The Connected Car Is The Next Attack Vector

Automotive hacks represent a looming threat for corporate fleets and consumer privacy.

These days, cars are rolling computers. Modern vehicles contain dozens of computer chips that control everything from cabin temperature to braking systems. The software running on these chips features more code—some 100 million lines—than the U.S. Air Force’s F-35 Joint Strike Fighter. But with so many hardware and software components involved in the complex automotive supply chain, connected vehicles can be difficult to secure.

Connected and autonomous cars generate terabytes of data every day, revealing driver locations, driving habits, billing details, and car performance. When people sync their phones or connect to Bluetooth in a car,—whether their own car or a rental,—frequently their call logs, contacts, text messages, music preferences, and even tweets and social media posts are frequently sucked into a car’s data storage. That data can help insurance companies and consumers discern exactly why accidents happen—in dramatic live-video detail.

The dangers to companies that use connected cars are evident as well: Fleets of commercial vehicles could be held hostage, leading to millions in ransom payments and weeks of downtime. An adversary could commandeer a fleet of autonomous vehicles and turn them into a swarm of weapons on wheels.

The treasure trove of highly sensitive data in connected cars requires a whole new level of protection, particularly against ransomware, cyberwar, and other cyberattacks that capitalize on software and hardware vulnerabilities. Corporations need to bolster their autonomous vehicles with the same kinds of risk management systems they use to protect their other IT networks, such as firewalls and intrusion detection systems (IDS), patch management, and threat hunting.

My job as the chief product officer at Tanium centers around helping business leaders defend against emerging attacks on the next frontier of security vulnerabilities. Connected cars honestly keep me up at night. But I am confident that companies and governments will continue to make strides in hardening vehicle defenses.

What companies are up against

Hacking cars and trucks has become downright easy. The world got a wake-up call in 2014 when security researchers were able to exploit a flaw in a car’s cellular connection to remotely kill the engine, cut the brakes, and hijack the steering of an SUV from 10 miles away. And late in 2021, a 19-year-old broke into more than two dozen electric vehicles across 13 countries from his home in Germany. He was able to control locks, lights, and temperature, as well as learn a car’s location and the owner’s email address—both potential commodities hackers could buy and sell.

At the DefCon hacking conference, Tanium’s own Connor Ivens demonstrated how easy it continues to be to break into a car. Ivens and his white-hat teammates were able to steal a car’s sensitive vehicle identification number—legally, of course. (The team failed to deploy the airbags and turn on and off a simulated “cloud car” by the auto-hacking competition’s deadline, although they’re hopeful they will succeed at the next one.)

The SUV hacked in 2014 and more recent breaches have been a serious eye opener for manufacturers and automotive suppliers to take cybersecurity more seriously. But as a host of experts discussed in a recent article, we have a lot to learn about the growing risk of cybercrime following auto hacks.

Where hackers go

Hackers are looking to exploit vulnerabilities wherever money can be gained, whether that’s ransomware attacks on fleets or stealing sensitive data such as customer billing details from EV charging stations. “The general rule is simple: They’ll focus on achieving the highest payday,” Guy Molho, vice president of products at Upstream, told Tanium. Upstream’s security technology is installed in more than 10 million vehicles worldwide.

Ransomware attacks on fleets are the No. 1 concern among researchers. Multiple attacks have targeted the nearly $800 billion U.S. trucking industry over the past few years. Internet-connected and autonomous vehicles are particularly susceptible to exploits because of the daunting complexity of their software systems.

Key fobs, telematics, entertainment systems, and third-party apps are the systems most vulnerable to attack. Also at risk is the entire environment in which vehicles operate, which includes the servers, satellites, and cell towers they communicate with, as well as infrastructure like smart traffic lights, embedded roadway sensors, and charging stations.

Time to defend

Auto manufacturers and suppliers have a lot of work to do to bolster their cybersecurity defenses. Meanwhile, regulators are compelling them to take action.

New regulations from the United Nations Economic Commission for Europe (UNECE) establish cybersecurity performance and audit requirements for all new vehicle types sold in 2022 and all new vehicle registrations starting in 2024. U.S. automakers will need to abide by the rules if they want to sell cars in UNECE’s 56 member states. It’s possible the auto industry may one day adopt a cybersecurity rating system similar to the National Highway Traffic Safety Administration’s safety ratings, allowing consumers to shop for cars based on how well they meet security standards.

Automotive companies will continue to provide updates to their security and other internal software, but it is uncertain how effective those measures will be. Companies that own or operate connected fleets will need to employ the same or better cyber hygiene and patch management as they do with their other digital assets. They will also need to closely watch for emerging threats.

Billions have been invested in connected-car technologies, and there’s no going back to pre-internet days. The entire ecosystem of automotive companies, suppliers, and regulatory agencies now needs to work together to collectively ensure that security takes a front seat in the cars and trucks of the future.