Report reveals alarming level of connected car threats – and the best way to solve them
A report from security services provider IOActive argues that almost half of the vulnerabilities found in connected cars are either ‘critical’ or ‘high’ impact.
The research categorised each of its findings in five ratings. Critical, or a score of five out of five, would result in “extreme impact” to a vehicle and would be a flaw which receives media attention. High impact (4/5) could be a regulatory violation and “major” for the vehicle, while medium, low, and informational go down incrementally.
Across all vulnerabilities analysed, there was little to choose between critical (25%), high (25%) and medium (23%) for impact. In terms of likelihood, the most frequently cited was medium (43%), ahead of high (21%) and critical (7%); yet the researchers define medium as a vulnerability where “an expert attacker could exploit [it] without much difficulty.”
Two in five (39%) vulnerabilities go through the network, according to the research, while the cell network (16%), USB (13%), and CANBus (10%) were also highly cited.
Perhaps the most interesting facet of the report came from the ‘ounce of prevention’ section, which was also the most subjective. 45% of respondents said following industry best practice documents – such as Microsoft, the Auto-ISAC, and ARM, was the best way to avoid being pinged.
Code review and testing (25%) and secure coding practices (11%) were also noted, although here the report argues: “Catching coding logic errors can be extremely difficult, but following modern software principles such as test-driven development can do wonders for improving a code base and hardening against unexpected behaviour and bugs.”
Of course, if you fall victim then the consequences could be very serious. Corvette, Chevrolet and Mitsubishi are just three car manufacturers whose products have been hacked over the past 12 months. Yet the IOActive report gives a realistic view of what lies ahead.
“The majority of vehicle cybersecurity vulnerabilities are not solvable using ‘bolt-on’ solutions, instead relying on sound engineering, software development practices, and cybersecurity best practices,” the report concludes. “The most effective cybersecurity work occurs during the planning, design and early implementation phases of products, with the difficulty and cost of remediation increasing in correlation with product age and complexity.”
You can read the full report here.