January 2024: Scalable Attacks on Connected Vehicles

When
January 10th, 2024 11:00 AM EST

Who
Ramiro Pareja Veredas, Principal Cybersecurity Consultant, IOActive & Yashin Mehaboobe, Senior Cybersecurity Consultant, Xebia

What
“Scalable Attacks on Connected Vehicles”

Description
For the last 10 years, the automotive industry has been involved in an electrification and automation process that is revolutionizing the way we drive. The fundamentals of this deep transformation are battery-powered engines, self-driving cars, and connected vehicles. These technological advances - especially vehicle connectivity - bring about many new cybersecurity challenges that need to be addressed in the coming years.

The goal of the work that we present here is to assess the current state of connected vehicle cybersecurity. Compared with other works already published, in which the researchers chose to attack a popular modern car, IOActive focused on other automotive components and systems that cybersecurity experts - and car designers - usually overlook, and which could be abused to launch scalable and massive attacks. We analyzed devices including telematics, OBD2 dongles, 5G modems, MQTT servers, and mobile apps, aiming to get a broader picture of the state of automotive cybersecurity and expanding on the existing view, which is limited to the vehicles themselves.

IOActive’s research identifies multiple vulnerability issues that can be exploited remotely to gain full control of an entire fleet of cars, heavy-duty trucks, and cranes. Although our work is limited to a few devices - not enough to draw an industry-wide conclusion - it indicates that these types of cybersecurity issues might be common and that the cybersecurity of connected automotive systems needs to be improved.
