How can connected cars resist malicious attacks? - The latest security trends in the automotive supply chain

2022 / 08 / 11

The Internet of Vehicles (IoV) has transformed the automotive industry. Connected cars of every kind have appeared, including vehicles equipped with Advanced Driver Assistance Systems (ADAS), self-driving cars, and electric vehicles. These vehicles improve mobility and convenience, but they are also exposed to cyber attacks. The number of malicious attacks on connected cars grew from about 65 million in 2011 to about 1.1 billion in 2020, and with more than 11,000 Common Vulnerabilities and Exposures (CVEs) published worldwide, connected cars have become a new target for attackers. Several international automakers have already suffered incidents in which vehicles were remotely compromised, leading to serious security crises.

According to a market research report, the global automotive cybersecurity market was worth US$7.23 billion in 2021 and is expected to reach US$32.41 billion by 2030, a compound annual growth rate of 16.6%. Demand for automotive cybersecurity solutions is rising. Many connected cars share the same security vulnerabilities, often because they are built from the same supplier components. The industry's approach has mostly been to patch individual vulnerabilities as they surface rather than to consider potential threats from the start of the design, so cybersecurity risk stays hidden in the supply chain. Take one important component, the Event Data Recorder (EDR), as an example: an attacker who can plant malicious code on the EDR could erase the evidence related to a crash, so car manufacturers need to know exactly where the software running on the EDR comes from. The use of open source software with unpatched vulnerabilities is one of the main sources of cybersecurity risk.

Common cybersecurity threats and attack methods against connected cars include man-in-the-middle (MITM) attacks on the vehicle through a paired mobile phone or Wi-Fi connection, direct intrusion into the vehicle control system, and attacks on the browser engine of the in-vehicle display. Once inside, attackers can exploit vulnerabilities in the automotive operating system to escalate privileges or execute arbitrary code, and can mount supply chain attacks during automotive software or firmware updates. How should the automotive industry respond to supply chain attacks? Complying with international regulations and standards is the best place to start. The United Nations Economic Commission for Europe (UNECE) cybersecurity regulation UN R155 requires that, from 2024, all new vehicles sold in the markets that apply it (the EU among them) be covered by a certified cybersecurity management system. In addition, the automotive cybersecurity standard ISO/SAE 21434, officially released in 2021, provides a rigorous framework for ensuring cybersecurity throughout the automotive supply chain.

What should you do if you discover that an in-vehicle software vendor's product contains open source software carrying malicious code? Establish a third-party software management mechanism. Device developers should maintain a software bill of materials (SBOM) for the software in their devices, listing every open source package used and, for each package, its known vulnerabilities, its main developers, and the companies or organizations behind it. At the same time, the origin of the software should be traced and the composition of the software supply chain analyzed by scanning the firmware image itself, because an SBOM supplied by the vendor cannot simply be taken on trust.
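As an added illustration of the SBOM checks described above (example code written for this article, not Onward Security's SecSAM or any other vendor tool): it loads a small constructed CycloneDX-style SBOM for a hypothetical ECU firmware image, flags components whose supplier or version is missing so their origin cannot be traced, and correlates every component against a constructed advisory list using OSV-style introduced/fixed version ranges. All component names, versions and advisory IDs are made up.

```python
"""Correlate an ECU firmware SBOM with vulnerability advisories.

Added example for this article, not Onward Security code. The SBOM uses
the CycloneDX JSON layout (bomFormat, specVersion, components with purl
and supplier); advisories use OSV-style "introduced"/"fixed" ranges.
All component names, versions and advisory IDs below are constructed.
"""
import json
import re
from typing import List, Optional, Tuple

# Constructed SBOM for a hypothetical telematics ECU firmware image.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libtelematics", "version": "2.3.1",
         "purl": "pkg:generic/libtelematics@2.3.1",
         "supplier": {"name": "Example Tier-1 Supplier"}},
        {"type": "library", "name": "can-bridge", "version": "0.9.4",
         "purl": "pkg:generic/can-bridge@0.9.4",
         "supplier": {"name": "Example OSS Project"}},
        # No supplier recorded: the origin of this EDR logging component is unknown.
        {"type": "application", "name": "edr-logger", "version": "1.4.0",
         "purl": "pkg:generic/edr-logger@1.4.0"},
    ],
})

# Constructed advisory feed; "fixed": None means no fixed release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:generic/libtelematics",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:generic/can-bridge",
     "introduced": "0.9.5", "fixed": None},
    {"id": "EXAMPLE-ADV-0003", "purl": "pkg:generic/edr-logger",
     "introduced": "1.0.0", "fixed": "1.4.0"},
    {"id": "EXAMPLE-ADV-0004", "purl": "pkg:generic/libtelematics",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.3.1" into (2, 3, 1) for ordered comparison.

    Non-numeric fragments are dropped, which suffices for the constructed
    data here; real feeds need a scheme-aware comparator (semver, deb, rpm).
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def purl_without_version(purl: str) -> str:
    """Strip the "@version" suffix so advisories match on the package only."""
    return purl.split("@", 1)[0]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV range semantics: affected if introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_sbom(text: str) -> dict:
    """Parse the SBOM and reject documents that are not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return sbom


def provenance_gaps(sbom: dict) -> List[str]:
    """Components whose origin cannot be traced (no supplier or no version)."""
    gaps = []
    for comp in sbom.get("components", []):
        supplier = comp.get("supplier", {}).get("name")
        if not comp.get("version") or not supplier:
            gaps.append(comp.get("name", "<unnamed>"))
    return gaps


def match_sbom(sbom: dict, advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every affected component."""
    hits = []
    for comp in sbom.get("components", []):
        key = purl_without_version(comp["purl"])
        for adv in advisories:
            if adv["purl"] == key and is_affected(
                comp["version"], adv["introduced"], adv.get("fixed")
            ):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    for name in provenance_gaps(sbom):
        print(f"provenance gap: {name} has no supplier or version recorded")
    for name, version, adv_id in match_sbom(sbom, SAMPLE_ADVISORIES):
        print(f"affected: {name} {version} -> {adv_id}")
```

Run stand-alone, the script reports edr-logger as a provenance gap and libtelematics 2.3.1 as affected by EXAMPLE-ADV-0001; the other advisories fall outside their ranges (can-bridge 0.9.4 predates the introduced version, and edr-logger 1.4.0 is exactly the fixed release). The same correlation, run against a real advisory feed the moment a new automotive CVE is published, is what lets a manufacturer answer "are our products affected?" before an incident spreads.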

Onward Security's SecDevice IoV vulnerability detection tool covers the known and unknown vulnerability testing requirements for basic IoV applications, cybersecurity, and networking functions. It includes vulnerability scanning of the in-vehicle operating system, fuzzing of the in-vehicle communication network, and fuzzing of the communication protocols used for external Wi-Fi connections. The SecSAM open source software risk management system manages the firmware and software component information of vehicle products using the software bill of materials (SBOM) concept, which improves the transparency of the software supply chain, establishes a cybersecurity bill of materials (CBOM), and tracks the components and CVEs present in each product. When an automotive cyberattack occurs, you can immediately see whether your own products contain the vulnerabilities involved and respond before the damage spreads further.
