The Apache Log4j Java-based logging library is used around the world to help applications, websites, and consumer and enterprise services run smoothly by logging messages to a log file or a database.

It had run largely in the background, out of sight and out of mind for most people, until 9 December 2021 when the Log4Shell zero-day vulnerability was released on GitHub. The exploit could allow an unauthenticated remote actor to take control of an affected system.

Some of those systems could include vehicles, which are becoming increasingly connected to original equipment manufacturer (OEM) back-end servers to share collected data and while also becoming more reliant on software to operate, especially electric vehicles. Researchers investigated how Log4j was used in the automotive sector and found that electric vehicle car chargers and vehicle-to-grid (V2G) systems in Europe were at risk.

“The V2G system allows stored energy in car batteries to be redistributed over the grid to help balance demand concerning the production level,” according to Upstream Security’s Global Automotive Cybersecurity Report 2022. “In addition, they found that a car’s [in-vehicle-infotainment] system, which uses a complex operating system, could also be compromised. The researchers showed that by exploiting Log4j vulnerabilities, they could execute attacks on the vehicles and their connected infrastructure.”

Silicon Valley tech companies and vehicle manufacturing powerhouses are moving ahead with plans to develop autonomous vehicles. But the world is a long way from the self-driving car revolution.

Research from the Victoria Transport Policy Institute released in January 2022 found that Level 5 autonomous vehicles—those able to operate without drivers—might be commercially available and street legal in some areas by the later part of this decade, but only for a high cost with limited performance.

“Some benefits, such as independent mobility for affluent non-drivers, may begin in the 2030s, but most impacts, including reduced traffic and parking congestion, independent mobility for low-income people (and therefore reduced need for public transit), increased safety, energy conservation, and pollution reductions, will only be significant when autonomous vehicles become common and affordable, probably in the 2040s to 2060s…” according to Autonomous Vehicle Implementation Predictions: Implications for Transport Planning.

Connected vehicles will comprise nearly 86 percent of the global automotive market by 2025.

Instead, the automotive industry in the midst of a connected vehicle transformation that has major ramifications for security. In its 2021 Automotive Cybersecurity Report, Upstream Security projected that connected vehicles will comprise nearly 86 percent of the global automotive market by 2025. In its 2022 report, the company doubled down, analyzing hundreds of publicly reported incidents of connected vehicle compromise—many carried out without physical access to a vehicle—to build a more comprehensive picture of this emerging and dynamic threat.

Attack Methods

Originally, motorized vehicles didn’t use software to function or to alert owners of an issue. If you wanted to know why your car wasn’t shifting into second gear, you or your mechanic were going to have to get your hands dirty.

Today, that’s not the case. Most modern vehicles come with sensors to collect data and transmit it to their OEM or share it with a mechanic when the vehicle is plugged into a diagnostic system at the service center. This information can help technicians pinpoint an issue and identify potential solutions to fix it. Additionally, sensors collect driving data to make operating vehicles safer—through lane assist, brake assistance, location data, and more.

While this has made vehicles and the act of operating them physically safer, these sensors, connection points, and in-vehicle-entertainment systems all rely on software to function.

“Unfortunately, the other side of connectivity is that this widens the attack surface for hackers to find new attack vectors and exploit every flaw, leaving vehicles, networks, and back-end servers vulnerable,” according to the Upstream 2022 report.

Just like changing the oil and rotating the tires, software also requires maintenance in the form of patches and updates so vehicles can continue to operate without creating vulnerabilities for hackers to take advantage of—which they are doing on almost a daily basis, says Tomer Porat, cyber threat researcher and lead analyst at Upstream.

During the past year, Porat and his team analyzed more than 900 vehicle cyber incidents publicly reported between 2010 and 2021 and monitored Web forums on the Deep and Dark Web to put together Upstream’s 2022 report. One of the striking aspects of their research was the diversity of incidents, Porat says.

In one incident, for example, hackers managed to manipulate a vehicle’s Electronic Control Units (ECUs), embedded systems that control electrical subsystems in vehicles, to manipulate or shut them down—including ECUs that control the power train and steering functions.

