
Upstream: 2024 Global Automotive Cybersecurity Report (English edition) (138 pages).pdf


GLOBAL AUTOMOTIVE CYBERSECURITY REPORT 2024

The Automotive industry is rapidly expanding into a vast smart mobility ecosystem, introducing new levels of cyber sophistication and attack vectors.

The automotive cybersecurity inflection point: From experimental hacking to large-scale automotive attacks, the focus shifts to impact.

2024 Upstream Security Ltd. All Rights Reserved

TABLE OF CONTENTS

Opening letter from our CEO
Methodology
Executive summary
Chapter 1: The automotive cybersecurity inflection point
  Analyzing the potential scale of automotive cyber risks
  Threat actors' motivation has also shifted towards scale and massive impact
  The financial perspective: the rising cost of cyber attacks on the Automotive and Smart Mobility ecosystem
  The internal impact: the dynamic SBOM
  Spotlight: social media has become a breeding ground for automotive cyber activities
  The Automotive and Smart Mobility ecosystem is entering a new era of GenAI, democratizing attacks but also cyber defense
Chapter 2: Automotive cybersecurity trends
  Review of incidents
  Overview of 2023 CVEs
  The EV charging ecosystem is rapidly expanding
  Commercial fleets
  Smart mobility IoT devices & services
  Insurance
  Autonomous vehicles
  The impact of Right to Repair on agriculture vehicles
Chapter 3: 2023's diverse attack vectors
  Increasingly sophisticated attacks open the door for large-scale impact across the entire ecosystem
  Telematics and application servers
  Remote keyless entry systems
  ECUs
  APIs
  Mobile applications
  Infotainment systems
  EV charging infrastructure
  Bluetooth
  OTA updates
  V2X attacks
Chapter 4: The regulatory reality
  Generative AI is reshaping the Automotive and Smart Mobility ecosystem, but regulations are still evolving
  Cybersecurity regulations make headway worldwide
  The expansion of UNECE WP.29 R155 and ISO/SAE 21434
  The EU Cyber Resilience Act promotes extended cybersecurity resilience
  ISO 15118 secures vehicle-to-grid communications
  The SEC echoes the increasing focus on cybersecurity incidents
  NHTSA updates cybersecurity best practices
  EV charging infrastructure cybersecurity regulations continue to expand and deepen
  Vehicle data and privacy regulations are inevitable
Chapter 5: Threats from the deep and dark web
  What is the deep and dark web?
  Gray hats blurring the line between black hats and white hats
  What occurs in the deep and dark web?
  Ransomware actors increasingly target automotive suppliers
Chapter 6: Automotive cybersecurity solutions
  Protecting the vehicle during its entire lifecycle
  Security by design
  Multi-layered cybersecurity stack
  Developing an effective vSOC
  Automotive-specific threat intelligence offers a proactive approach to risk
  Upstream's cloud approach to automotive cybersecurity
  The Upstream Platform
  Upstream Managed vSOC
  Enhancing vSOC investigations with GenAI
  Upstream AutoThreat PRO Cyber Threat Intelligence
Chapter 7: Predictions for 2024
References

OPENING LETTER FROM OUR CEO

It is my pleasure to present you with the 2024 Global Automotive Cybersecurity Report.

Connectivity and software-defined architectures have been at the forefront of monumental changes in the Automotive and Smart Mobility ecosystem over the past several years, but as more functionality is being exposed, cybersecurity risks are growing dramatically. This report, which marks Upstream's sixth annual report, analyzes how Automotive and Mobility cybersecurity risks have evolved from experimental hacks to large-scale attacks, shifting the industry's focus to impact.

As predicted last year, automotive cybersecurity is reaching an inflection point. Cyber incidents have grown significantly in risk and impact, threatening safety and carrying operational implications. With threat actor motivation shifting towards large-scale impact on mobility assets, stakeholders across the ecosystem must also evaluate the potential financial implications of cybersecurity incidents.

Over the last year, the Automotive and Smart Mobility ecosystem adopted new standards and collaborated with regulators around the world on how to adapt future regulations to keep connected and software-defined assets secure. We've also been busy preparing for the upcoming second milestone of UNECE WP.29 R155, scheduled to take effect in July 2024, increasing its scope to all new vehicles.

2023 was the year of the GenAI revolution. GenAI is increasingly used by threat actors to introduce scale and new attack methods. But in the coming months and years GenAI will also transform automotive cybersecurity tools and workflows and introduce unprecedented efficiencies to vSOC teams.

