More baked-in security required…
Connected cars are at risk of hijacking, eavesdropping and even DDoS attacks, Europe’s cybersecurity agency ENISA warned today, in a new report that lays out a series of potential threats to semi-autonomous vehicles — and which is designed to serve as a reference point for robust vehicle cybersecurity across Europe.
“Smart cars’ increased connectivity and automation expose them to several crucial cyber threats. Those threats may directly target smart cars or their surroundings such as RSUs, traffic signs/lights or even remote servers of the OEM or third-party service providers”, the Greece-based agency warned, detailing various measures to bolster the cybersecurity of increasingly cloud and network-connected vehicles.
These range from regular penetration testing, through the enforcement of session management policies to avoid session hijacking, to more specific measures such as code obfuscation techniques to hinder reverse engineering of smart car mobile applications: guidance that comes as part of a detailed new asset taxonomy.
Vehicle Cybersecurity: Beware RSU-Based Attacks
The automotive industry is undergoing a “paradigm change” towards connected and autonomous vehicles, the agency notes, saying that so-called smart cars already provide connected, added-value features in order to enhance car users’ experience or improve car safety: “With this increased connectivity (that the emergence of 5G is expected to further promote) novel cybersecurity risks and threats arise and need to be managed”.
Among the risks it raises are “Denial of Service attacks that may target (or originate from) RSUs” [Ed: road-side units: computing devices located on the roadside that provide connectivity support to passing vehicles or IT systems], ENISA warns in the report.
“An attacker may for instance shut down the RSU (via physical access or remotely), overload the system with messages to process or even jam radio communications, etc. In-vehicle components can also be the target of DoS attacks. For instance, overloading the CAN bus with malicious messages will alter the vehicle behaviour”, ENISA warns, in guidance that may sound familiar to security teams in any industry, with its suggestions of regular red teaming, including a security role within the product engineering team, and taking a “DevSecOps” approach.
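The CAN bus flooding ENISA describes works because CAN arbitration is priority-based: a node transmitting a low arbitration ID (0x000 being the lowest) wins every contention, so a node that spams such frames starves every legitimate ECU on the segment. The following is an added example, not code from the ENISA report or this article, of the kind of rate-based check an in-vehicle or bench-side monitor can apply to a CAN capture. It assumes candump-style log lines (`(timestamp) iface ID#DATA`), and the per-ID baseline rates and the sample log are constructed for the example; real vehicles have their own ID set and periods.

```python
"""Added example: rate-based CAN bus flood detection over candump-style lines.
Not from the ENISA report; the baseline rates and sample log are constructed."""
import re
from collections import defaultdict

# candump -l style line, e.g. "(1700000000.000100) can0 1A0#0011223344556677"
CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+(?:\.\d+)?)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def _to_us(ts_text):
    """Parse the textual timestamp to integer microseconds (no float rounding)."""
    sec, _, frac = ts_text.partition(".")
    return int(sec) * 1_000_000 + int((frac + "000000")[:6])


def parse_candump(lines):
    """Return a list of (timestamp_us, arbitration_id, payload_bytes) frames."""
    frames = []
    for line in lines:
        m = CANDUMP_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        frames.append((_to_us(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def peak_rates(frames, window_s=1.0):
    """Peak number of frames seen for each arbitration id in any sliding window."""
    window_us = int(window_s * 1_000_000)
    by_id = defaultdict(list)
    for ts, can_id, _ in frames:
        by_id[can_id].append(ts)
    peaks = {}
    for can_id, stamps in by_id.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] >= window_us:  # window is (ts - w, ts]
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[can_id] = best
    return peaks


def detect_flood(frames, baseline_hz, factor=5.0, window_s=1.0):
    """Alert on ids not in the baseline (unexpected on this bus) and on ids whose
    peak rate exceeds `factor` times their expected periodic rate."""
    alerts = []
    for can_id, peak in peak_rates(frames, window_s).items():
        expected = baseline_hz.get(can_id)
        if expected is None:
            alerts.append((can_id, peak, "unknown arbitration id on this bus"))
        elif peak > factor * expected * window_s:
            alerts.append((can_id, peak,
                           f"{peak} frames/{window_s}s exceeds {factor}x baseline of {expected} Hz"))
    return sorted(alerts)


def build_sample_log():
    """Constructed capture: two legitimate periodic ids (10 Hz and 20 Hz) for 2 s,
    followed by a 0.5 s burst of id 0x000 at 2 kHz, which wins every arbitration."""
    t0 = 1700000000.0
    lines = [f"({t0 + i * 0.1:.6f}) can0 1A0#{i:02X}00000000000000" for i in range(20)]
    lines += [f"({t0 + i * 0.05:.6f}) can0 2C4#{i:02X}00" for i in range(40)]
    lines += [f"({t0 + 2.0 + i * 0.0005:.6f}) can0 000#0000000000000000" for i in range(1000)]
    return lines


# Constructed baseline: expected frames per second per arbitration id.
BASELINE_HZ = {0x1A0: 10, 0x2C4: 20}

if __name__ == "__main__":
    for can_id, peak, reason in detect_flood(parse_candump(build_sample_log()), BASELINE_HZ):
        print(f"ALERT id=0x{can_id:03X} peak={peak}: {reason}")
```

The baseline table is the important design choice: on a real bus it should be learned from a known-good capture of the same vehicle (most broadcast IDs are strictly periodic), and the unknown-ID rule alone will catch the classic "spray ID 0x000" flood, since no sane ECU transmits that ID.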
Such warnings may appear speculative when easier attacks on vehicles are so much more widely available (i.e. a dropped brick), but the report is designed to get policy makers and industry baking in best practice across nine specific fields, including:
- Protection of Networks and Protocols
- Software Security
- Cloud Security
- Access Control
- Self-Protection and Cyber Resilience
- (Semi-) Autonomous Systems Self Protection and Cyber Resilience
- Continuity of Operations
AI and ML systems could even be fed false data and fooled into thinking a crash has occurred through the use of sounds, or a magnetic attack could target the odometric motion sensor data, disorientating the system. While on the lower end of plausibility, someone could mount a physical DoS attack, jamming the car’s sensors by overloading them with too many objects to track, or simply blind the camera.
ENISA notes that there have been experimental remote attacks “on autonomous cars’ cameras and Light Detection and Ranging (LiDAR) systems showing effective camera blinding, making real objects appear further than their actual locations or even creating fake objects.” The full report can be found here.