Cyberthreats Increasingly Emerging in Auto Industry

Article By : Egil Juliussen

Automotive players continue to see an increasing number of cybersecurity attacks across a variety of hardware and software access points.

Automotive players continue to see an increasing number of cybersecurity attacks across a variety of hardware and software access points. A column in early May summarized a lot of cybersecurity trends. Most of the data came from Upstream Security and their yearly reports on automotive cyberattacks.

Upstream just released a new report on cyberattacks in the first half of 2022. This column summarizes and analyzes this report and data from two white papers from Upstream.

Automotive industry cybersecurity is much more complex than PCs, tablets, and smartphones. There are multiple reasons for these complexities, ranging from multiple ECUs and access points to smartphone apps that may connect to both vehicle infotainment systems and cloud services.

Cybersecurity is a difficult problem across the auto industry — today and in the future. Cybersecurity standards and regulations for the auto industry are now in effect and will require continuous and extensive efforts by OEMs and suppliers.

The next table is a summary of Upstream’s cybersecurity data for the first half of 2022. I also reviewed Upstream’s database of publicly reported cybersecurity incidents, which had 129 entries from January through July 2022. Using past years’ seasonality, this projects to over 270 incidents in 2022. The data is available as a searchable database.

Upstream identified two emerging cyberthreats and their potential impact on end users, OEMs, and the entire mobility ecosystem. The automotive industry should worry about these cyberthreats and add solutions as soon as possible:

  • Electric-vehicle charging infrastructure. There will be massive growth in public and private charging stations, and everyone is a potential access point for cyberattacks. The interaction with smartphone apps to authorize and manage charging payment adds further cyberattack opportunities.
  • Connected-vehicle software APIs. Connected vehicles and mobility ecosystem with data-driven revenue streams are growing rapidly. They are also increasingly vulnerable to cyberattacks through software platform APIs.

EV charging infrastructure

The charging infrastructure is just getting started and will expand greatly in the next decade. Based on U.S. Department of Energy data, there are over 47,000 charging stations and nearly 118,000 charging points in the U.S. These numbers will double and probably triple in the next decade or so. Other regions will have similar charging station growth.

These charging stations have wired or wireless communications with multiple connections: the customers’ smartphones, EVs, local communication network (usually Wi-Fi), charging network’s cloud platform, electrical infrastructure, vehicle-to-grid (V2G), and likely other future sources. All of this creates new opportunities for cyberattacks.

Upstream included several examples of cybersecurity issues with charging infrastructure that were identified in 2022:

  • January 2022: Seven vulnerabilities were found in multiple charging stations that allow remote attackers to impersonate charging station admin users and carry out actions on their behalf.
  • February 2022: Russian EV chargers were hacked and disabled by a Ukrainian EV charging parts supplier as part of a cyberwar effort.
  • April 2022: An EV charging station in the Isle of Wight was hacked to show inappropriate content, with some EV owners also experiencing high-voltage fault codes, leaving them stranded.
  • April 2022: A new Combined Charging Stations (CCS) attack technique was found, with the potential to disrupt the ability to charge EVs at scale.
  • May 2022: A rise in hacks of EV charging stations occurred, including ransomware attacks against chargers and EV users.
  • May 2022: There was also a rise in black-hat cyber criminals targeting EV charging stations to make money illegally, surpassing white-hat hackers working with stakeholders.

Upstream also listed previous EV charging cybersecurity problems in its EV white paper:

  • A leading organization showed widespread vulnerabilities in all major charging station brands — essentially showing disregard for best cybersecurity practices. All displayed some level of API authorization override capabilities, allowing for account hijacking. Some did not require any level of authorization for software updating, which would allow black-hat actors to install rogue software without requiring network approval. If such attacks were carried out, hackers could inject messages into vehicles with no security barriers to stop them.
  • Poor oversight during software development has led to dangerous gaps in the global charging stations’ cybersecurity capabilities. Corrupt charging stations across brands, countries, or continents can easily infect entire fleets, leading to profound dangers.
  • An advantage of battery electric vehicles is the low-cost charging capabilities at home. Many of these chargers are connected to a home Wi-Fi network. Some of these connected features were found to be vulnerable in a leading brand. By exploiting a vulnerability, hackers were able to disconnect a charger from a vehicle, charge their own vehicle, and even remove the owners as authorized users.
  • Some charging infrastructures have begun deploying V2G capabilities, which allow bidirectional energy flow between vehicles and power grids. During times of high demand, connected charged vehicles provide power to the grid and manage peak surges. In one incident, a shared Open Charge Point Protocol (OCPP) was used by a Java-based back-end server to communicate between charging stations and EVs. The potential risk was revealed with the discovery of the Log4Shell vulnerability in December 2021. This liability could simulate a denial-of-service (DoS) attack whereby thousands of vehicles can either pull or push power into the grid at the same time. Such manipulation of the protocol could overwhelm the system, resulting in damage to critical infrastructure.
  • Each charging station provides potential network access to all affiliated stations. Some locations are very exposed and provide an easy target for black-hat operators to conduct close range or physical attacks.

