As modern vehicles become more connected and autonomous, they also become increasingly vulnerable to cyber-attacks. Hackers can exploit software, hardware, and communication systems to gain control of critical vehicle functions. What challenges await modern cyber security in the field of the automotive industry?

The 21st century has brought considerable advances in automotive technology. The average car produced in 2022 contained tens of millions of lines of code, and luxury vehicles may contain hundreds of millions of lines.  The complexity of features within modern vehicle systems increasingly create opportunities for them to be interfered with. Therefore, cyber security in automotive industry has become as important as in other fields of IT. 

Control and access by wire

Today’s cybersecurity challenges are not just stealing cars using RFID, copying a critical signal and repeating it on another device. The technology behind it is much more complex and so are the dangers it faces. Some electronic devices use signal demodulation and are prepared with various protection methods to prevent access to direct car connections (CAN, Ethernet, or FlexRay bus) and cloud connections. 

A typical vehicle contains many communication buses, such as CAN, Ethernet, and FlexRay. Given information about the location of wires and interfaces within the car, an attacker can physically access the data passing between control units. Such action allows the attacker to inject messages controlling the vehicle’s behaviour.

Sometimes it gets physical

There are many examples where the methods of attack are not very subtle. Quite the contrary, they seem very primitive. In 2022, thieves successfully attempted to steal a Range Rover by drilling a hole in its tailgate. By doing so, they connected to the CAN bus and transmitted false messages on the network. These messages allowed them to access the car and, simply drive it away. Fortunately for the owner, the criminals forgot to deactivate the GPS tracker, which helped to locate and recover the stolen property. 

This example clearly demonstrates that the basic CAN architecture lacks any security features (the CAN bus was not designed with security in mind). So additional message-protecting mechanisms within the vehicle, such as anti-replay protocols, are necessary.  

Weak spots of subscription models

More car manufacturers now offer new services in subscription models. For example, a driver may pay to activate heated seats only in colder months or increase the performance of headlights when cornering. Each of the features available within the subscription can be easily activated or deactivated. Such a solution presents the opportunity for hackers to access features without payment.

V2X-related dangers

Many reports of vehicle hacking involve physically connecting to the vehicle buses. However, a vehicle may often be connected to an external vehicle-to-vehicle (V2V) or vehicle-to-everything (V2X) network. This may support the subscription features in addition to over-the-air software updates and other drive-time services such as real-time route optimisation or crash notifications.

Manufacturers also willingly connect their vehicles via the V2X infrastructure, designed to enable data exchange with the vehicle for various purposes, e.g. warning another car to change the route because there is an accident or a big traffic jam ahead, so the feature will enable the driver to change to another road saving several dozen minutes. In reality, the driver will lose not only the time but also the car. In the future, with V2X in widespread use, we can expect such attacks without creating faux traffic jams and faux accidents.

The connection between the vehicle and an OEM server or data cloud can allow a hacker to control aspects of a car remotely or access personal data. This extends the role of cyber security in automotive beyond the vehicle and presents a challenge to protect the safety of the drivers. 

How to protect yourself from vehicle cyber-attacks

To maintain maximum safety measures, the manufacturers of modern cars introduce numerous safety features throughout the vehicle’s design, development, and production processes. Cyber security in automotive does not only lie in their hands.

However, drivers can also take steps to protect themselves, such as avoiding unsecured Wi-Fi networks and being wary of phishing scams. Additionally, they should ensure that their vehicle’s software is up-to-date and that any suspicious behaviour is reported to the manufacturer immediately.

About the author

Michal Rokicki

Project Manager