Last updated March 2023
For a century, motorists had one main security concern: a thief would smash the window and steal the car.
Now, they have other concerns.
In the emerging connected car era, thieves don't need to pick locks to take control of the vehicle. They don't even need to be physically present. And they can do more than steal the car.
Think about it for a minute.
Theoretically, they can turn off key functions like steering or brakes or even use the microphone to listen to conversations.
Let's dig in.
The connected car hack
The connected car hack is the regrettable flipside of the motor industry's digitization: if your car is becoming another IoT device, it can be hacked like any other IoT device.
Indeed, the connected car cybersecurity threat is real enough for even the FBI to make a statement about it in 2019.
Since then, a lot of materials have been published on the web. Ars Technica, in particular, reported significant security vulnerabilities in the automotive industry earlier this year, with modern vehicles' connected services being susceptible to hacks.
Though terrorism and sabotage are possible, experts believe financial crime is far more likely.
Andy Davis, Transport Cyber Security Practice Director at NCC Group, says: "Media reports tend to focus on the physical attacks, but most cyberattacks come from organized crime groups – and they want to make money, not kill the general public."
Car hackers can be expected to use the same methods they use against PC users.
Ransomware, for example.
Here, criminals will hack into a vehicle, disable it, and demand money from drivers or manufacturers to relinquish control. Davis says: "You get in the car, and a message on the infotainment system says: 'Send money if you want your car to start.' I can also see hackers stealing ID and card details from cars to sell on the black market."
Why is this?
The sheer number of entry points into the vehicle compounds the car's cybersecurity threat. Criminals can sneak in via telematics systems or even the radio.
They can also hack into the many external devices – phones, key cards – that drivers link to the car's electronic control unit (ECU).
Regrettably, car cybersecurity crimes are now rising.
According to Upstream's Automotive Cybersecurity 2022 report, only 75 annual incidents were reported in 2018; in 2021, that number jumped to over 240 incidents. That is a three-fold jump in automotive cybersecurity incidents in four years.
The findings of this report show that 84.5% of automotive attacks were carried out remotely.
Re-thinking connected car cybersecurity
So, without question, the connected car hack is a huge challenge for the motor industry.
It demands a mental re-think from companies traditionally unaffected by cybercrime.
So, how can the industry fight back?
According to Deloitte, specialists agree the starting point should be 'security by design.'
Car manufacturers must build security from the start rather than patch 'holes' as they arise. Given the hundreds of suppliers producing parts for today's cars, this will require multi-party collaboration.
The process will start with securing the connected car's firmware and software applications (using public key infrastructure, PKI, and other tools).
But it's also critical to encrypt the data transmitted to and from the car, both at rest and in motion.
There's more.
Of course, this security must extend across the life of the vehicle.
For example, manufacturers should be able to disable connected services during shipping and deliver over-the-air software updates to prevent data breaches.
The good news is that carmakers are working hard to address the growing threat against connected car security.
Global carmakers (OEMs) are teaming up with security experts to compete in the new automotive landscape. To ensure trust in the ecosystem, they must deliver a strong cybersecurity framework that meets evolving automotive regulations.
The United Nations Economic Commission for Europe (UNECE) WP29 regulation, adopted in June 2020, is moving the industry in this direction by requiring automotive OEMs to integrate vehicle cybersecurity along the entire value chain.
In other words, it's driving a security by design approach.
End-to-End Cybersecurity for Connected Vehicles
Cybersecurity is complex and quickly evolving. Leveraging advanced and proven expertise in digital security and IoT, the Thales Trusted Key Manager provides car makers with support for digital transformation while ensuring the end-to-end security of the automotive ecosystem.