle’s reception of accurate satellite signals.

Thankfully, that’s a maturing threat, which means mitigation strategies and technology has been in development for some time. And as both vehicles and the environment through which they travel – both roads and roadside infrastructure – gets ‘smarter,’ exchanging data between different vehicles, and between vehicles and the infrastructure, effectively jamming or spoofing an individual vehicle for nefarious purposes is only set to get harder. As such, it’s a threat that’s diminishing fast, and will, with the addition of more technology in our vehicles and roads, one day this century, become too difficult to justify the effort, the time, and the expense.

But with a certain undeniable irony, the move towards greater car-to-car and car-to-infrastructure connectivity and data exchange, while closing down one avenue for cyber-attack, opens up another ever wider. The notion of cars as the subject of data-based cyber-attack would have been unthinkable a decade ago. But we’re moving into an age when a car is going to be in no sense ‘just’ a car. An age when a car is more like a hard drive and digital wallet on wheels. And where there’s data, or where there’s money, the Law of the Nefarious Arms Race will kick in, to make every vehicle on a highway a potential target for the next generation’s equivalent of an email hack.

Connected Cars – Hard Drives On Wheels

The issue of the age will be so-called “connected cars.” That’s a car (or other road vehicle) that sends and receives data as it travels. While at the moment, the US is behind some other nations by percentage of its new vehicles

The Scale of the Field for Cyber-Attack

It’s important not to undersell the scale of this potential cyber-attack problem. While in 2021, only 32% of all American cars were “connected” – sending and receiving data on a regular, if not near-constant, basis – by 2025, that’s set to top 50%. And by 2035, the percentage of new US vehicles that will be connected is predicted to hit 95%. This is a staggeringly rapid expansion of the cyber-attack playing field, expanding from just under a third of all new vehicles to almost all new vehicles with potential data vulnerabilities in under a decade and a half.

And you might wonder how much of a data-threat there can be in a moving car. Every connected car in 2022 can produce up to 25GB of data. Every hour. Admittedly, not all of that will be valuable to potential car-hackers, but the data includes information about the driver, the car, and the passengers.

For comparison and scale, a standard Boeing 787 jet includes around 6.5 million lines of code in its operational programming. A standard connected car in 2019 had around 100 million lines. If you’re fond of number crunching, that’s more lines of code than the 787 and the Large Hadron Collider at CERN. In one vehicle. Multiply that by 95% of the expected 332 million vehicles in America by 2035, and you can forget The Matrix. America’s freeways will be an ocean of code and data, bouncing back and forth like whalesong from vehicle to vehicle and from vehicles to the roadside infrastructure.

The points to note about that are 1) the size and types of the data-targets – both the lines of code and the transmitted data, 2) the relatively unhardened data security that currently comes as standard on vehicles (unhardened so as to keep the cost down, and also potentially to minimize consumer-panic), and 3) the murky responsibility for any code or data hacks.

At the moment, responsibility for ensuring any such hacks are unsuccessful is split between the individual vehicle component manufacturers, the overall vehicle manufacturer, and increasingly, the seller of the vehicle. Wherever there’s a murky responsibility net, relatively unhardened security, and a vast ocean of potential data-targets, you have practically perfect conditions for hackers to play.

Types of Cyber-Attack

As with jamming and spoofing in the case of signal cyber-attack, data cyber-attack comes in two forms. For convenience, we can think of them as code attacks, and data attacks.

Lock The Doors

Code attacks are the things of spy thriller movies or science fiction plots, with the awkward complication that they’re real, and possible, here in 2022.

If you imagine driving down a freeway when suddenly all the door lock, the windows go up, the steering won’t respond to your actions, or the car slams to a dramatic halt (causing the driver behind to ram you) – those are code attacks. The code (hefty as it is) in a connected car is what connects the action of you pressing a button or tapping a screen to the reaction of one or more of the car’s systems, altering their state.

The ’upside’ of these attacks is that they tend to exploit vulnerabilities that are specific to makes and models of vehicle. Hackers couldn’t use a Chevy hack on a Volkswagen’s code – probably. But hackers love a challenge, it’s what gets them out of bed in the early afternoon, and the likelihood is that any especially popular model that launches will be code-hackable fairly soon afterwards – if not, in some cases, before. An additional positive is that as soon as hacks are known about, manufacturers can begin work on patches that can be downloaded to make the vehicle resilient to the particular hack that was used.

100 million lines of code per vehicle. Innumerable functions controlled by the code. By 2035, that’s going to be a lot of patches – always assuming the code hackers don’t go the way of supply chain hackers and start hacking the patches awaiting download, so the seeming solution is actually riddled with further hacks.

This is a fascinating cybersecurity arms race in terms of the technology industry and the inevitability of connected cars. It’s just not that reassuring when you’re driving your family to Disney World.

The point about code attacks though is that they’re more interesting from a technology research point of view than they are from a hacker’s perspective. Yes, technically, with the right code-hacks, you could lock the windows and doors, immobilize the steering, slam on the gas, and drive a happy family of Disney fans off the road and into a ravine.

But why would you? Where’s the money in it? Ideological terrorism may have a use for this kind of code-hacking, but frankly once you’ve flown planes into buildings, going one car at a time is far too labor-intensive to be worth the effort.

Drive and Deliver

The much more likely epidemic of hacking that connected cars could bring is the quieter data hack. Think of it as the most discreet highwayman the world has ever encountered.

Connected cars use apps to deliver their functionality. Apps – as you’ll know if you’ve ever owned a smartphone – retain a lot more data than you’d ever imagine necessary to let them perform their functions.

But in a world where connected cars and infrastructure are the norm, more and more data will be stored in the vehicle’s internal network, and crucially, more and more separate devices like your smartphone may be wirelessly connected to the car’s systems. Data on your location, on the bill payer’s address and card details in terms of entertainment purchases, etc, could well be accessible by the drive-by data-thief.

And if you connect your cellphone to, say, the car’s speaker system, what you have there is a wifi extension between the car and all the data you carry around in your back pocket everywhere. Contacts, photos, passwords, etc. Most of the car’s data exchanges would never involve such details – but to a thirsty data-thief, those connections are golden.

Changing How We See Vehicles

The irony of all this of course is that most people are at least ostensibly very data-protective. At home, they’ll install the most impressive data security they can afford on their computer system. But the nature of the connected car is that it’s very data-rich, mobile, and also – it’s your car. No-one has previously had to think of their car as a data-risk, and the attitude has yet to shift, so there isn’t as yet a huge demand for ruggedized data security in vehicles. The connected car changes the very nature of what a car is and mitigation of data-theft from connected cars has yet to mature.

That maturation will come, and the tech industry should take full advantage of the developing market for rugged connected car data security with end-to-end encryption. While the carmakers take the issue seriously, such high security is likely to remain a paid-for add-on for the foreseeable future.

But for the world as a whole to wake up to the need for mature connected car data security, it will take a good number of cases of car data theft on the road to 2035.