The Top Twenty Unspoken Automotive Cybersecurity Questions And Their Risks
September 7, 2020
As previously mentioned in the Top Ten Unspoken Cybersecurity Risks, there have been two decades of conversation about the increased risk of automotive cybersecurity, a bevy of real-world vulnerabilities unearthed, a new international standard created, companies lining up for the projected $7.67B in business by 2027 and a looming certification that may prevent the sale of some vehicles on various continents. Most of this is progress.
That said, the community needs to mature more on some fundamental questions with a host of underlying risks but, like a teenager, there’s so much growth that maturity becomes difficult. Nearly a trillion connected cars are projected to be on the road by 2030; many current connected vehicles have grown to 15-20 threat surfaces, with new features and connectivity being added; the number of neophyte Electric Vehicle (EV) manufacturers without decades of functional safety design has jumped from two (Tesla and Fisker Automotive) to fifty-four start-ups, including the likes of Rivian, Lucid and Faraday Future; and the world is distracted by other major developments like autonomous vehicles, COVID-19 and stock splits. Meanwhile, the money being quietly gambled by all manufacturers and suppliers without appropriate third-party oversight or assistance stacks up. “Understanding how and when to conduct the full, end-to-end threat analyses and assimilate the learnings into the product development is not easy,” says Thomas Liedtke, Principal Cybersecurity Consultant at Kugler Maag Cie. “New functionality, change requests and defects not only sneak in when Chief Information Security Officers aren’t looking, but typically flashy, new features are prioritized by Marketing over dogmatic, fundamental, functional safety work. The new UNECE certification for cybersecurity will improve this imbalance, but it still does not make prioritization easy to balance growth and safety.”
The unspoken risks need to be spoken.
So here are ten unspoken risks atop the original ten with grouping and comments for the automotive industry to start consuming, discussing, and solving:
Politicians and Lawyers Are Of Little Help
In case you were hoping that governments and the associated law would rush to your defense, there are several issues inherent across the globe:
1. If a government becomes aware of an insecurity, what constitutes the risk level that justifies a recall? There are no clear answers here. Some hacks might not be inherently safety-related (e.g. unlocking doors, lowering windows) but could enable theft and/or create distractions. And history has shown that even within a country, with similar safety impact and scalability – the two variables that should govern reactions – politics might create a recall within 48 hours for one company versus a five-year lag for another.
2. How might politics play a role in international cybersecurity? There are many auto companies that are partially-owned by governments actively involved in international hacking (e.g. China, Russia). Per BlackDuck and other watchdog organizations, 75% of bugs listed in vulnerability databases like the National Institute of Standards and Technology (NIST) were previously exposed on the open, deep or “Dark Web” upwards of a year after the hack occurred, sometimes enabled by a government that wants hackers to succeed. Plain and simple, let’s not be naïve: politics have no universal definition of truth and justice.
3. How long until hackers get caught by governments or stop? Momentarily putting aside the growing number of state-sponsored attackers, few governments catch independent hackers because of near-invisibility. Yes, Kevin Mitnick was a high-profile prisoner for five years, but there are few Kevins in the world. Most hackers are depicted as shrouded, hoodie-laden ghosts for a reason – they are typically unidentifiable.
4. How might privacy laws improve things? Security and privacy are two different things. Some places like California have made great strides in privacy, but cybersecurity regulations are still lagging the EU. Some places like the Far East have little privacy, and hackers are rampant. About all that can be said about the tandem is that poorly implemented privacy can be abused by hackers and help stitch their malicious cloaks of invisibility.
5. What can governments do to enforce cybersecure designs? Unfortunately, both auditing and specifying are very tough. Technology changes daily. Detailed requirements are blueprints for the next hacker. And there are more than 6,000 online criminal marketplaces for ransomware with 75 records stolen every second. Justifying the downstream costs and logistics of thousands of auditors would be nearly impossible for any police force and could easily make the problem worse. The only good answer is upstream: regulating ways of working akin to Europe’s General Safety Regulation mandating the UNECE regulations for all new vehicle types after July 2022 and all new vehicles after July 2024.
Following The Money Isn’t A Happy Ending
6. What hack is worthy of the manufacturer acting sans the government? This answer couldn’t be murkier. Repairing software costs money. Downloads cost money and aren’t 100% reliable – which could create a horrid customer experience – and many still cannot be updated remotely. Even if a vehicle can be remotely reflashed, cellular connectivity is not ubiquitous in every country, so how do vehicles off the grid for long periods get updated? With such a gray business case, updates that don’t directly affect safety are difficult decisions.
7. Regardless of how hard the manufacturer tries, how likely is it that a motivated hacker succeeds at some point? Extremely likely. Given time and motivation, a hacker will succeed. In 2017, The University of Maryland quantified the rate of attacks on internet-enabled computers – which now describes the connected vehicle – as once every 39 seconds. Just like the velociraptors of Jurassic Park, they are poking at the fence to find weaknesses. With that frequency, automakers are just trying to out-secure the competition. The old joke applies here as well: “You don’t have to outrun the bear. You just have to outrun your hunting partner.”
