Cybersecurity threats to vehicles have been around since the first car with cloud-based features, such as real-time navigation and remote diagnostics, rolled off the assembly line and onto the street.
For more than a decade, vehicles have been turning into mobile computers, and with each new internal feature and each external device connected, the attack surface has grown. While innovations in technology and features have advanced exponentially, cybersecurity has lagged – until recently.
Tuanbo Guo, CEO of Vultara, described the “automotive cybersecurity world” as “chaotic” but said it has improved. He said manufacturers focused more on protecting the factories and less on the vehicles.
“Five years ago, it was easy to hack a car,” he explained. “Now, it’s more protected.”
Guo recognized the deficiencies in protection and founded Vultara, a Troy, Michigan-based cybersecurity firm specializing in the automotive field. Their products and services are not used in vehicles but strengthen a company’s cyberdefenses within the manufacturing facility with the mission to “secure the connected world by promoting the secure-by-design principle for cybersecurity in cross-functional product engineering teams. Risks should guide design decisions for products that transform our lives so that our physical world will not be threatened.”
Vultara helps automakers maintain effective cybersecurity through its software and consulting services designed to help navigate the myriad of technical hurdles and knowledge shortfalls. The company works within the factories, ensuring the processes of building vehicles are followed. Its software is a tool to help accomplish that objective.
“They already have requirements and regulations, but the problem at the site is that no one understands them,” Guo said. “We help them follow those mandates.”
One such regulation is UNECE WP29 R155, which stipulates the requirements for cybersecurity and cybersecurity management systems. The goal is to promote cooperation and sustainable development and create common terminology. The United States is not required to follow the regulations, but they are mandatory for all new vehicles produced and sold in the European Union.
Another set of guidelines is found in ISO/SAE 21434, which was developed by the International Organization for Standardization and SAE International. The standards are not required but offer a framework of best practices and processes for the automotive industry. Guo helped create the standards outlined in ISO/SAE 21434.
Cyberattacks encompass phishing scams, ransomware, malware, software piracy, and brute-force attacks, in which hackers continuously try different usernames, passwords, or encryptions to gain access to a system.
The number of ways a company can come under cyber threat can be intimidating, but the key, Guo said, is to deal with the “more feasible” or “easier to do” cyberattacks by looking at “the entire spectrum of cybersecurity threats and identifying the low-hanging fruit. Once a manufacturer can handle those, it’s a big start.”
Vultara’s protection of the production system includes:
- Security key handling – Generate symmetric or asymmetric secret keys, derive security keys according to your customer’s specifications, store keys in your production site securely, and inject keys securely into your electronics product.
- Certificate handling – Generate certificates, extract certificate signing requests, or register certificates according to your customer’s specifications.
- Secure communications – Build security channels with your products, with other servers, or throughout your supply chain. Establish your own global secure manufacturing system.
The company offers consulting services that assess threat levels and examine process development, gap analysis, TARA services, cybersecurity design, culture and training, and requirements.
AI’s increasing use in cybercrimes has not gone unnoticed by Vultara.
“AI has two edges,” Guo explained. “It can help the bad guys, but it can help the defenders in so many applications. AI filters online traffic between a car and the OEM (Original Equipment Manufacturer), and it can see what’s malicious.”
He said researching the likelihood of attacks requires a great deal of time, but AI reduces the labor needed to assess risks and predict the feasibility of an attack. Vultara currently uses AI in its cyber defense and plans to increase its use.
AI can aid hackers in stealing cars, turning back the mileage on odometers, and unlocking features that automakers charge the consumer for, costing the industry money.
“At the end of the day,” Guo said, “each car and each device has secrets. The goal is to protect those secrets and the interactions between the devices.”
Sidebar
Vehicle vulnerabilities
Vehicle cybersecurity has advanced greatly during the past five years, but automakers and owners must remain vigilant to prevent attacks. Attack surfaces that are vulnerable include:
- Sensor Spoofing: GPS Spoofing, LiDAR & Camera Manipulation
- Wireless Attacks: CAN Bus Exploits, Bluetooth & Wi-Fi Exploits, Cellular & Telematics Attacks
- Key Fob & RF Attacks: Relay Attacks (signal boosting to steal the fob’s signal), Rolling Code Attacks (intercepting older codes)
- Malware & Software Exploits: OTA (Over-the-Air) Update Exploits, Compromised Mobile Apps
- Physical Access Attacks: OBD-II Port Hacking, USB Exploits