To monitor and secure the many EV charging risks, the OEMs will need extensive monitoring via a vehicle security operations center (VSOC) of both vehicles and charging stations. Securing EVs and the charging networks will depend on cloud-based monitoring that can understand charging-specific data to identify individual, regional, or widespread anomalies. It is likely that leading charging station operators will require their own VSOC and need to cooperate and coordinate with OEMs and fleet operators.

Connected-vehicle software APIs

Software platforms use application programming interfaces (APIs) for communication, data transfers, and similar operations. APIs sit between applications, sit between an application and a web server, or act as an intermediary layer that processes data transfer between systems.

APIs offer a simple and efficient interface for expanding functionality and improving the connected-vehicle experience. APIs are becoming core tools for new and fast-growing revenue opportunities for OEMs, suppliers, and technology partners. They provide critical points of connectivity to lower software development time and bring together data and services from a broad and diverse range of systems.

APIs present a pathway for agile data access, better digital experiences that can generate new revenue streams. Applications by OEMs and mobility service providers use APIs to interface with ECU-based systems for key utility and functionality. APIs also facilitate the activation of vehicle features and the delivery of subscription-based services, such as remote unlock, remote start, enhanced entertainment, and other features. Protecting APIs from malicious actors seeking access to mission-critical systems and sensitive data is essential and extremely important.

However, APIs can become a liability and pose one of the greatest threats to the emerging connected-vehicle ecosystem. APIs can trigger actions in the vehicle, making hacking a vehicle possible without needing physical access or being in proximity to the vehicle.

Upstream found several automotive API-based vulnerabilities that made headlines in the first half of 2022:

  • January 2022: A white-hat hacker claimed that he had found flaws in encryption protocols of a large EV OEM that allowed him to easily obtain digital car keys to vehicles and unlock doors, open windows, start cars, and disable security systems.
  • January 2022: Another vulnerability was found in the same EV OEM, allowing attackers to open doors of vehicles, start keyless driving, and interfere with vehicle operation during driving using Grafana1 login access to obtain a token for API calls.
  • April 2022: A hacker tried to connect to multiple vehicles simultaneously through an OEM-approved smartphone application without the knowledge of the vehicle’s owners.
  • May 2022: Some U.S. EV owners reported that they had been able to connect to their new vehicles before they were ever shipped using the mobile application.

The number of automotive API attacks has increased significantly despite OEMs employing advanced IT cybersecurity protections. IT-based solutions are struggling to handle the scope and magnitude of vehicle attacks. These solutions may lack the context and understanding of how vehicle ECUs and software behave and operate.

Creating automotive-centric and API-focused cybersecurity is essential to combat growing hacker activities. This will increase API value for OEMs and their suppliers. It will also avoid the safety and privacy risks from exposing critical back-end and web systems. API security solutions tailored specifically for automotive applications must provide the full range of cybersecurity functionality and contextualize vehicle data to understand how APIs are used and when they are suspicious.

Summary

Upstream Security is a great resource for tracking and understanding automotive cybersecurity trends, vulnerabilities, and new risks. It also has a large cybersecurity product and service portfolio of cloud-based cybersecurity solutions.

Upstream’s mid-year report on emerging cybersecurity threats focused on two new dangers: EV charging vulnerabilities and software API liabilities.

The rapidly growing EV charging infrastructure has a large potential for cybersecurity disruption and will require rapid solution development and deployment. The cyber protection of current charging infrastructure is often deficient. Both OEMs and charging network operators need to cooperate to solve these cyber weaknesses.

The API vulnerabilities are also a growing problem — especially because OEMs and their partners are planning to generate revenue streams from apps and software-as-a-service based on API usage.

Automotive cybersecurity remains a difficult problem despite much effort to create large solution portfolios. Cybersecurity regulations are now in effect across regions, with Europe taking the lead. The U.S. still lags in terms of having automotive cybersecurity regulation and legislation.

Hopefully, NHTSA’s Sept. 7, 2022, release of its “Cybersecurity Best Practices for the Safety of Modern Vehicles” will help. It is an update to its 2016 edition. The document describes NHTSA’s guidance to the automotive industry for improving vehicle cybersecurity.

1Grafana is a multi-platform open-source analytics and interactive visualization web application.

 

This article was originally published on EE Times.

Egil Juliussen has over 35 years’ experience in the high-tech and automotive industries. Most recently he was director of research at the automotive technology group of IHS Markit. His latest research was focused on autonomous vehicles and mobility-as-a-service. He was co-founder of Telematics Research Group, which was acquired by iSuppli (IHS acquired iSuppli in 2010); before that he co-founded Future Computing and Computer Industry Almanac. Previously, Dr. Juliussen was with Texas Instruments where he was a strategic and product planner for microprocessors and PCs. He is the author of over 700 papers, reports and conference presentations. He received B.S., M.S., and Ph.D. degrees in electrical engineering from Purdue University, and is a member of SAE and IEEE.

 

Subscribe to Newsletter

Leave a comment