Cybercriminals Take the Wheel

Automotive hacking: new stress for the drivers

A new disease driving fear

Automotive hacking refers to using technology to compromise the security of a vehicle's systems and functions. This can include everything from accessing the car's entertainment system to taking control of critical functions such as the steering, brakes, and engine. Hackers have numerous techniques at their disposal, from remote attacks through the car's cellular or WiFi connection to physical attacks through the car's diagnostic port or onboard computer. Radio, Bluetooth, WiFi, GPS systems, connectivity ports, sensors, and keyless systems can allow hackers to remotely take over or shut down a vehicle, spy on occupants, track a car, or altogether disable safety systems.

Hackers can essentially target any part of a car's system that is digitized, from the infotainment system to the engine control unit (ECU), to gain access to sensitive data or take control of the car. With modern vehicles becoming increasingly connected, the risk of automotive hacking has become a pressing concern. Indeed, vehicles are becoming more digital complex and connected. Already today, most cars, in addition to central processing units, connectors, and operating systems, come with up to 150 ECUs and ~100mn lines of code. McKinsey estimates that by 2030 cars will come with 300mn lines of code. For comparison, commercial aircraft contains 15mn lines of code. Therefore, it has become essential for car manufacturers to prioritize cybersecurity in their designs and for car owners to take steps to protect themselves from potential attacks.

Your key is not your own

As connected cars are increasingly data-driven technologies, they represent a new frontier for cybersecurity. There are numerous ways in which a car can be hacked, with most depicted below.

One method is through the car's keyless entry system. Hackers can use signal amplifiers or jammers to intercept the radio frequency signals sent between the car and the key fob, allowing them to unlock the car and start the engine. With a technique known as RollBack, hackers can gain entry to a car by simply capturing the signal when the owner locks and unlocks the doors with their key fob and later replaying the signal to access the vehicle. 91% of cars sold use keyless ignition systems that depend on key fob technology, and in recent years ~90% of vehicles recovered by a stolen-vehicle recovery system in the UK were hijacked using key fob attacks. 

An entire deck of techniques to hack your car

Another method is through the car's infotainment system, which is often connected to the internet and other devices through Bluetooth or WiFi. Hackers can exploit vulnerabilities in the system's software to gain access to other parts of the car's system or to steal sensitive data stored on the device. For example, in 2015, security researchers demonstrated how they could take control of a Jeep Cherokee's vital functions through its infotainment system. This led to a recall of 1.4mn Jeep vehicles to address the vulnerabilities.  

Perhaps the most concerning type of automotive hacking, which resembles a pestering DDoS attack on a server, is when hackers gain control over the car's vital functions, such as the brakes, steering, or acceleration. This can be done by flooding the ECU with data (with a device that costs only $27 to build), which controls the car's engine and other crucial systems. Hackers can also access the ECU through the car's onboard diagnostics (OBD) port, which is often left unprotected and can be easily accessed by anyone with a compatible device.

There are also technologies involved in automotive hacking, such as CAN (Controller Area Network) buses. A vehicle bus is a specialized internal communications network that interconnects components inside a vehicle. These buses are often unencrypted and do not have robust authentication mechanisms, making them vulnerable to attacks.

Behind the wheel of danger: skyrocketing growth and new countermeasures

Supersonic growth

With more vehicles connected to the internet and equipped with advanced sensors and computing systems, the potential attack surface is expanding rapidly. According to Upstream, the frequency of automotive cyberattacks rose by 225% from 2018 to 2021, with remote attacks constituting almost 85%.   

However, the industry is still in its early stages and has significant growth potential, i.e., the global automotive cybersecurity market is expected to grow from $2.2bn in 2022 to $7.4bn by 2027 at a 5Y CAGR of 27.0%. This growth is driven by global vehicle digitization, increasing demand for connected cars, government regulations mandating cybersecurity standards, and growing awareness among automotive manufacturers regarding vehicle security. To put that into perspective, there are currently ~1.5bn vehicles in the world (the number is set to double in 10 years, according to the World Economic Forum), and by 2025, 86% of cars are expected to be connected (vs. 41% today), i.e., have at least one way to be connected to remotely or can communicate bidirectionally with other systems outside of the car.

Additionally, the demand for electric vehicles (EVs) will drive additional growth. The EV market is expected to grow at a CAGR of 29.7% between 2022 and 2027, and the increasing adoption of EVs will require robust cybersecurity measures to protect against potential cyber threats. This is because EVs depend on electric vehicle supply equipment (EVSE), known as charging stations. EVSE devices support the electrification of the transportation industry and are the backbone of transportation infrastructure. The potential attack surface is quickly becoming immeasurable as the number of EVSEs is rapidly increasing. European Commission, for example, has set a target of 1mn charging points by 2025, and in the U.S., their number is growing by 10% quarterly. Cybersecurity researchers have identified vulnerabilities in EVSE devices, with the potential impact of attacks on these systems resulting in long-term national transport grid disruption. Therefore, it is evident how increased adoption of EVs will further drive the need for proper automotive cybersecurity. 