“That was amazing,” Porat says, adding that it showed how the researchers could compromise nearly anything in the vehicle by gaining access to one ECU and then moving laterally to shut down others.

And it’s not just personal vehicles. Another incident analyzed by the Upstream team involved hackers exposing vulnerabilities in operating systems used by OEMs for the agriculture industry, which allowed malicious actors to manipulate machinery and take it out of service.

These methods also showcased how attackers are compromising vehicles without having physical access to them. In 2021, for instance, 85 percent of the incidents Upstream analyzed were carried out remotely.

“Every year we see the number of remote access incidents increase; 85 percent only required remote access, which is alarming and big,” Porat adds, especially since more vehicles and infrastructure are being connected. “Once there is a good vulnerability to exploit, hackers will do it. It could be state sponsored actors or bad actors that want to hurt someone—or do something without pure intent.”

Regulations

To address cybersecurity at the OEM level, a set of regulations and a standard went into effect that will require action in 2022.

Up first are two United Nations Economic Commission for Europe (UNECE) regulations—WP.29 R155 and R156—which require that OEMs create Cybersecurity Management Systems that cover vehicles lifecycles from development through post-production. OEM suppliers are also required to meet the security measures in the regulation.

Vehicle hacking is not theoretical anymore; it’s happening, and we need to find solutions for it.

R155 introduces “audit related provisions that allow the assessment of the robustness of the cyber security measures implemented by manufacturers and the way manufacturers and their suppliers are able to mitigate cybersecurity related risks, as well as obligation to perform risk assessments and to keep them current,” according to a UNECE press release. “It also imposes a number of requirements, including the obligation to monitor and report on incidents.”

Additionally, R156 creates security requirements for software updates for vehicles—including over-the-air procedures. Many newer vehicles have over-the-air (OTA) update technology, which allows OEMs to push software updates to vehicles wirelessly instead of patching manually in a service center. Using OTA is convenient, but it also poses a risk as researchers have found vehicles to be vulnerable to attacks by compromising OTA systems.

“In March 2019, researchers showed that a North American OEM’s vehicles were vulnerable to GPS spoofing attacks. During a test drive, a staged attack caused the car to slow down and unexpectedly veer off the main road,” according to Upstream’s 2022 report. “In May 2018, hackers found a vulnerability in a misconfigured back-end server run by a North American IoT software applications and telematics products and services provider. This gave hackers direct access to critical databases that track the vehicle location, user information, and even what’s needed to turn off an engine remotely.”

Not all nations are choosing to implement the UN regulation; however, Porat explains that those that are not in compliance—like the United States and Japan—have adopted similar measures that are being overseen by their own internal agencies, such as the National Highway Traffic Safety Administration.

“Regulations are being implemented, and 2022 is going to be a very vital year where OEMs and suppliers are going to have to comply,” Porat adds. “Vehicle hacking is not theoretical anymore; it’s happening, and we need to find solutions for it.”

One of those solutions could be manufacturers adopting the recently published international standard, Road Vehicles—Cybersecurity Engineering, ISO/SAE 21434, which creates a methodology for OEMs and suppliers to calculate risks and prioritize vulnerability urgency.

The standard “will help manufacturers keep abreast of changing technologies and cyberattack methods, and defines the vocabulary, objectives, requirements, and guidelines related to cybersecurity engineering for a common understanding through the supply chain,” a news post by ISO explained.

Additionally, the standard provides a “structured cybersecurity framework, establishing cybersecurity as an integral element of engineering throughout the lifecycle of a vehicle from the conceptual phase through decommissioning,” according to the Upstream 2022 report.

For instance, OEMs will be required to know their suppliers’ cyber history and that suppliers are conducting risk vulnerability and management for their parts. The standard also delineates that cybersecurity responsibilities are shared, including by using Cybersecurity Interface Agreement for Development methods and Responsible-Approving-Supporting-Informed-Consulting (RASIC) frameworks.

Taking Action

Manufacturers are taking note, partly due to increased regulation and also the realization that cyber incidents will have major ramifications for their and their customers’ bottom lines. Analysis from Upstream found that the automotive industry stands to lose more than $500 billion by 2024 as the result of cyberattacks. 

