Connected car vulnerabilities effectively hand keys over to hackers

Half of the cyber vulnerabilities in connected vehicles could grant an attacker full or partial control of a vehicle, according to a new study by IOActive.

However, around three quarters of vulnerabilities are relatively easily fixed or prevented with “little upfront work”, the researchers suggest.

Car makers have been urged to shift their focus from purely being auto manufacturers to seeing themselves as hardware, database and cloud provider companies.

The research, detailed in a whitepaper, ‘Commonalities in Vehicle Vulnerabilities‘, involved conducting a metadata analysis of the multitude of private vehicle security assessments and other publicly available information.

It revealed vulnerabilities in technologies including cellular radio, Bluetooth, Wi-Fi, companion apps, vehicle to vehicle (V2V) radio, on-board diagnostic equipment, infotainment media and Zigbee radio.

Almost three quarters (71%) of the vulnerabilities could be exploited without much difficulty, with engineering problems found to be the root cause of the top eight vulnerability types.

In terms of potential attack vectors, researchers discovered that 39% of them are related to the network, which includes all network traffic such as Ethernet or web, 16% are related to the cellular network, and 17% were related to the local attack vector.

Corey Thuen, senior security consultant at IOActive, commented that while there some idiosyncrasies between sub-categories of automotive and further between automotive and IoT or ICS/SCADA, in general, these embedded computers are all using the same technologies under the hood. As a result, they all suffer from many of the same problems and challenges.

He said: “The connected car is forcing automotive companies to become much more than automotive companies. They must now be database managers, cloud providers, enterprise network operators, etc.

“Taking the car into the future means having to learn all of the lessons that Microsoft, Google, or Apple have learned over the past 15 years. The plus side, however, is that along the way these companies documented the bumps and bruises and now there are really great roadmaps and resources for implementing security.”

He added that simply by incorporating security industry best practices, up to 75% of the vulnerabilities would disappear.

Sign up to our newsletter

Meet our experts