Cybercriminals Take the Wheel
18 April 2023
As our vehicles become more intelligent and digitized, they also attract hackers' attention. Exploring the latest automotive hacking trends also brings to the forefront the tools blocking hackers from driving you crazy.
With the rise of autonomous and connected vehicles, the potential for cyber attacks is only set to grow with severe consequences for drivers, passengers, and vehicle manufacturers. The latter are in the race to secure our vehicles, and numerous start-ups and private companies are working hard to ensure we stay in the driver's seat, steering clear of any hacker-induced madness.
Automotive hacking: new stress for the drivers
Automotive hacking is used to compromise the security of a vehicle's electronic components to access the car's system, steal data, or take control of critical functions, e.g., steering, brakes, and engine.
A car can be hacked through the car's keyless system, infotainment system, engine control unit (ECU), or an internal unencrypted communications network that interconnects components inside a vehicle.
Numerous cases of car hacking (from remotely disabling brakes to stealing vehicles and sending them off a cliff) show the vital importance of addressing cybersecurity vulnerabilities.
Behind the wheel of danger: skyrocketing growth and new countermeasures
With more vehicles equipped with advanced systems, the attack surface is expanding rapidly. The automotive cybersecurity market is unsurprisingly expected to grow from $2.2bn to $7.4bn by 2027, at a 5Y CAGR of 27.0%.
The rise of autonomous vehicles, a growing collaboration between automakers and cybersecurity experts, and the adoption of new technologies, e.g., blockchain, are among the major drivers for the sector.
Favorable regulation and the push from governments worldwide to ensure the security of connected cars and the data stored in them is a strong tailwind for the sector.
Capturing the auto-cybersecurity growth
Companies focused on developing and implementing automotive cybersecurity solutions remain mostly private.
Car manufacturers are taking automotive cybersecurity seriously and are investing heavily in developing secure systems and protocols.
Investors can get exposure to automotive cybersecurity through a publicly listed pure-play like Aptiv, or through more diversified car manufacturers. On the private side, we are closely following Argus, Centri, GuardKnox, and Harman which directly provide cybersecurity solutions for vehicles and have already partnered up with some car manufacturers.
Automotive hacking: new stress for the drivers
A new disease driving fear
Automotive hacking refers to using technology to compromise the security of a vehicle's systems and functions. This can include everything from accessing the car's entertainment system to taking control of critical functions such as the steering, brakes, and engine. Hackers have numerous techniques at their disposal, from remote attacks through the car's cellular or WiFi connection to physical attacks through the car's diagnostic port or onboard computer. Radio, Bluetooth, WiFi, GPS systems, connectivity ports, sensors, and keyless systems can allow hackers to remotely take over or shut down a vehicle, spy on occupants, track a car, or altogether disable safety systems.
Hackers can essentially target any part of a car's system that is digitized, from the infotainment system to the engine control unit (ECU), to gain access to sensitive data or take control of the car. With modern vehicles becoming increasingly connected, the risk of automotive hacking has become a pressing concern. Indeed, vehicles are becoming more digital complex and connected. Already today, most cars, in addition to central processing units, connectors, and operating systems, come with up to 150 ECUs and ~100mn lines of code. McKinsey estimates that by 2030 cars will come with 300mn lines of code. For comparison, commercial aircraft contains 15mn lines of code. Therefore, it has become essential for car manufacturers to prioritize cybersecurity in their designs and for car owners to take steps to protect themselves from potential attacks.
Your key is not your own
As connected cars are increasingly data-driven technologies, they represent a new frontier for cybersecurity. There are numerous ways in which a car can be hacked, with most depicted below.
One method is through the car's keyless entry system. Hackers can use signal amplifiers or jammers to intercept the radio frequency signals sent between the car and the key fob, allowing them to unlock the car and start the engine. With a technique known as RollBack, hackers can gain entry to a car by simply capturing the signal when the owner locks and unlocks the doors with their key fob and later replaying the signal to access the vehicle. 91% of cars sold use keyless ignition systems that depend on key fob technology, and in recent years ~90% of vehicles recovered by a stolen-vehicle recovery system in the UK were hijacked using key fob attacks.
An entire deck of techniques to hack your car
Another method is through the car's infotainment system, which is often connected to the internet and other devices through Bluetooth or WiFi. Hackers can exploit vulnerabilities in the system's software to gain access to other parts of the car's system or to steal sensitive data stored on the device. For example, in 2015, security researchers demonstrated how they could take control of a Jeep Cherokee's vital functions through its infotainment system. This led to a recall of 1.4mn Jeep vehicles to address the vulnerabilities.