This inflection point illustrates the progress that adversaries continue to make, and reaffirms our commitment as an industry to continually innovate and deliver secure automotive and smart mobility experiences. Upstream has led the effort to secure connected vehicles and mobility assets since 2017, when we first introduced the Upstream Platform, which proved to be a fundamental, innovative pillar in the automotive cybersecurity technology stack. We've been helping some of the world's leading Automotive and Smart Mobility organizations (OEMs, suppliers, mobility IoT vendors, fleets and mobility service providers) comply with cybersecurity regulations and protect millions of vehicles and mobility assets. With advanced cybersecurity tools and knowledge at our disposal, we are well-equipped to overcome the challenges in 2024 and ahead.

Best regards,
Yoav Levy
Co-Founder & CEO

METHODOLOGY

The Automotive industry relies on Upstream's continuously updated database of cybersecurity incidents. To compile this comprehensive report, Upstream researchers investigated over 1,468 incidents, some as early as 2010, and monitored hundreds of deep and dark web forums to compile this comprehensive, actionable report that will help you safely navigate the year ahead.

Upstream monitors and analyzes worldwide automotive cyber incidents to learn, understand, and help protect the entire Smart Mobility ecosystem from existing and emerging threats. Upstream's AutoThreat [1] cyber threat intelligence platform uses advanced technology and automation tools to constantly search all layers of the web for new cyber incidents in the automotive ecosystem and index them to the AutoThreat platform. Our researchers and analysts carefully categorize and analyze the data we collect to gain a deeper understanding of cyber threats, adversaries' motivation and activities, and their impact on mobility assets. Each incident and relevant contextual data (such as the attack's geolocation, impact, attack vector, company type, and required proximity of the attacker to its target) are added to the platform to create an accurate and actionable repository.

Incidents examined in this report were sourced from the media, academic research, bug bounty programs, verified social media accounts of government law enforcement agencies worldwide, the Common Vulnerabilities & Exposures database, as well as other publicly-available online sources. In addition to publicly reported cyber incidents, Upstream's analysts monitor the deep and dark web for threat actors that operate behind the scenes of automotive-focused cyber attacks. These incidents are discussed in a separate chapter of this report titled Threats from the Deep and Dark Web, and are excluded from statistics and charts in other chapters, unless indicated otherwise.

While every effort has been made to identify and analyze every reported automotive and smart mobility cyber incident, there may be additional attacks that have not been publicly reported, and therefore, have not been included in this report. Select details of the publicly reported incidents are available in the AutoThreat Intelligence Cyber Incident Repository. Additionally, a comprehensive analysis is available to AutoThreat PRO [2] customers.

EXECUTIVE SUMMARY

Connectivity is continuing to transform the Automotive and Smart Mobility ecosystem, increasing cybersecurity risks as more functionality is exposed. 2023 marked the beginning of a new era in automotive cybersecurity. Each attack carries greater significance today, and may have global financial and operational repercussions for various stakeholders. Upstream's 2024 Global Annual Cybersecurity Report examines how cybersecurity risks have evolved from experimental hacks into large-scale risks, focusing on safety and trust, operational availability, data privacy, and financial implications.

Key findings:
- In 2023, Automotive and Mobility cybersecurity witnessed a dramatic shift toward large-scale incidents.
- Threat actors' motivation has also shifted towards scale and massive impact.
- OEMs take a multifaceted approach to protecting connected and software-defined vehicles, as well as IoT/OT assets.
- 37% of deep and dark web cyber activities had the potential to impact multiple stakeholders, on a global scale.
- GenAI has the potential to transform automotive cybersecurity solutions and operations, enabling agile investigations, automating vSOC workflows, and even generating complex insights based on deep and dark web data and in-depth TARA.
- 95% of attacks were remote.
- 64% of attacks were executed by black hat actors.
- The proportion of incidents with a "High" or "Massive" impact dramatically doubled from 2022 to 2023, accounting for nearly 50% of all incidents.
- With frequent OTA updates, the SBOM is no longer static but rather constantly evolving, long after a vehicle leaves the factory, and risk profiles continuously change. The growing reliance on backend systems highlights the urgent need for OEMs to safeguard both the software components and sensitive data.
- 65% of deep and dark web cyber activities had the potential to impact thousands to millions of mobility assets.

