The globally connected car market is expected to grow significantly in the coming years as connectivity innovations transform the automotive industry. Application dependencies, connectivity, and more complex and integrated electronics will only increase these risks as the industry transitions to autonomous vehicles. Failure to address these risks can have a devastating impact on consumer trust, privacy, and customer safety.
OEMs have the important responsibility of ensuring the electric vehicles they build remain as safe as possible. By leveraging the collective knowledge of Electrical Vehicles, cyber security specialists like Upstream. Auto, for example, and OEMs can partner to build vehicle systems that are more secure and offer real-time metrics. Aiming to secure the entire electrical vehicle attack surface.
To this end, we have compiled a list of the seven most common vulnerabilities OEMs must address when building electric vehicles.
Network Connection-Related Risks
Cyber threat actors can take advantage of flaws in vendor implementations. Security has frequently been an afterthought in the design of connected cars and their components, making security an easy target for threat actors who exploit flaws in cellular networks, Wi-Fi, and physical connections. Furthermore, connected cars must be able to trust the components and services to which they are linked since connecting to untrusted devices might also result in breaches.
Digital Key Fob Compromise and Subsequent Theft
Digital keys, wireless fobs, and mobile applications have replaced traditional physical car keys, allowing car thieves to gain unauthorized vehicle access. It does this by intercepting the communication between a smartphone or wireless key fob and the vehicle, extending the range of the wireless signal, and using a device that emulates a wireless key to access the vehicle with the owner’s wireless key fob. I can do it. The owner is still nearby if needed. their car. Managing virtual car keys can be just as difficult as managing physical keys if you do not do it right. Key registration, verification of unlock attempts, and, most importantly, revocation must be handled securely.
Violating, and disablement of Critical Safety systems
Threat actors may control security-critical aspects of vehicle operations. For example, by compromising the cruise control system to operate the steering and braking system.
Risks Introduced by Mobile Device Interface Vulnerabilities
As more and more mobile apps are released by manufacturers to communicate with vehicles, they are becoming targets for threat actors. According to Gartner, 75% of mobile applications fail basic security tests. The number of security vulnerabilities in Android and iOS mobile operating systems is also cause for concern.
SEO’s Neglecting the Baked-In Security Requirement
The automotive industry has little historical experience addressing cybersecurity risks, evidenced by the lack of security built into many software and hardware components of first-generation connected cars. Additionally, there seems to be a lack of proper education on secure coding practices. Rigorous security testing is sometimes lacking or executed late in the product development cycle. Also, to reduce component costs, some safety-critical and non-safety-critical functions can share resources. Designing from the ground up in terms of a hostile environment is the only way to build a secure design system that is resilient over time.
Not keeping EV Software and Security Patches up to date.
As new threats and attacks are discovered, the only effective solution is to easily and safely update the platform deployed in the field. Many of these updates are delivered by distributed software, components, and systems that rely on wireless communications associated with personal computers and present unique security challenges to Electrical Vehicles. Patching regimens should be standard practice written into OEM security policy.
Risk of Personally Identifiable Information being Exposed
As the number of sensors in vehicles rapidly increases, threat actors can acquire personally identifiable information from vehicle systems, such as location data, entertainment preferences, and even financial information.
The manufacturers of Electrical Vehicles often rely heavily on third-party vendors to supply systems, software, and hardware components for their vehicles. However, unless OEMs impose stringent cybersecurity requirements on their suppliers, there is a risk of introducing security vulnerabilities through these components. By partnering with an industry specialist in cyber security, an OEM can effectively address these and other cyber security vulnerabilities inherent to electrical vehicles.
John King currently works in the greater Los Angeles area as a ISSO (Information Systems Security Officer). John has a passion for learning and developing his cyber security skills through education, hands on work, and studying for IT certifications.