Perhaps the most concerning type of automotive hacking, which resembles a pestering DDoS attack on a server, is when hackers gain control over the car's vital functions, such as the brakes, steering, or acceleration. This can be done by flooding the ECU with data (with a device that costs only $27 to build), which controls the car's engine and other crucial systems. Hackers can also access the ECU through the car's onboard diagnostics (OBD) port, which is often left unprotected and can be easily accessed by anyone with a compatible device.
There are also technologies involved in automotive hacking, such as CAN (Controller Area Network) buses. A vehicle bus is a specialized internal communications network that interconnects components inside a vehicle. These buses are often unencrypted and do not have robust authentication mechanisms, making them vulnerable to attacks.
Behind the wheel of danger: skyrocketing growth and new countermeasures
With more vehicles connected to the internet and equipped with advanced sensors and computing systems, the potential attack surface is expanding rapidly. According to Upstream, the frequency of automotive cyberattacks rose by 225% from 2018 to 2021, with remote attacks constituting almost 85%.
However, the industry is still in its early stages and has significant growth potential, i.e., the global automotive cybersecurity market is expected to grow from $2.2bn in 2022 to $7.4bn by 2027 at a 5Y CAGR of 27.0%. This growth is driven by global vehicle digitization, increasing demand for connected cars, government regulations mandating cybersecurity standards, and growing awareness among automotive manufacturers regarding vehicle security. To put that into perspective, there are currently ~1.5bn vehicles in the world (the number is set to double in 10 years, according to the World Economic Forum), and by 2025, 86% of cars are expected to be connected (vs. 41% today), i.e., have at least one way to be connected to remotely or can communicate bidirectionally with other systems outside of the car.
Additionally, the demand for electric vehicles (EVs) will drive additional growth. The EV market is expected to grow at a CAGR of 29.7% between 2022 and 2027, and the increasing adoption of EVs will require robust cybersecurity measures to protect against potential cyber threats. This is because EVs depend on electric vehicle supply equipment (EVSE), known as charging stations. EVSE devices support the electrification of the transportation industry and are the backbone of transportation infrastructure. The potential attack surface is quickly becoming immeasurable as the number of EVSEs is rapidly increasing. European Commission, for example, has set a target of 1mn charging points by 2025, and in the U.S., their number is growing by 10% quarterly. Cybersecurity researchers have identified vulnerabilities in EVSE devices, with the potential impact of attacks on these systems resulting in long-term national transport grid disruption. Therefore, it is evident how increased adoption of EVs will further drive the need for proper automotive cybersecurity.
Powerful drivers accelerating the sector
One trend driving the automotive cybersecurity industry is the growing collaboration between automakers, technology suppliers, and cybersecurity experts. Synergy is essential for developing effective solutions that can protect vehicles from cyberattacks. Major automakers such as Ford, General Motors, and BMW have already partnered with cybersecurity companies to help address this issue.
Another trend is adopting new technologies that can help protect vehicles from cyberattacks. One such technology is blockchain, which can secure data and prevent unauthorized access. Several automakers have already started exploring the use of blockchain in their vehicles, including BMW and Ford.
Finally, the rise of autonomous vehicles also drives the need for increased cybersecurity measures. Any cyberattack could have serious consequences, with autonomous cars relying heavily on sensors and communication systems to navigate. As a result, automakers are investing heavily in cybersecurity solutions that can protect these vehicles.
Favorable regulation steps on the gas
The regulatory environment is also playing a significant role in the growth of the automotive cybersecurity market. Today, various regulatory standards address vehicles' general and data security to protect consumers. These include data protection laws, standards for software development, communication protocols, and over-the-air updates. For example, the European Union's General Data Protection Regulation (GDPR) includes provisions that require automakers to take appropriate measures to ensure the security of personal data in connected cars.
As regulators are switching their focus on ensuring the secure design and development of autonomous vehicles, further emphasis on consumer privacy and data protection of personal information collected by cars, and the cybersecurity of electric vehicle charging infrastructure, the sector should see an inflow of funds, talent, and innovation further boosting the industry.
Capturing the auto-cybersecurity growth
As we have hopefully shown, no one is safe unless he is driving a vintage car, and it is a no-brainer that cybersecurity portfolios have to include automotive cybersecurity companies. Already today, investors can get exposure to the automotive cybersecurity sector in a number of ways: through companies that directly provide cybersecurity solutions for vehicles, companies that manufacture vehicles with robust cybersecurity features, or investing in the development of new technologies that can help prevent automotive hacking.