PREDICTIONS FOR 2024

01. Generative AI will have a profound impact on automotive cybersecurity stakeholders, introducing new large-scale attack methods but also equipping stakeholders with advanced detection, investigation and mitigation capabilities.
02. The competitive advantage in the Automotive industry will continue to be driven by digital transformation, requiring stakeholders to secure APIs and expand vSOC coverage to monitor API-related threats.
03. Initial signs of regulatory fatigue, amid the maturity of UNECE WP.29 R155 and the abundance of new regulations emerging worldwide, mainly in China.
04. OEMs and Charging Point Operators (CPOs) continue to deepen cybersecurity risk assessments, and deploy cybersecurity solutions to protect strategic EV charging infrastructure.

01. THE AUTOMOTIVE CYBERSECURITY INFLECTION POINT
From experimental hacking to large-scale automotive attacks, the focus shifts to impact

2023 MARKS THE BEGINNING OF A NEW ERA IN AUTOMOTIVE CYBERSECURITY

Connectivity has been at the forefront of monumental changes in the Automotive and Smart Mobility ecosystem over the past several years, enabling over-the-air (OTA) updates, software-oriented architectures, advanced digital experience, and a wide array of value-added applications and services. In modern software-defined vehicles (SDVs), connectivity is used to improve and upgrade vehicles throughout their life cycle, generate revenue from a wide range of feature-on-demand services, and offer innovative data-driven customer experience, ultimately creating deeper and longer relationships with customers. In connected vehicles, OEMs use OTA updates to fix quality and usability issues, tune core functional capabilities, and patch cybersecurity vulnerabilities quickly and cost-effectively, reducing warranty costs and recalls.

But connectivity has also posed growing cybersecurity challenges for OEMs and their supply chains, with cyber attacks becoming more sophisticated, frequent, and severe. As the attack landscape changed over the last few years, and new attack methods emerged, the industry became acutely aware that any point of connectivity can be attacked. The first decade of automotive cybersecurity was marked by a rise in cyber incidents and attacks against OEMs and the ecosystem, continuously introducing new attack vectors and methods, even as OEMs invested in improving cybersecurity protections. According to Upstream's research, between 2019 and 2023, incidents disclosed in the clear web (media) have increased by over 50%, reaching 295 reported incidents in 2023. In 2023 alone, 95% of attacks were remote, and 64% of attacks were executed by black hat actors. [3]

Application programming interfaces (APIs) have been playing a key role in exposing vehicle functionality to drivers and enterprise applications, as well as delivering a data-driven experience. As more functionality has been exposed through APIs, cybersecurity risks have also increased dramatically, while at the same time, the cost of attacking and attack thresholds have decreased, opening the door for exponential growth in the scale and impact of attacks.

In this year's report, we chose to zoom in on the impact of automotive and mobility cybersecurity risks. We'll focus on both external impact, which is visible to the ecosystem, and internal impact, which refers to organizational efficiencies and processes. Both internal and external impacts are assessed by different stakeholders in different ways; in this report we'll offer a framework which can be customized for each stakeholder's strategic goals, target market, relevant mobility assets, etc. External impact can be objectively measured in two dimensions: scale and cost. We'll showcase how advanced connectivity and software-defined architectures continuously introduce new cybersecurity risks, attracting executives' attention across the entire ecosystem due to the potential impact on the safety of drivers, passengers and the integrity of data at massive scale, leading to astounding financial losses.

With social media becoming a major platform for consumers and professionals, threat actors are using social media to exchange knowledge with the potential to reach millions of people around the world in a matter of minutes. Based on its viral potential, social media has become one of the top distribution channels for malicious activities, both criminal and fraudulent, and should be considered when analyzing external impact and scale. As vehicles continue to evolve well after they leave the manufacturing floor based on continuous over-the-air updates (OTAs), we'll also discuss the internal impact of cybersecurity risks on internal processes and risk evaluations that drive automotive stakeholders to adopt new frameworks and remediation processes.

Analyzing the potential scale of automotive cyber risks

[Figure: from 1 vehicle in 2015 to millions of vehicles in 2023]

Automotive cybersecurity threats have evolved rapidly in a very short span of time. In 2015, Charlie Miller spent three years, from research to exploit, to hack the safety-critical in-vehicle network of a single vehicle. [4] In 2023, a team of security researchers spent a mere few months hacking over a dozen different car makers. The team hacked telematic systems, automotive APIs, and the infrastructure that supports them. They discovered numerous vulnerabilities that allowed them to remotely impact the command & control of vehicles and access sensitive OEM and consumer data. [5]

In 2023, automotive cybersecurity witnessed a dramatic shift toward large-scale incidents.

