In January, a teenager in Germany found a vulnerability in third-party software that let him remotely start 25 Teslas in 13 countries, find their locations and determine whether anyone was in the car.
He then was able to access owners’ emails. Hacking an iconic Tesla is way cooler than cracking into some corporate database, right? Luckily, David Colombo is a security researcher, not a criminal. Cars are an attractive target and they’re vulnerable. Researchers have identified vulnerabilities in connected cars for half a decade or more.
While cyber-security has become a strong focus for automakers and their partners, the threat remains high. UN Regulation No. 155 for wheeled vehicles, promulgated in March 2021, identified 69 potential vectors of attack that manufacturers are required to secure. Numaan Huq, senior threat researcher at Trend Micro, says his team has found even more.
One example is cameras and image processing, especially for autonomous systems. He points out that simple hacks such as putting a sticker on a speed sign can confound an AV’s ability to function correctly. “If you have a fleet of vehicles mostly relying on image processing, you’ll have problems,” Huq says.
Lessons from IT
“The car is transforming from a standalone device to a supercomputer with wheels connecting to backend systems and communicating in real time. This is very similar to when computers came out and began to connect to the internet. Just as computer applications eventually moved to the cloud, it’s similar with connected cars. So, we can definitely apply what we’ve learned from the IT world,” says Yurika Baba, solutions manager for Trend Micro.
Securing everything from the vehicle to the cloud to the factory to customer databases is a huge and gnarly task. Huq says that the most critical areas, which are not the low-hanging fruit, are denial-of-service attacks, hosted third-party software like that shown in Colombo’s demo, attacks that reach the car via back-end servers, and vulnerabilities in software and hardware.
Says Baba: “Threat intelligence, how to detect and how to protect, has to be bridged between automotive and IT security. While there are automotive-specific protocols and techniques and procedures, both IT and automotive have to be on the same side.”
Better access models
Another lesson from the IT world is building out access models, according to Yash Prakash, chief strategy officer for Saviynt. Just as IT departments set up different levels of permission and tight credentialing for employees, automakers should consider the different roles that might need access to automotive data or systems.
It’s difficult enough to transfer access from the first owner to the second when the vehicle is resold. Car sharing adds more than another level of complexity. Then, there are all the third parties that might need access: the dealership, independent mechanics, fleet owners, friends and family of the owner, the manufacturer itself.
“If you look at how the entire ecosystem will work and what will be captured, this needs a significantly different architecture. It’s not only about capturing information; it needs to be made available to a much larger audience. Building it for scale and storing different types of information becomes critical,” he says.
Prakash thinks there are many architectural approaches that make sense, including validating access with a secure connection to the cloud, but access needs to be automated and dynamic. There’s also the matter of who owns and operates the database that contains all this information. Someone must implement a scalable identity warehouse that can securely store all the identity information related to a vehicle.
“It will be tricky in the short term to determine who will build out the infrastructure. It could be built by any of the players: cities, car rental companies, fleet owners or car manufacturers themselves,” Prakash says. “An ecosystem is always better, because it allows for sharing of technology and intelligence. It does become a bit of a challenge to get vendors to participate and share but that’s what pushes the envelope for innovation.”
Keeping control of the data and adhering to the various governmental privacy requirements will be key. Prakash thinks blockchain could provide the kind of secure access and information sharing necessary. Access models should be an upfront priority, according to Prakash. “Auto companies should build access models into a vehicle’s design rather than adding them as an afterthought,” he notes.
Taking it to the chips
Security needs to be applied at all layers, says Robert Schweiger, director of automotive solutions at Cadence. “It’s not one dedicated security measure you need to apply. It’s many things you need to apply to protect the car at all levels.”
Customers that design chips are looking for specific security IP, Schweiger says, such as a root of trust system to support a secure boot. Because hardware manufacturers need to apply security measures in parallel throughout the many layers of automotive software, it’s difficult for them to use off-the-shelf technology. They also need tools and methodologies to check whether their systems are secure.
Noting the trend to push as much intelligence as possible to edge devices like smart sensors and microphones, George Wall, director of product marketing for Tensilica Xtensa Processor IP, Cadence, says: “The best way to future-proof your product is to provide programmability but anything that can execute software can be influenced by a malicious actor. It’s incumbent on providers of processor IP to provide security features.”
Threats may come from third-party software applications, as the Tesla hack illustrates. As automakers move to differentiate themselves with entertainment and apps, they’ll need to be able to keep critical software systems safe from not only today’s apps but from the next generation enabled by 5G.
The common approach is to break the car’s internal domains into secure and non-secure, or trusted and non-trusted, but processors must be able to enforce limited access of non-trusted software to only the resources it needs, according to Wall. However, if processors aren’t programmable, they may not be able to handle future needs. “You need programmability to adapt to new algorithms, new technologies and new standards that come around,” Wall adds.
Smart infrastructure, dumb move
Here’s another easy way for attackers to mess things up: Exploiting lapses by third parties such as vendors. Remember when hackers obtained credit card information from Target using credentials from the retailer’s HVAC vendor? Huq points out that municipalities usually hire third parties to install and maintain connected traffic infrastructure. “Sometimes the integrators leave a cellular modem connected to the box so they can troubleshoot it and work on it remotely, and they’re slack about security,” Huq says.
Tampering with the back end
It’s not only the vehicles themselves that are vulnerable. Disrupting automakers’ operational systems can wipe out millions of dollars in profit. In February 2022, Toyota had to suspend domestic operations because of an attack on a supplier, losing production of 13,000 cars. That same month, Nvidia reported a cyber-security “incident” that impacted operations.
While these attacks weren’t confirmed as connected to Russia’s invasion of Ukraine, the US Cybersecurity and Infrastructure Security Agency and the FBI warned businesses to step up efforts to increase their cyber resilience.
Gartner says that, by 2025, criminals will harm or even kill people with attacks on operational technology systems. When Trend Micro set up a fake smart factory as a honeypot, attacks included malicious cryptocurrency mining, multiple types of fraud, ransomware, regular traffic from unknown scanners and unknown commands to ICS protocol ports.
As this honeypot shows, the attack surface for connected and autonomous vehicles is broad and deep, from the automakers’ operational technologies and enterprise systems, through the car and into the streets. The focus for automotive cyber-security will continue to widen.