8. Therein, when do automakers stop battling? Stopping would likely result in forfeiting the brand. One automotive executive admitted off the record that the brand that suffers the first fleetwide incident will likely go bankrupt, and no one wants to be that brand. So fighting must endure, but only as long as the marginal business case remains viable.
9. What’s the least automakers can do? As mentioned in the article “Keeping Up With The Joneses’ Cybersecurity”, multiple countries require “state of the art” engineering designs for functional safety. For cybersecurity, the answer to “What security can be legitimately expected” is always changing and not so clear, especially for a functional vehicle built ten years ago. “Due diligence” prior to an exposed, industry hack likely changes afterwards. That said, good engineering practices are the predictable and absolute minimal costs that should be undertaken, and auditing ubiquitously and regularly will become the new norm.
10. How susceptible as an individual am I to the highest-likelihood attack? Won’t they attack a government official? Arguably the most likely attack is a “Denial of Service” (DoS) attack where the vehicles or associated services are made inoperative until some payment is provided. Just like the five most famous DoS attacks, these are frequently pointed at larger providers – which in the automotive realm might be fleet operators, telematics providers or automotive manufacturers – but widespread DoS attacks happen occasionally since individuals quickly justify low re-enablement charges in urgent situations. Realistically, though, Joe Customer pays in the end either way.
11. The automaker has deeper pockets, right? Don’t they have the upper hand regarding business case? Buzz. Let’s start with the fact that cybercrime has been reported as more profitable than the global, illegal drug trade at $600B annually versus $400B. The uneven playing field versus multi-billion dollar corporations has its clearest roots, though, in time and sharing: manufacturers have a fixed launch date and cannot easily share secret sauces with competitors or governments, whereas hackers have no deadlines and can share best practices.
12. What happens if the automotive brand or cybersecurity company fails? The short answer: nobody knows about a defunct automotive brand, but it probably won’t help cybersecurity software get updated long after the brand’s demise. And if the Tier 1 fails, the answer isn’t much different. Yes, automotive manufacturers take over injection molding or stamping tools when suppliers go bankrupt, but taking over cybersecurity software and operations is a stickier wicket since assuredly automotive manufacturers don’t have familiarity, dedicated personnel, etc.
13. Why produce a difficult-to-secure, digital product that might undermine your whole company? In days of old they’d say this one is the $64,000 question, but it’s now more like the $64B question. In all probability, some auto manufacturers will produce a few makes in 2022 for the North American market that cannot be sold in the EU due to inadequate cybersecurity engineering. If they don’t take that risk, they’ll lose those sales to their competitors. If they do, they risk the entire company. It’s no accident that Question #13 is the unluckiest of them all: there’s no good answer here.
Uninformed And Without A Rudder
14. How many hacks have happened to date? The sad truth is nobody really knows the number or risk. Some really good examples of this are the accidental, driveway-video captures of Mercedes, Tesla and Jeep vehicles being individually stolen as quickly as thirty seconds, which suggests the unseen iceberg could be massive.
15. What percent of products have had a full threat analysis that’s been vetted by a third party? Maybe the scariest answer to this question is that it’s unlikely that any given automotive manufacturer knows the answer for its vehicles, let alone a regulator knowing it for the country or region. Yes, some brands require suppliers to have cybersecurity assessments prior to delivery, but that piecemeal requirement has frequently been poorly enforced.
16. How long into your vehicle’s life cycle will it be cyber secure? New hacks are created every day, old computers and tools become defunct every week, and few automotive brands will brag or advertise about ongoing bulletproof solutions since that invites hackers to a quasi-challenge. Therein, cars might be insecure when bought or fully secure decades later without means for the public to predict.
17. How does the car get fixed quickly? As previously mentioned, no process for reflashing is 100% reliable. Additionally, few manufacturers have reliable, constantly-updating, 24x7x365 monitoring systems for entire fleets with every buildable combination for managing operations, risk and updates. So how quickly does a given car get fixed? Good question.
18. Can you protect yourself? There’s no clear rating system akin to the 5-Star Crash Rating since, once again, that would paint a target on a brand’s metaphorical back, and an “upgrade” will likely never be offered since customers expect cybersecurity to be automatically upgraded at no additional cost.
19. What if I simply avoid autonomous vehicles? As shown by Miller & Valasek, hackers can take control of non-autonomous cars, so the fascination or misunderstanding that autonomy and susceptibility are perfectly linked is misguided. Yes, the increases in autonomy will equate to more attack surfaces and fleets being operated (thereby increasing the scalability of DoS attacks), but plain and simple: the threat is already here.
20. What if you aren’t the weakest link? If a neighbor’s car is stolen from the driveway, everyone’s insurance will increase. If a neighbor’s car is hacked on the highway, all surrounding cars are caught in his nightmare. Being the strongest link only helps a given individual so much.
Speaking about issues is the shortest road towards resolution. Understanding the risks, working with experts to resolve them and recognizing that the Justice League can (and does) beat the Legion of Doom are positive ways to work through a difficult situation.
And, of course, nothing beats putting in the hard work.