While speeding toward a connected vehicle future, we must prepare for enormous attack surface

Cars are part of our lives, no matter where we are in the world. Thus, as an ecosystem of connected vehicles takes shape, we must prepare for threats from cybercriminals, terrorists, nation states, and others seeking to abuse connected car technology, Trend Micro says.


Cybersecurity company Trend Micro announced this week the release of a major new study into connected car security that describes multiple scenarios in which drivers could encounter attacks that threaten the safety of themselves and others.

More than 125 million passenger cars with embedded connectivity are forecast to ship worldwide between 2018 and 2022, and progress continues towards fully autonomous vehicles. This advancement will create a complex ecosystem comprising cloud, IoT, 5G and other key technologies. It also features an enormous attack surface comprising potentially millions of endpoints and end users, Trend Micro said.

As the industry develops, there will be multiple opportunities for monetization and sabotage for cybercriminals, hacktivists, terrorists, nation states, insiders and even unscrupulous operators, the report warns. 

Of all 29 attack vectors studied, the overall risk of successful cyberattacks was assessed as Medium. However, as SaaS applications become embedded in the electrical/electronics architecture of vehicles and cybercriminals create new monetization strategies, an evolution in attacks will lead to higher-risk threats, according to the company.

The report reveals the scope of the cybersecurity risks examined. Researchers evaluated 29 real-world attack scenarios according to the DREAD threat model, which evaluates how great the damage is to assets; how easy the attack is to launch and replicate; how easy it is to find an exploitable weakness; and how many users might be affected. These attacks could be launched remotely against and/or from victim vehicles, Trend Micro said. 

According to the company, the findings of the report include:

- DDoS attacks on Intelligent Transportation Systems (ITS) could overwhelm connected car communications and represent a high risk.

- Exposed and vulnerable connected car systems are easily discovered, putting them at higher risk of abuse.

- Over 17% of all attack vectors examined were high risk. These require only a limited understanding of connected car technology and could be accomplished by a low-skilled attacker.

"Our research shows that there are ample opportunities for attackers looking to abuse connected car technology," said Rainer Vosseler, threat research manager for Trend Micro. "Fortunately, there are currently limited opportunities for attacks, and criminals have not found reliable ways to monetize such attacks. With the UN's recent regulations requiring all connected cars to include cybersecurity, as well as a new ISO standard underway, now is the time for stakeholders across the industry to better identify and address cyber risk as we accelerate towards a connected and autonomous vehicle future." 

To protect connected cars, Trend Micro recommended the following:

- Assume compromise and have effective alert, containment, and mitigation processes.

- Protect the end-to-end data supply chain across the car's electrical/electronics network, the network infrastructure, backend servers, and VSOC (Vehicle Security Operations Center).

- Apply lessons learned to further strengthen defenses and prevent repeat incidents.

- Relevant security technologies include firewall, encryption, device control, app security, vulnerability scanner, code signing, IDS for CAN, AV for head unit, and much more.