Powerful drivers accelerating the sector

One trend driving the automotive cybersecurity industry is the growing collaboration between automakers, technology suppliers, and cybersecurity experts. Synergy is essential for developing effective solutions that can protect vehicles from cyberattacks. Major automakers such as Ford, General Motors, and BMW have already partnered with cybersecurity companies to help address this issue.

Another trend is adopting new technologies that can help protect vehicles from cyberattacks. One such technology is blockchain, which can secure data and prevent unauthorized access. Several automakers have already started exploring the use of blockchain in their vehicles, including BMW and Ford.

Finally, the rise of autonomous vehicles also drives the need for increased cybersecurity measures. Any cyberattack could have serious consequences, with autonomous cars relying heavily on sensors and communication systems to navigate. As a result, automakers are investing heavily in cybersecurity solutions that can protect these vehicles.

Favorable regulation steps on the gas

The regulatory environment is also playing a significant role in the growth of the automotive cybersecurity market. Today, various regulatory standards address vehicles' general and data security to protect consumers. These include data protection laws, standards for software development, communication protocols, and over-the-air updates. For example, the European Union's General Data Protection Regulation (GDPR) includes provisions that require automakers to take appropriate measures to ensure the security of personal data in connected cars.

As regulators are switching their focus on ensuring the secure design and development of autonomous vehicles, further emphasis on consumer privacy and data protection of personal information collected by cars, and the cybersecurity of electric vehicle charging infrastructure, the sector should see an inflow of funds, talent, and innovation further boosting the industry.

Capturing the auto-cybersecurity growth  

As we have hopefully shown, no one is safe unless he is driving a vintage car, and it is a no-brainer that cybersecurity portfolios have to include automotive cybersecurity companies. Already today, investors can get exposure to the automotive cybersecurity sector in a number of ways: through companies that directly provide cybersecurity solutions for vehicles, companies that manufacture vehicles with robust cybersecurity features, or investing in the development of new technologies that can help prevent automotive hacking.

The pure-players take the lead

Companies that are focused on developing and implementing automotive cybersecurity solutions remain mostly private. Working with major automakers, they are best positioned to benefit from the growth in this market. One of the listed players, Aptiv, develops platforms for self-driving cars (in collaboration with Lyft Inc) with cybersecurity solutions integrated across all car systems. Another player, Centri, offers cybersecurity solutions to IoT devices in the automotive industry, i.e., the software installed on chips to protect automotive sensors and data that learn addresses and behavioral patterns from the user. Argus provides smart vehicles with cybersecurity tools that safeguard everything from a vehicle's infotainment center to the networks. GuardKnox creates coding architecture for autonomous cars that operates everything in the car. Harman partnered with International Business Machines Corp to develop the Harman SHIELD, which protects key entry points of a car’s network from hackers. In addition, it continuously performs a threat analysis to determine which points are most vulnerable at any given moment.

Mature companies understand the importance of cyber safety

Car companies are taking automotive cybersecurity seriously and are investing heavily in developing secure systems and protocols. Companies like General Motors, Ford, and Toyota Industries are all making significant investments in this space. General Motors, for example, has a dedicated team of cybersecurity experts working on securing its vehicles. This is not surprising, especially after web hackers have found a myriad of vulnerabilities in the existing car models. For example, some of Kia's and Honda's cars can be hacked only using a Vehicle Identification Number (VIN). Daimler's models are prone to giving hackers access to hundreds of mission-critical internal applications via an improperly configured authentication. Ford, through disclosure of its access tokens, allowed hackers to track and execute commands on vehicles. Continental, the automotive parts manufacturing company, now integrates Argus’ cybersecurity solutions into all of its connected vehicle electronics. Porsche enlisted GuardKnox to improve cybersecurity in its new line of vehicles.

Catalysts

• The rise of connected and autonomous vehicles. As more vehicles become connected to the internet and are equipped with advanced technologies such as AI, the potential attack surface for hackers increases.

• The increasing complexity of vehicle software. Modern vehicles comprise numerous software systems that interact with one another, creating new opportunities for hackers to exploit vulnerabilities.

• The emergence of new attack vectors. As vehicles become more sophisticated, hackers find new ways to target them, such as through wireless networks or over-the-air software updates.

Risks

• Slow regulatory response. Regulations around automotive cybersecurity are still evolving, and slow action from regulators could lead to confusion and a lack of clear standards for the industry to follow.

• Cost considerations. Automotive cybersecurity solutions can be expensive to develop and implement, and automakers may be hesitant to invest heavily in these measures if they don't see a clear return on investment.

• Fragmented industry. The automotive industry is highly fragmented, with many different players involved in the design, manufacturing, and sale of vehicles. This fragmentation could make implementing consistent cybersecurity measures across the industry difficult.