This is the first article in a series. Be sure to read Part II for the full story.

Since the first automobiles appeared in the early 20th century, the automotive industry has gone a long way to satisfy market-driven requirements and has evolved the car into a means of transportation that relies on state-of-the-art electronics and information technology for passengers' comfort and entertainment.

The Value of Connected Vehicles

In particular, recent years have seen vehicle connectivity become a fundamental part of the connected society. This gives rise to a host of value-add services that benefit all stakeholders in the automobile ecosystem. The value proposition of connected vehicles has been rapidly embraced by the industry, with expectations of 250 million connected vehicles shipped by 2020, according to a Gartner report.

Stakeholder    | Value-add services (examples)
Car owners     | Social navigation (e.g., Waze), individualized infotainment, automated driving support.
Automakers     | Enablement of new business models and revenue streams (e.g., pay-as-you-drive car insurance), proactive aftermarket diagnostics (e.g., predictive maintenance), over-the-air ECU firmware updates.
Businesses     | Optimized transport services such as real-time fleet management.
Municipalities | Smart city services such as traffic congestion management and emission control.

Table 1: Benefits for Stakeholders

However, along with the benefits of connected vehicles come the risks associated with security breaches, as well as concerns over data privacy. The reason is that the automobile, a product that was originally purely mechanical, has evolved into a complex IT network on wheels. Vehicle original equipment manufacturers (OEMs) have always put driver safety as a top priority, and this has been the major motivation behind developing driver assistance systems. While these programs have dramatically improved passenger safety over the last decade, cybersecurity risks became relevant for the OEMs only when the vehicle was connected to the Internet, giving outsiders a path into the vehicular network.

Nothing Is Without Risks

These risks are now amplified by the fact that modern vehicles are among the most complex software-driven systems ever built. Some studies have estimated that an average modern car hosts around one hundred million lines of software code, roughly twice the size of the software that drives the Large Hadron Collider in Switzerland, the largest particle accelerator ever built.

Moreover, vehicle software and firmware manage anywhere between 70 and 100 electronic control units (ECUs), which are connected by several Controller Area Network (CAN) buses. Since vehicles now employ multiple communication protocols to connect with other machines and infrastructure systems, and are equipped with a host of related communication interfaces (e.g., Bluetooth, USB ports and even near-field communication), the connected vehicle's attack surface is wide and highly exposed, as various researchers have observed.

Many credible automakers have fallen prey, often publicly, to attackers that exploited those vulnerabilities. Those automakers were forced to issue expensive recalls in order to patch security vulnerabilities. They likely have also incurred indirect damages to brand value and reputation.

Using an IDS for Protection

Given the high stakes, industry players conduct important research to develop solutions for securing connected vehicles. A popular approach pursued by several vendors is a specialized intrusion detection system (IDS) for vehicles, wherein elaborate analysis algorithms — possibly implemented in an embedded device — are used to continuously inspect the car’s internal communication network. When a threat is detected, a corrective action is taken; for example, the communication channel is blocked, and an alert is potentially raised.

While the vehicular IDS approach has merit, it also has limitations. First, a vehicular IDS mainly inspects and reasons about communication traffic exchanged among the ECUs over the vehicle's CAN buses. While this information is important, especially if an IDS applies elaborate analysis techniques, the insights obtained from such local analysis represent only a relatively small subset of the security events relevant to the vehicle. Some attacks on the vehicle may be detected with this approach, yet many sophisticated attacks will remain undetected. Sybil attacks are one example: an adversary forges the identities of many imaginary cars to subvert the vehicle-to-vehicle or vehicle-to-infrastructure network, and nothing about that forgery is visible in a single car's CAN traffic.

Another limitation of vehicular IDS is the constrained processing and memory resources that such a device can consume due to the cost sensitivity of automakers and price sensitivity of buyers. Those constraints and the low computational footprint available for an IDS in the car inherently limit the performance and quality of the security coverage that can be provided.
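To make the two points above concrete, here is an added example of the kind of analysis an in-vehicle IDS can perform on CAN traffic. It is illustration code written for this article, not IBM's prototype or any vendor's product. It assumes frames arrive as text lines in the format printed by candump -L ("(timestamp) interface ID#HEXDATA"), learns the median inter-arrival time of each arbitration ID from traffic assumed to be clean (most ECU broadcasts are strictly periodic), and then alerts when an ID suddenly arrives far faster than its baseline, the signature of frame injection, or when an ID never seen during learning appears. All traffic, IDs (0x0C1, 0x1A0, 0x2AA) and timings are constructed for the demonstration. Note what the detector cannot see: it reasons only about frames on this one bus, so a Sybil attack on the surrounding vehicle network, or any event that never produces an anomalous frame, is invisible to it.

```python
import re
import statistics
from collections import defaultdict

# Frame text format assumed here: one frame per line, as candump -L prints it,
# "(seconds.micros) iface ID#HEXDATA". A deployed in-vehicle IDS would read
# frames straight from the CAN controller instead of parsing text.
FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_frame(line):
    """Return (timestamp, arbitration id, payload bytes) or None for junk lines."""
    m = FRAME_RE.match(line.strip())
    if m is None:
        return None
    return float(m.group("ts")), int(m.group("id"), 16), bytes.fromhex(m.group("data"))

def learn_profile(lines):
    """Median inter-arrival time per ID, learned from traffic assumed clean.
    Most ECU broadcasts are periodic, so the median is a robust baseline."""
    last, gaps = {}, defaultdict(list)
    for frame in map(parse_frame, lines):
        if frame is None:
            continue
        ts, can_id, _ = frame
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items()}

def detect(lines, profile, ratio=0.6, tolerance=3):
    """Raise one alert per ID when frames arrive much faster than the baseline
    (frame injection) and one per ID that was never seen during learning.
    `tolerance` strikes are required before alerting, to absorb bus jitter."""
    last, strikes, alerted, alerts = {}, defaultdict(int), set(), []
    for frame in map(parse_frame, lines):
        if frame is None:
            continue
        ts, can_id, _ = frame
        if can_id not in profile:
            if can_id not in alerted:
                alerted.add(can_id)
                alerts.append(("unknown_id", can_id, ts))
            continue
        if can_id in last and ts - last[can_id] < ratio * profile[can_id]:
            strikes[can_id] += 1
            if strikes[can_id] >= tolerance and can_id not in alerted:
                alerted.add(can_id)
                alerts.append(("injection", can_id, ts))
        last[can_id] = ts
    return alerts

def frame_line(ts, can_id, data="00"):
    """Render a frame in the assumed candump -L text format."""
    return f"({ts:.6f}) can0 {can_id:03X}#{data}"

def make_traffic(with_attack):
    """Constructed sample: ID 0x0C1 every 10 ms and ID 0x1A0 every 20 ms for one
    second. The attack variant injects extra 0x0C1 frames every 2 ms between
    100 ms and 150 ms and a single frame with an ID (0x2AA) never seen in learning."""
    frames = [(i * 0.010, 0x0C1) for i in range(100)]
    frames += [(i * 0.020, 0x1A0) for i in range(50)]
    if with_attack:
        frames += [(0.100 + i * 0.002, 0x0C1) for i in range(25)]
        frames.append((0.123, 0x2AA))
    frames.sort()
    return [frame_line(ts, cid) for ts, cid in frames]

def run_demo():
    """Learn from clean traffic, then run detection over the attacked traffic."""
    profile = learn_profile(make_traffic(with_attack=False))
    return profile, detect(make_traffic(with_attack=True), profile)

if __name__ == "__main__":
    profile, alerts = run_demo()
    print({hex(k): round(v, 3) for k, v in profile.items()})
    for kind, cid, ts in alerts:
        print(f"{ts:.3f}s {kind} id=0x{cid:03X}")
```

Running the demo learns a 10 ms baseline for 0x0C1 and 20 ms for 0x1A0, raises an injection alert for 0x0C1 shortly after the flood begins and an unknown-ID alert for 0x2AA, and stays silent on the clean traffic. The per-ID state is a handful of floats and counters, which is the kind of footprint the resource constraints discussed above force on an in-car device; anything richer (payload semantics, cross-ECU correlation, fleet-wide patterns) is exactly what such a device struggles to afford.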

The Final Word

A comprehensive solution for connected vehicle security must reconcile conflicting requirements and address multiple design challenges. On the one hand, as described above, the threat detection potential at the vehicle level is limited; on the other hand, a centralized, server-based architecture will not be a proper solution either. The dynamics and scale of a broad vehicular network would impose severe computational and communication costs in managing the network and uploading security data from the vehicles to the server. A solution that provides a comprehensive real-time security view must therefore reconcile the above design trade-offs and integrate multiple capabilities.

At the upcoming International Motor Show in Frankfurt, Germany, we will present a prototype solution for securing connected vehicles, based upon research conducted by IBM in its Cybersecurity Center of Excellence in Israel. Our solution is based on a client/server architecture in which an in-vehicle component communicates with a cloud-based server component. Using a novel approach to coordinated anomaly detection, this solution, designed in the IBM lab, can identify attacks on the integrity of both individual vehicles and vehicle networks as a whole.