It's important to note that when analyzing scale, the focus is on potential impact. It is impossible to assess the exact impact of each incident based on publicly reported information. Upstream analyzed publicly disclosed automotive cybersecurity incidents between 2021 and 2023 according to the potential scale of impacted mobility assets, including vehicles, users, mobility devices and more. Upstream's analysis categorized incidents according to four levels of impact, starting from "Low", which includes incidents that have the potential to impact under 10 assets, up to "Massive", which includes incidents that have the potential to impact millions of mobility assets.

IN 2023 THE PROPORTION OF INCIDENTS WITH A "HIGH" OR "MASSIVE" IMPACT DRAMATICALLY DOUBLED TO NEARLY 50%

Breakdown of publicly disclosed cybersecurity incidents by potential scale, 2021-2023 (Source: Upstream Security)
Number of mobility assets potentially impacted: Massive = millions; High = thousands; Medium = up to 1,000; Low = up to 10
2021: Massive 1.2%, High 19.6%, Medium 36.7%, Low 42.5%
2022: Massive 1.5%, High 20.6%, Medium 37.5%, Low 40.4%
2023: Massive 5.4%, High 44.1%, Medium 35.9%, Low 14.6%
(x2.5 high- and massive-scale incidents)

During both 2021 and 2022, "High" or "Massive" (potential to impact thousands to millions of mobility assets) incidents accounted for approximately 20% of total incidents. But, in 2023, the proportion of incidents with a "High" or "Massive" impact dramatically doubled to nearly 50%. Overall,

the number of Medium-scale attacks, which have the potential to impact up to 1,000 vehicles and mobility assets, has remained constant over the last three years. But the number of low-scale attacks has gone down dramatically in 2023 due to the emergence of new attack vectors that enable hackers to gain control over many more vehicles and assets with lower thresholds of knowledge and resources.

To illustrate the operational disruption impact of cyber attacks on mobility service providers, consider an attack which occurred in September 2023. A leading US-based trucking and fleet management solutions provider experienced a ransomware attack that resulted in customers being unable to electronically log their on-road hours, as required by federal regulations, or track their transported inventory. [6] In response, the company hired external cybersecurity experts to investigate the attack and applied for a waiver from the US Federal Motor Carrier Safety Administration to allow truckers to use paper logs until service was restored. [7] Almost three weeks passed before the company was able to resolve the issue, causing serious operational disruption for thousands of truck drivers, fleet operators, and inventory management teams.

THREAT ACTORS' MOTIVATION HAS ALSO SHIFTED TOWARDS SCALE AND MASSIVE IMPACT

In addition to incidents disclosed in the media (clear web), it's critical to assess the impact of deep and dark cyber activities and the incentives driving threat actors. Based on Upstream's analysis of deep and dark web automotive cybersecurity activities, analyzing the 300 most active threat actors, nearly half of the activities (48%) were targeting more than one OEM or automotive supplier, and 37% had the potential to impact mobility assets across many stakeholders on a global scale. In 2023, nearly 65% of deep and dark web cyber activities had the potential to impact thousands to millions of mobility assets.

Breakdown of deep and dark web threat actor targets, 2023 (Source: Upstream Security)
Several OEMs/stakeholders 10.7%; Global 37.3%; Single OEM/stakeholder: remaining share

Breakdown of deep and dark web threat actor activities by scale, 2023 (Source: Upstream Security)
Massive 5.0%; High 59.7%; Medium 24.7%; Low 10.7%

When zooming in on black hat and fraud activities in the deep and dark web, the potential scale and areas of interest also indicate a rapidly growing risk. Currently, 67% of malicious activities (threat actors categorized as black hats and fraud operators) have a "High" or "Massive" impact (compared to 45% across all actors) and 58% of activities involve multiple OEMs or have a global reach (compared to 48% across all threat actors). When analyzing the areas of interest, the impact of black hats and fraud operators continues to deepen. 13% of activities are focused on vehicle manipulation tools, 12% of activities are focused on gaining access to sensitive data and PII, and nearly 50% are related to vulnerability exploits. [8]

Black hat and fraud operators' activities: areas of interest, 2023 (Source: Upstream Security)
Vulnerability exploits 49.5%; Diagnostic software 19.3%; Vehicle manipulation tools 12.6%; PII 11.9%; Car hacking manuals 6.7%

Black hat and fraud operators' activities: targets, 2023 (Source: Upstream Security)
Several OEMs/stakeholders 10.4%; Global 48.1%; Single OEM/stakeholder 41.5%

Black hat and fraud operators' activities by potential scale, 2023 (Source: Upstream Security)
Massive 8.1%; High 59.3%; Medium 23.7%; Low 8.9%

THE RISING COST OF CYBER ATTACKS ON THE AUTOMOTIVE AND SMART MOBILITY ECOSYSTEM

Automotive and Smart

Mobility cyber attacks have severe financial repercussions leading to recalls or OTAs, production shutdowns, ransomware payments, and vehicle thefts. Additional repercussions include data and privacy breaches, which can damage a brand's reputation and customer trust and can eventually lead to large regulatory fines and diminishing revenue. Given the shift toward large-scale cybersecurity incidents, with nearly 50% of incidents in 2023 impacting thousands to millions of mobility assets, [9] it's crucial for vehicle security operations center (vSOC) teams to analyze the financial impact of these incidents.

