This everyday reality of software-defined vehicles represents a new frontier of potential opportunity and innovation - but also opens new horizons for vulnerability, threat and risk.
Software-defined and built
A software-defined vehicles’ (SDV) digital inventory, along with its supporting back-end infrastructure, is now as essential as traditional hardware components. World Economic Forum/Boston Consulting Group research estimates that SDVs will create over $650 billion in value for the auto industry by 2030, making up 15% to 20% of automotive value. OEM revenues from automotive software and electronics will triple between now and 2030, from $87 billion to $248 billion, according to its analysis of SDV growth.
As the software becomes increasingly key to the vehicle’s value, the supplier ecosystem to OEMs around it grows and becomes more complex - and is continually updated with OTA updates after the vehicle leaves the factory. Estimates point to software-defined vehicles soon producing up to 2 terabytes of data each day. And as the automotive industry handles an ever-increasing amount of data, it faces greater security risks than ever before.
New risks, at scale
Data is changing the economic and operational realities of the automotive sector. For hackers, it also means that ‘value’ no longer lies in the physical vehicle itself, or its contents. SDVs capture and share a wealth of highly valuable data on an individual’s preferences and personalisation. Exploiting this data at scale represents a lot of rewards with relatively low risk.
Along with this, the extended web of providers and suppliers of software, services and connectivity that SDVs depend on increases the potential attack surface and vectors available to exploit it. In a few years, the scale and impact of automotive cybersecurity incidents have dramatically shifted, from low-scale, isolated attacks to very large-scale, high-impact attacks.
Threat opportunity ‘sweet spot’
These reputational, operational, regulatory and financial risks aren’t just theoretical threats. In 2023 a group of security researchers uncovered a range of vulnerabilities in vehicles from 16 car makers - in hacks via telematics, APIs and related infrastructure. These ranged from being able to start/stop the engine and remotely lock/unlock the vehicle, to uncovering a vehicle’s location. They were also able to access various types of information within the impacted carmaker’s environment, including customer accounts and personally identifiable information including names, addresses, phone numbers, and email addresses.
Let’s look at five broad threat channels and the risks and rewards they present to the bad actors aligning with them.
Keyless theft and break-in -Entry or theft giving access to an individual vehicle, focused on bypassing vehicle security systems. Hacking keyless entry requires you to physically steal a car, change its identity or realise the value of its parts – both high-risk operations. This type of threat is very much the thin end of the wedge of automotive security threats in the age of software-defined vehicles, representing relatively low reward in proportion to the amount of effort and sophistication required for criminals.
Remote vehicle cyber-attacks – Potential remote attacks that change a vehicle’s operating behaviour. The most serious type of attacks could impact control and safety functions with the potential for actual physical harm or worse - with huge reputational and financial consequences. Although an eye-catching scenario, remotely controlling a vehicle requires a lot of effort and sophistication, making this for now a far less likely vector for threat in the immediate term.
Data intercept over cellular networks - 5G and a coming generation of cellular technologies are a cornerstone of delivering connected vehicle capabilities - and provide the backbone of Vehicle-to-Anything (V2X) connectivity. Linking vehicles, cloud, personal devices, IoT and more, the network connection itself is attractive to hackers. Attacks using this vector are highly complex but expected to become more widespread as cars become more sophisticated and interconnected.
Back-end telematics platform attacks - Attacks focused on the platforms that manage and deliver OTA updates and other services to customer vehicles, across millions of vehicles. This includes data covering millions of vehicles and the PII (Personal Identifiable Information) of their owners - and can be delivered remotely and may not be detected at the time of the breach. This data is a lucrative fuel for wider cybercrime, including identity theft.
Malware - Malicious software can be introduced through various means, including infected software updates, compromised apps, or connected devices. Once embedded, it can execute unauthorised actions ranging from data theft to disrupting vehicle operations. As vehicles become more software-dependent, the threat of malware becomes more pronounced, requiring robust cybersecurity measures to detect, prevent and mitigate these risks.
Security starts at the platform level
What does all this point to? Exploiting vulnerabilities in the back-end telematics platforms and OTA backend now represents the single greatest opportunity for hackers - and the greatest source of vulnerability to auto OEMs, their customers, and their supplier and service ecosystems.
We are working with many OEMs to prioritise data security at a platform and network level to protect their customers and data. This requires a robust ring-fencing approach which entails:
Adopting multi-layered security to defend the network, vehicle, and applications
Minimising and encrypting at-rest and in-transit data
Implementing multi-factor authentication (MFA) and role-based access control (RBAC)
Blocking both data and SMS vehicle-to-vehicle communication to reduce the attack vector
Conducting regular audits, testing, updates and patching to reduce vulnerabilities
Developing and maintaining an incident response plan to combat any breaches or incidents
Keeping pace with industry standards and compliance, including GDPR, CCPA, and region-specific regulation.
Older devices often depend on SMS for configuration, which poses significant security risks. Today, many providers offer users the ability to control SMS traffic within their networks. Implementing custom allow and block lists can help manage SMS communications to and from devices while blocking M2M connectivity by default on APNs can significantly reduce the risk of malware or malicious attacks spreading across a network.
As more vehicles become connected, this is vital for OEMs to protect their customers and ecosystems from evolving cyber threats. Without the necessary defences in place, the potential attack surface will widen, making it easy for hackers to exploit. As we have seen, these threats are no longer theoretical, but the right approach to data security means they do not have to become a reality.