Upstream suggested in its 2022 report that manufacturers take a security operations center approach to vehicles (VSOC) to create “a more secure layering between OEMs, Tier-1s, Telematics Service Providers, and other stakeholders in the ecosystem, minimizing threats, and preventing attacks. This would include assessing in-vehicle security, IT network security, and automotive cloud security.”

Manufacturers are also shairng more details about the steps they are taking to secure vehicles. At the RSA Conference in 2020, General Motors CEO Mary Barra spoke about the cybersecurity program the company was building.

“We view cybersecurity as an area we invest in not as a competitive advantage but as a systemic concern for our industry,” she said in her keynote remarks.

Kevin Tierney, the lead for GM’s cybersecurity team and then-chair of the Auto-ISAC, shared that GM had hired nearly 500 people and implemented a program with HackerOne to engage closer with the research community. That partnership ultimately evolved into a bug bounty program to strengthen their cybersecurity efforts, Tierney said.

Once there is a good vulnerability to exploit, hackers will do it.

In its 2020 sustainability report, published in 2021, GM further shared how its implementing risk and cybersecurity frameworks into its operations to encompass product, manufacturing, and corporate cybersecurity functions.

“Vehicles that incorporate a next-generation battery-electric technology, as well as active safety, infotainment, and connectivity features, will require increased bandwidth and computing power,” GM wrote. “To meet these needs, GM has introduced an all-new electrical architecture consisting of software and hardware that will enable all advanced in-vehicle technologies to run seamlessly and in conjunction with each other. The platform went into production in 2019 and should be rolled out to most vehicles within GM’s global lineup by 2023.”

In Europe, Volkswagen Group (Volkswagen, Volkswagen Commercial Vehicles, ŠKODA, SEAT, CUPRA, Audi, Lamborghini, Bentley, Porsche, and Ducati) is implementing standards for accident prevention and security—including creating a framework for an Automotive Cyber Security Management System in line with UNECE regulations.

“Volkswagen has been implementing cybersecurity measures in the Group for some time now,” the company said in its 2020 annual report. “For example, we have an independent cybersecurity network in place across all regions and Group brands and monitor potential cyber risks. This enables us to act fast when potential threats arise.”

Beyond OEMs, others are also getting involved in addressing security concerns for these “servers on wheels,” as BlackBerry Chief Technology Officer Charles Eagan likes to call them. BlackBerry unveiled its intelligent vehicle data platform, BlackBerry IVY, co-developed with Amazon Web Services (AWS), at CES 2022.

It’s part of the company’s portfolio that is looking at how to address the increasing number of software and security threats to vehicles. BlackBerry IVY compiles data from a connected vehicle and shares it with OEMs, all while learning from that data to create a more comfortable driving experience for passengers.

“How do we apply some of the good security practices like authentication and zero trust to the solution?” Eagan asks. “Because the more software in the vehicle, the more potential for things like [Log4Shell] to catch people by surprise.”

OEMs will have complete control over the data that is collected by the vehicle, with BlackBerry Ivy working as the conduit to ensure it is shared in a safe and secure way, Eagan says.

“We’re learning from the security industry,” Eagan says. “Connected vehicles and the amount of software that’s running on the vehicle are going to continue on this steep curve, so we need to find ways to create defenses.”

And individual security practitioners, especially those who are responsible for transporting individuals or for managing a fleet of vehicles for patrols, will also need to keep the cybersecurity of their cars in mind.

“Vehicles are of course used to bring important people from Point A to Point B, and in the future, we can see how people can be targeted—not only in physical manners—and their transportation could be affected,” Porat says.

“In terms of security, people who are in charge of transporting people from one place or another will have to take into consideration that they will have to have security and defense for their automobiles or transport vehicles because they could be the next surface for an attack,” he adds. “They will have to make arrangements and be prepared, conceptually, to the possibility that the transportation may be harmed, interrupted, or even worse—from afar.”

Megan Gates is editor-in-chief of Security Technology. Connect with her at [email protected]. Follow her on Twitter: @mgngates.