23 Apr 2021

Common Connected Vehicle Vulnerabilities

Klara Jordan from BlackBerry discusses vulnerabilities in connected vehicles.

Connected vehicles, which can contain over 100 independently developed components, are difficult to secure due to the multiple vendors involved in their assembly. The sheer number of international entities participating in the automotive supply chain makes enforcing common cybersecurity criteria extremely challenging.

Modern vehicles rely on multiple on-board computers to perform everything from critical system functions to navigation and entertainment. These advancements force car manufacturers to become experts in integrating and developing software. Vehicles are increasingly connecting to the Internet as well, with an estimated 280 million on-road automobiles currently Internet-connected. These factors set the stage for a crisis: automobiles are becoming increasingly interconnected while auto manufacturers scramble to find ways to secure vehicle systems.

Common Connected Vehicle Vulnerabilities

Connected vehicles are susceptible to cyber-attacks ranging from simple data theft to highly advanced system hijacking. Some common vulnerabilities and attack vectors include:

  • Hijacking electronic control units (ECU) to disrupt braking, steering, and engine operation
  • Vehicle compromise through a paired smartphone
  • Vehicle-to-Everything (V2X) and Vehicle-to-Vehicle (V2V) communication vulnerabilities
  • Unintentional data exposure from previously paired devices
  • Over-exposure of personal data (shared with OEMs, rental companies, car manufacturers, etc.)
  • Vehicle vulnerability related to previous owners/renters
  • Reliance on network connectivity for functionality

Securing vehicles from cyber threats becomes increasingly difficult with every additional network connection, electronic component, and software-driven system. Until effective cybersecurity protocols and procedures are incorporated into the design and manufacture of vehicles, modern automobiles are effectively insecure networks.

The United Nations Gets Involved

The United Nations Economic Commission for Europe (UNECE) approved vehicle cybersecurity regulation WP.29 on June 25, 2020. This regulation outlines cybersecurity processes and measures that automobile manufacturers must meet to achieve vehicle type approval from UNECE. The UNECE standards apply to “contracting parties”, which include many E.U. countries, China, Japan, and Korea. The new standards require automakers to:

  • Make efforts to manage vehicle cyber risks
  • Detect and respond to cybersecurity events across vehicle fleets
  • Design systems to be secure throughout the supply and value chains
  • Provide secure software updates to on-board systems for the lifetime of the vehicle

Vehicles that do not comply with these guidelines will not be approved for sale by UNECE. The WP.29 regulations do not instruct automakers on how to implement cybersecurity into their processes. This means automakers and OEM manufacturers will have to work together to find ways to comply with the regulation. Major industry players are working closely with the standards organization to develop a cybersecurity standard, ISO 21434, which takes WP.29 regulations to an implementation level.

While it is encouraging to see the auto industry embracing cybersecurity, the requirement for WP.29-compliant vehicles will not be enforced until July 2024. This delay leaves threat actors years to operate in the largely unregulated and insecure space of connected vehicles.