By Andrew Boada, Editor at Large
The number of reported incidents of cyber attacks on the global automotive transportation system grew by some 50 percent last year, according to a report issued last month by Upstream Security, a provider of automotive cloud cybersecurity solutions based in Tel Aviv, Israel.
In a 28-page publication entitled “Global Automotive Cybersecurity Report 2019,” the company said the number of reported industry cyber attacks has grown six-fold in the four years from 2015 through 2018. Last year also marked the first time, the company reported, that criminal hacks outnumbered attacks conducted by researchers to test the security of connected vehicles.
Upstream noted that while there were just 60 reported cyber attacks last year, many go unreported. It also said that a single attack can affect thousands of vehicles, companies and consumers and cost more than $1 billion. The report predicts that the number will continue to grow very rapidly over the next three years, as criminal hackers become more familiar with connected systems and the means by which to hack become easier and cheaper to obtain.
“A single cyber hack can cost an automaker up to $1.1 billion today,” the report said. “The total cost for the industry, assuming current trends continue, could reach $24 billion by 2023, at which time Juniper Research predicts the number of connected cars to reach 775 million.”
Fleets: third-leading target
According to the report, there have been 170 automotive cyber attacks over the last nine years, with automakers the most frequent target. They were followed, in order, by Tier One Companies (companies that sell components directly to OEMs) and then fleets, ride-sharing companies, and fleet management companies. Train, car rental, car sharing, and insurance companies as well as auto dealerships have also been targeted.
Until last year, so-called “white hat” attacks by researchers outnumbered “black hat” criminal attacks by far. But in 2018, Upstream said criminal hacks exceeded researchers’ attacks for the first time, and by a wide margin.
Attacks can occur either through physical connections, like the onboard diagnostic port (OBD), or remotely via wireless devices. The report also noted that last year wireless hacks accounted for 91 percent of all black hat attacks. While wireless attacks can be launched from a short range, Upstream said the Internet and mobile phone systems are being used to launch long-range attacks from as far away as another country, raising the specter of possible terrorist attacks.
At least 12 attack entry points
As automobiles become increasingly connected and operate by computerized subsystems, the number of possible access points has increased. Today, according to the report, there are 12 different “vectors” for attacks. The leading vector is computer servers, which accounted for 21 percent of all attacks over the last nine years. That was followed by remote keyless entry systems (19 percent), the OBD port (10 percent), mobile apps and infotainment systems (7 percent each), cellular networks (5 percent), Wi-Fi (4 percent), and sensors (3 percent).
The report also identified the leading impacts of automotive cyber attacks. They included:
• Unauthorized control of car systems (28 percent of all attacks)
• Car theft (22 percent)
• Data breach (19 percent)
• Location tracking (9 percent)
• Service or business disruption (6 percent)
• Driver fraud (5 percent).
The report said the most dangerous attacks are those that take over vehicles’ control systems. “While some introduce low physical risk, such as the unlock system, mainly responsible for theft or damage to the vehicle, others can have a real and devastating impact on human lives,” the company warned. “Think about such features as the brakes, airbags or acceleration of the vehicle. An attack timed to cause the most damage, for example, while the car is in motion, could be catastrophic, and in certain cases has even been shown to be fatal.”
To protect themselves against cyber attacks, Upstream said companies need a robust combination of cloud, in-vehicle, and network security measures. It also warned that Bluetooth connectivity to cars’ infotainment systems has led to owners of used cars gaining access to previous drivers’ private data, including home address, access codes for a garage door opener, and login information. Upstream noted:
“This new category of incidents can be just as devastating as black hat attacks. While the individuals who find these vulnerabilities might not be intentionally malicious, in terms of data privacy, compliance and customer privacy, the consequences are the same [and] your business may be liable” under reigning privacy laws and regulations.
The report can be downloaded by visiting the company’s website, www.upstream.auto