As the modern vehicle becomes smarter and more connected, everything from safety systems — such as steering, acceleration and brakes — to infotainment systems are controlled by some sort of computer. The car of today — and especially tomorrow — relies on countless lines of software code to get those wheels moving, a reality that has placed increasing importance on automotive cybersecurity. When you think about it, the auto industry is blurring the lines between transportation and software.

A recent survey of auto manufacturers from Synopsys and SAE International found that 62 percent of respondents think it is likely or very likely that malicious attacks on their software or components will occur within the next 12 months. The study also revealed that software security is not keeping pace with technology in the automotive industry and, as a result, connected vehicles have a range of unique security issues.

Even more concerning, 30 percent of survey respondents said they do not have an established product cybersecurity program or team. What steps should auto manufacturers take to avert the potential damage cyberthreats could cause to the industry?

The Transportation Industry in Transformation

To answer these questions, I figured it was best to go straight to the source. Chris Clark, principal security engineer for strategic initiatives at Synopsys, co-authored the aforementioned study and possesses in-depth knowledge of the auto industry from a high level down to the technical weeds.

The reality for the industry, according to Clark, is that car manufacturers have always been software companies because for many years they’ve had microcontrollers that perform some level of action. Depending on the type of car you drive, you may have capabilities such as Apple CarPlay, Android Auto or even a digital storefront from which you can add apps and capabilities to your infotainment system.

“We’re going to continue to see that progress,” said Clark. “And the only way you can do that is to be a software house. That’s where the industry is.”

Before we dive in, just to be clear, the purpose of the study — and, for that matter, this article — is not to scare you. Instead, it should be viewed as more of a learning tool.

“I think a lot of people had the same initial response that you had [about the study],” Clark told me. “But one of the takeaways I want to get out of this is that [the study] is really more of a helping document. I hope the technical person, middle management, etc. can reach up to the higher-level offices and say, ‘Here are the challenges we really face and how can we reevaluate the direction we’re going from a security perspective.'”

Assessing Realistic Threats to Automotive Cybersecurity

Reading the report, it’s evident that the industry is facing some severe cybersecurity challenges. The ramifications, however, are not as dire as they seem — at least in the short term. While the vulnerabilities that exist for auto manufacturers need to be addressed ASAP, the risk is more localized.

“When we talk about safety in the automotive industry, yes, there is a potential for hackers to take control of the vehicle and cause some malicious activity,” Clark said. “But right now, we’re so early in this security model … most of the discussions taking place revolving around automotive security aren’t realistically that applicable yet.”

For instance, say an attacker discovered a vulnerability in the infotainment system of a connected vehicle and went on to perform some level of control with the vehicle. According to Clark, it’s not very likely that the threat actor would be able to exploit that in the entire fleet of cars.

In the short term, there is a concern about malicious actors gaining access to personally identifiable information (PII) and/or injecting malware to deny access to a vehicle. In the malware scenario, there’s a parallel to be drawn to ransomware, where you’d need to call an 800 number and turn over thousands of dollars just to turn your car back on.

Interconnectivity Takes the Wheel

Make no mistake: The threat potential is significant, especially as we move toward a future of autonomous vehicles, where discussions around artificial intelligence and machine language will come into play. According to Clark, to do this effectively, vehicles will need to harness abundant local computing power to provide the amenities that the consumer is looking for.

We also must remember that the automobile is just one part of a growing tech-enabled transportation ecosystem. It’s not only car manufacturers that need to address cybersecurity concerns; because our vehicles are communicating with other vehicles, traffic signals and more, security plays a role well beyond the individual automobile.

The city of Los Angeles, for example, has been making progressive investments in public transportation, bicycle lanes and alternative transportation. Soon, it will launch a new data sharing platform. Ted Ross, general manager and chief information officer for the city’s Information Technology Agency, understands that there are tremendous benefits to networking a service — in this case, transportation — and making it digital. Equally important, however, is the investment required to secure these services.

“If not properly secured, [the automobile] becomes an entry point for malicious actors,” Ross said. “Automated cars, traffic signals and urban infrastructure become a tremendous liability if hacked and compromised by criminals.”

The concern for Ross — and any other smart city like Los Angeles — is that an insecure ecosystem could allow criminals to gain access to user payment accounts, personal data and possibly even the digital systems — e.g., automated braking, acceleration and autonomous vehicle guidance systems — used to ensure the safety of riders and pedestrians.

“Cybersecurity is paramount in a rapidly digitizing society,” Ross noted.

It’s safe to assume the most pressing issue for the automotive industry is the collective security practices of all manufacturers involved in the supply chain. The frequent integration of third-party components, software, communications protocols and applications can introduce threat vectors that original equipment manufacturers (OEMs) must address.

A Considerable Amount of Work Still to Be Done

To improve automotive cybersecurity, the industry can implement several strategies. Most importantly, according to Clark, companies in the industry need to ask the same important questions that apply to any industry. Have we hired the right people? Have they been trained properly? Do they have the education they need from a cybersecurity standpoint?

Industry leaders looking to make use of best practices can also turn to helpful resources such as:

Despite the startling statistics and an industry fraught with challenges, there’s one nugget of information from my conversation with Clark that stood out from the rest. When you look at the automotive space, cybersecurity is a relatively new consideration.

“Ten years ago, we wouldn’t even be having this discussion about computing platforms and vehicles,” Clark said. “We look at cybersecurity in the automotive space; we’re like toddlers. Security in the space is only two, three years old, and maybe some [companies] are a little more ahead, a little bit more mature, but this is the early days.”

It’s a positive sign that research demonstrates how automotive industry leaders are jumping on the bandwagon to address the challenges they’re hearing about. To make real progress, Clark says there still has to be discussions within and between organizations on how to address potential vulnerabilities and challenges to integration related to security.

“Those discussions are happening, but they’re not happening enough,” said Clark.

There’s still a considerable amount of work to be done. While the Synopsys report isn’t meant to sensationalize the threat, perhaps it’s the wake-up call the industry needs.

More from Endpoint

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…