2023-01-17
By Callisto Technology ( https://www.callisto-auto.com )
With the development of "electrification, intelligence, and networking" in automobiles, cars have become "networked computers on wheels." Networking and intelligence give automobiles unprecedented capabilities, but they also bring more security threats. Since 2010, more than 1,200 security incidents related to smart cars have been publicly reported, of which 207 occurred in 2020. In 2022, there were nearly 300 incidents, a 49% increase. In 2020, 30 CVEs (Common Vulnerabilities and Exposures) directly related to automobiles were announced, and by December 2022 the number of automobile-related CVEs had soared to 284, an increase of 8 times in 2 years.
Since the beginning of 2022, the Callisto Automotive Threat Intelligence Center has analyzed automotive-related cybersecurity information from the media, academic research institutions, offensive and defensive competitions, social networks, and the deep and dark web. We also studied more than 300 automotive cybersecurity incidents and the related 284 CVEs. The results show that smart cars currently face three major risks:
The digital key has become a new "entry point" for hackers to "unlock" the vehicle. Relay attacks, replay attacks and impersonation attacks are the main techniques.
Intelligent services have become a new "control point" for hackers to "manipulate" vehicles, mainly through leaked identity credentials, abused service APIs, and illegal vehicle upgrades.
ECUs have become the "key" attack surface, where hackers look for firmware vulnerabilities, system vulnerabilities and vulnerable third-party components.
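The report names replay and impersonation attacks among the main techniques against digital keys. As an added example (not from the report or Callisto's own code), the following Python shows how a vehicle-side, nonce-based challenge-response with a shared-key MAC rejects a replayed, stale or forged unlock response; the key id, shared key and 2-second freshness window are constructed assumptions, and relay attacks, which need distance bounding rather than freshness checks, are not addressed here.

```python
import hashlib
import hmac
import os

# Constructed demo values; real deployments keep per-key secrets in secure hardware.
DEMO_KEY_ID = "DIGITAL-KEY-demo-0001"
DEMO_SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


class VehicleUnlockVerifier:
    """Vehicle-side verifier for a nonce-based challenge-response unlock."""

    def __init__(self, key_id: str, shared_key: bytes, max_age_s: float = 2.0):
        self.key_id, self.shared_key, self.max_age_s = key_id, shared_key, max_age_s
        self.pending = {}  # nonce -> time the challenge was issued

    def issue_challenge(self, now: float) -> bytes:
        nonce = os.urandom(16)  # fresh per attempt, so a recorded response is useless later
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce: bytes, response: bytes, now: float) -> bool:
        issued = self.pending.pop(nonce, None)  # single use: a second presentation fails
        if issued is None or now - issued > self.max_age_s:
            return False  # unknown, already used, or expired challenge
        expected = hmac.new(self.shared_key, self.key_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time MAC check


def key_respond(shared_key: bytes, key_id: str, nonce: bytes) -> bytes:
    """Digital-key side: prove possession of the shared key for this challenge."""
    return hmac.new(shared_key, key_id.encode() + nonce, hashlib.sha256).digest()


def demo() -> dict:
    """One legitimate unlock, then a replay, a stale response and a forgery attempt."""
    vehicle = VehicleUnlockVerifier(DEMO_KEY_ID, DEMO_SHARED_KEY)
    n1 = vehicle.issue_challenge(now=100.0)
    r1 = key_respond(DEMO_SHARED_KEY, DEMO_KEY_ID, n1)
    results = {"legit": vehicle.verify(n1, r1, now=100.5)}
    results["replay_same_nonce"] = vehicle.verify(n1, r1, now=101.0)  # nonce already consumed
    n2 = vehicle.issue_challenge(now=200.0)
    results["replay_old_response"] = vehicle.verify(n2, r1, now=200.5)  # MAC bound to n1
    n3 = vehicle.issue_challenge(now=300.0)
    r3 = key_respond(DEMO_SHARED_KEY, DEMO_KEY_ID, n3)
    results["expired"] = vehicle.verify(n3, r3, now=310.0)  # outside the 2 s window
    n4 = vehicle.issue_challenge(now=400.0)
    results["forged"] = vehicle.verify(n4, b"\x00" * 32, now=400.1)  # no shared key
    return results
```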
Download full version of the report: https://www.callisto-auto.com/automotive-cybersecurity-threat-report-2022.pdf
The Threats to Critical Components
Component manufacturers often provide critical components to multiple OEMs, so a component vulnerability may exist on multiple models of different car brands.
The Callisto Automotive Threat Intelligence Center conducted research on more than 700,000 vulnerabilities from the CVE, NVD, CNVD, CNNVD and other vulnerability databases, and studied the 284 automobile-related vulnerabilities in depth. The studies show that these vulnerabilities mainly concern critical components of connected vehicles, cloud services, and electric charging facilities. The critical components include the T-Box, IVI, CGW, ADAS, GPS, airbags, and OBD. Among these vulnerabilities, 148 are related to cloud services. They mainly involve leaked authentication credentials, bypassed authentication mechanisms, and missing API security. Hackers can use these vulnerabilities to remotely control a large number of cars, and sometimes even gain control of cars from different car makers. A further 136 vulnerabilities are related to vehicle ECUs. These allow attackers to use replay attacks, relay attacks, and similar techniques to remotely gain control of car doors, engines, and other components.
The Growing Threats of Intelligent Services
Under new design methods such as "service-oriented architecture" and the "software-defined automobile", the intelligent functions of automobiles are constantly being enriched. These design methods make the functional modules of automobiles more flexible and convenient, and they also facilitate the upgrade and update of vehicle functions such as digital keys, remote car control, advanced driver assistance, adaptive cruise, remote diagnosis and OTA upgrades. These intelligent functions and services have been flexibly installed and configured on models of many brands. However, this new design method also brings security threats. Since the various components of the vehicle depend on each other, the failure of a single component may paralyze the entire vehicle and even endanger the personal safety of drivers and passengers.
Trends and Challenges
Risks follow the exposure of the attack surface and the incentives of attackers. In the foreseeable future, threats that are not yet apparent will gradually surface.
Fleets begin to face unprecedented cybersecurity challenges
Outside science-fiction films, attacks on fleets are rarely seen in reality. However, because such attacks could be highly profitable, they are likely to become frequent and targeted in the future, especially as large fleets are already using "digital fleet" technology to increase business revenue and reduce costs. Hackers may launch attacks and extortion against multiple vehicles by compromising OEM production lines, fleet platforms, or individual vehicles.
Vendors need to take on an increasingly important security role
Suppliers use proprietary and open-source technologies to jointly provide services for car manufacturers. The richer the functions, the more code, and the more risk that comes with it. There is no general method to protect car manufacturers from supply chain threats. However, cybersecurity measures in the supply chain will greatly reduce the cybersecurity pressure on OEMs. Suppliers need to assume an increasingly important role in security.
Widespread use of intelligent driving poses new threats
Although there is still no clear timeline for the commercialization of L4 intelligent driving, L2 has been accepted and widely adopted by drivers. Attacks against the intelligent driving domain will become a new research hotspot. In-vehicle computing platforms with strong computing power, remote OTA, and close integration with the vehicle control domain are bound to attract a large number of network security researchers to the security research on intelligent driving. Vehicle-road collaboration has introduced a new vehicle-cloud communication method, which brings new security risks.
About Callisto Technology
Callisto (Beijing) Technology Co., Ltd was founded by the world's first group of technical experts focusing on automotive cybersecurity. With years of experience in the field of automotive cybersecurity, we start from the perspective of attack and defense and integrate advanced artificial intelligence with a Knowledge Graph engine. By algorithmically analyzing the massive, multi-source, heterogeneous messages, instructions and API services of intelligent connected vehicles, we resist new attacks against automotive manufacturers and supply chains. We provide threat intelligence and defense capabilities for connected vehicles, and protect the security of core automotive assets and intelligent services.
Company: Callisto (Beijing) Technology Co., Ltd
Contact Person: Marketing Department
Email: contact@callisto-auto.com
Website: https://www.callisto-auto.com
Telephone: +86-18511588102
City: Beijing, China; California, USA
Address: Callisto Technology, Haidian District, Beijing