Cyber Attacks on Connected Cars
‘In the future, customers’ trust in car brands will be measured by how they handle cybersecurity and prevent external attacks,’ says Professor Stefan Bratzel from CAM.
A study titled ‘Automotive Cybersecurity – Consumer Attitudes,’ conducted by the Center of Automotive Management (CAM) in cooperation with Cisco, reveals that cybersecurity has become a key concern for car drivers. Study director Professor Stefan Bratzel from CAM states, ‘For car drivers, cybersecurity is a complex issue accompanied by specific concerns. Manufacturers have significant work to do in this area.’
In this interview, Holger Unterbrink, Technical Leader of the Threat Intelligence team at Cisco Talos, categorises the cyber risks of connected and digitalised cars.
Mr. Unterbrink, there are frequent news reports about cars being remotely hacked and manipulated by cybercriminals. How serious is this danger?
Holger Unterbrink: The good news is that so far, no attacks resulting in physical harm to people have been made public. Successful attacks require extensive specialised knowledge and usually only work with specific car manufacturers. To date, attacks have mainly been limited to proofs of concept (POCs) by security researchers. In the real world, attacks typically aim to steal cars or unlock features without authorisation. In many cases, the primary target is not the car itself, but the manufacturer’s databases and web portals. Nevertheless, manufacturers and suppliers cannot afford to be complacent, as the increasing number of networks and applications is continuously expanding the attack surface. They must implement strict security measures, update them regularly, and communicate these efforts to customers. After all, customers will only invest in a car they plan to use for years if they have sufficient trust in its security.
How much trust do customers have in car cybersecurity?
This is precisely what the study investigated. According to the findings, almost half of Germans fear a cyberattack on their connected car and view software updates as a potential source of manipulation. Nevertheless, more than a third of respondents are confident that car manufacturers are already sufficiently addressing cybersecurity concerns. More than three-quarters of respondents consider this topic to be important.
Where do drivers perceive the greatest dangers?
German drivers consider the manipulation of digital key systems to be the greatest threat, with 46 percent of respondents expressing concern about this. This is followed by the theft of personal data (41 percent) and the manipulation of vehicle functions and safety systems (35 percent). Concerns are comparatively higher among younger drivers and significantly lower among electric car drivers.
Users’ perceptions are entirely justified; in September, a successful hack of the KIA brand was publicised – but this too was carried out by “white hats,” hackers commissioned to find vulnerabilities.
How will the topic of car cybersecurity develop?
With the increasing digitalisation and networking of vehicles through 5G or Wi-Fi, the potential attack surface is also expanding. The use of online services, streaming apps, video conferencing, and payment systems, as well as the charging of electric cars, increases the risk of hacker attacks. The most frequently used online services are smartphone pairing (46 percent) and traffic data for navigation services (39 percent). 20 percent of respondents regularly use smartphone apps from vehicle manufacturers. However, many drivers currently use only a few of the available connectivity functions.
How high is the risk from a data protection perspective?
So far, the risk of personal data being stolen directly from cars is still relatively low. It is more likely that hackers will attack the central database of the manufacturer or a partner. These databases store information and payment data for thousands of customers, making them a more worthwhile target. Accordingly, the central web interfaces are often the target of KeylessGo replay attacks. As a general rule, you should only enter absolutely necessary data when using an online service in your car, as the data is always stored somewhere.
Are data protection and security issues for buyers?
A third of Germans consider IT security so important that their purchasing decision depends on it. However, only 22 percent rate the quality of cybersecurity in connected cars as good. Only 27 percent of respondents believe that car manufacturers provide sufficient data security for vehicles. So far, the perception of the topic has been characterised primarily by information on attacks. These include the theft of vehicles with keyless entry systems (37 percent), hacker attacks on vehicle software, and data theft (17 percent each).
For electric cars, 41 percent of respondents fear risks to data protection when charging at public charging stations. In fact, the charging infrastructure for electric cars has vulnerabilities that enable hacker attacks. This is confirmed by our 'Automotive Cyber Security' study conducted by CAM and Cisco this spring.
What protective measures do end customers demand?
More than half of respondents call for stronger data encryption and regular software updates. This is closely followed by a demand for transparent information about security measures. The automotive industry needs to focus on these areas. Premium manufacturers already use strong data encryption almost across the board - but rarely communicate this effectively. Software updates are also common in current models, but they often occur automatically and go unnoticed by drivers.
Where do you think the greatest dangers lurk?
The greatest dangers remain car theft and the hacking of components such as GPS sensors and cameras. With networked vehicles, there's also the possibility of unlocking features that are normally restricted. However, as most software features require corresponding hardware to be installed, the risk here is usually low. More critical are switched off or manipulated functions, such as deactivated speed and distance warning systems. Manipulated facial recognition can also be used to unlock a vehicle. Artificial intelligence does not yet play a significant role in these threats.
How do you see the future in terms of the security of connected cars?
As the attack surface is constantly expanding, we may see successful attacks on connected cars in just a few years - whether by criminal gangs or state-sponsored saboteurs. Electric vehicles are particularly susceptible to cyber attacks, as a study by Cisco Talos from this year shows. It's difficult to predict the extent to which this will jeopardize the health and lives of drivers. However, car theft and deactivated or manipulated functions are certainly to be expected. A completely new front will undoubtedly open up in the future with autonomous vehicles and their artificial intelligence (AI).
Holger Unterbrink is Technical Leader at Cisco Talos.