The pure-players take the lead
Companies that are focused on developing and implementing automotive cybersecurity solutions remain mostly private. Working with major automakers, they are best positioned to benefit from the growth in this market. One of the listed players, Aptiv, develops platforms for self-driving cars (in collaboration with Lyft) with cybersecurity solutions integrated across all car systems. Another player, Centri, offers cybersecurity solutions to IoT devices in the automotive industry, i.e., the software installed on chips to protect automotive sensors and data that learn addresses and behavioral patterns from the user. Argus provides smart vehicles with cybersecurity tools that safeguard everything from a vehicle's infotainment center to the networks. GuardKnox creates coding architecture for autonomous cars that operates everything in the car. Harman partnered with IBM to develop the Harman SHIELD, which protects key entry points of a car’s network from hackers. In addition, it continuously performs a threat analysis to determine which points are most vulnerable at any given moment.
Mature companies understand the importance of cyber safety
Car companies are taking automotive cybersecurity seriously and are investing heavily in developing secure systems and protocols. Companies like General Motors, Ford, and Toyota Industries are all making significant investments in this space. General Motors, for example, has a dedicated team of cybersecurity experts working on securing its vehicles. This is not surprising, especially after web hackers have found a myriad of vulnerabilities in the existing car models. For example, some of Kia's and Honda's cars can be hacked only using a Vehicle Identification Number (VIN). Daimler's models are prone to giving hackers access to hundreds of mission-critical internal applications via an improperly configured authentication. Ford, through disclosure of its access tokens, allowed hackers to track and execute commands on vehicles. Continental, the automotive parts manufacturing company, now integrates Argus’ cybersecurity solutions into all of its connected vehicle electronics. Porsche enlisted GuardKnox to improve cybersecurity in its new line of vehicles.
The rise of connected and autonomous vehicles. As more vehicles become connected to the internet and are equipped with advanced technologies such as AI, the potential attack surface for hackers increases.
The increasing complexity of vehicle software. Modern vehicles comprise numerous software systems that interact with one another, creating new opportunities for hackers to exploit vulnerabilities.
The emergence of new attack vectors. As vehicles become more sophisticated, hackers find new ways to target them, such as through wireless networks or over-the-air software updates.
Slow regulatory response. Regulations around automotive cybersecurity are still evolving, and slow action from regulators could lead to confusion and a lack of clear standards for the industry to follow.
Cost considerations. Automotive cybersecurity solutions can be expensive to develop and implement, and automakers may be hesitant to invest heavily in these measures if they don't see a clear return on investment.
Fragmented industry. The automotive industry is highly fragmented, with many different players involved in the design, manufacturing, and sale of vehicles. This fragmentation could make implementing consistent cybersecurity measures across the industry difficult.
Companies mentioned in this article
Aptiv (APTV); Argus (Not listed); BMW (BMW); Centri (Not listed); Continental (Not listed); Daimler (MBG); Ford (F); General Motors (GM); GuardKnox (Not listed); Harman (Not listed); Honda (7267); IBM (IBM); Kia (Not listed); Lyft (LYFT); Porsche (Not listed); Toyota Industries (6201)
- A deep dive into automotive hacking
- Automotive Cyber Security Players
- Car Hacking: Cyber Security in Automotive Industry
- Investing in Modern Cybersecurity: Cloud Security
- New Opportunities and Vehicle Architectures: How Upcoming Cybersecurity Regulations will Transform the Connected Car Ecosystem?
- Review of Electric Vehicle Charger Cybersecurity Vulnerabilities, Potential Impacts, and Defenses
- The demise of the car key
- The number of cars worldwide is set to double
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities
This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.
As an internationally active company, atonra Partners SA may be subject to a number of provisions in drawing up and distributing its investment research documents. These regulations include the Directives on the Independence of Financial Research issued by the Swiss Bankers Association. Although atonra Partners SA believes that the information provided in this document is based on reliable sources, it cannot assume responsibility for the quality, correctness, timeliness or completeness of the information contained in this report.
The information contained in these publications is exclusively intended for a client base consisting of professionals or qualified investors. It is sent to you by way of information and cannot be divulged to a third party without the prior consent of atonra Partners. While all reasonable effort has been made to ensure that the information contained is not untrue or misleading at the time of publication, no representation is made as to its accuracy or completeness and it should not be relied upon as such.
Past performance is not indicative or a guarantee of future results. Investment losses may occur, and investors could lose some or all of their investment. Any indices cited herein are provided only as examples of general market performance and no index is directly comparable to the past or future performance of the Certificate.
It should not be assumed that the Certificate will invest in any specific securities that comprise any index, nor should it be understood to mean that there is a correlation between the Certificate’s returns and any index returns.
Any material provided to you is intended only for discussion purposes and is not intended as an offer or solicitation with respect to the purchase or sale of any security and should not be relied upon by you in evaluating the merits of investing inany securities.