In June 2023, a leading Taiwan-based semiconductor manufacturer disclosed a cybersecurity incident involving a ransomware group and one of its IT hardware suppliers, which led to the leakage of information pertinent to initial setup and configuration of the system. [10] The attackers claimed to gain access to internal documents with confidential information, demanding a $70 million ransom to decrypt the data and prevent its release online, making it the largest known ransom demand in history. While the breach could affect multiple automotive stakeholders, the company reported that neither its business operations nor customer information were affected by the cyber incident at its supplier. The company also immediately terminated its data exchange with this supplier following the incident.

In November 2023, a large Australian automotive group with 12 dealerships and hundreds of employees was attacked by the same ransomware group, who stole more than 50 GB of sensitive customer and internal data. Over 91,000 files were stolen, including payroll information, lease agreements, payout information, service quotes, invoices, crash assistance forms, CRM data, registration paperwork, and employee driver and motor vehicle sales licenses. The stolen files were published at the end of November, after the ransom deadline had expired. [11]

IN JUNE 2023, A TIER-2 WAS HIT BY A $70 MILLION RANSOM DEMAND, THE LARGEST IN HISTORY.

Analyzing the financial impact of a cybersecurity incident

Trying to quantify the safety, privacy, and financial risks of automotive cybersecurity incidents is no small feat. The potential impact of automotive cyber threats is significant and can pose risks to the safety of drivers and passengers, disrupt business operations, compromise data privacy, and result in financial losses for OEMs as well as the entire supply chain. In the next two illustrations we will analyze two incidents that occurred in 2023 and suggest a financial impact model, based on publicly available information. The goal of this framework is to highlight the massive financial impact of cybersecurity risks. This analysis doesn't intend to be definitive, but rather a framework for estimating a range of potential financial risks.

Key Financial Implications of Automotive Cyber Threats (Impact / Description / Methods)

Vehicle Safety, Operations & Recall
  Description: Remote or local manipulations that can modify the normal behavior of a vehicle, endangering driver safety and leading to a recall. Cybersecurity vulnerabilities in a vehicle's software components may require manufacturers to issue recalls to update and resolve the issues, ensuring the safety and proper operation of the affected vehicles.
  Methods: API exploitation; remotely invoking commands; malicious software update; cybersecurity vulnerability

Data & Privacy Breaches
  Description: Disclosure of information such as customer PII, vehicle performance data, or any intellectual property (IP) data, compromising individuals or organizations.
  Methods: Data breach; data leakage; ransomware; injection attacks

Vehicle Theft & Break-Ins
  Description: Unauthorized entry or theft of a vehicle, often through the exploitation of vulnerabilities in the vehicle's security systems or remote services.
  Methods: Keyless entry/start engine attack; relay attack; signal jamming attack; API attacks

Service & Business Disruption
  Description: Impact on an organization's operations and ability to provide goods or services as a result of a cyber incident. This impact can range from partial system outages to complete shutdowns, leading to a loss of productivity, revenue, and customer trust.
  Methods: Production line shutdown due to ransomware on production systems

Legal & Regulatory Compliance Issues
  Description: Cyber threats that result in violations of laws, regulations, or industry standards.
  Methods: Lawsuits; penalties

Fraud
  Description: Deceptive actions by an individual or entity, carried out with malicious intent for personal or financial gain, such as identity theft, odometer tampering, and account hacking.
  Methods: Odometer tampering; mobile companion app (user) identity theft

Brand & Reputation Damage
  Description: A negative impact on financial valuation (market cap), trust, and perception from publicly reported cyber incidents, resulting in a damaged reputation.
  Methods: Widespread negative press coverage erodes consumer and investor trust

ILLUSTRATION #1: Financial impact of an EV fleet-wide vulnerability

In March 2023, a team of French security researchers participating in a hacking contest demonstrated an exploit that involved executing what is known as a time-of-check-to-time-of-use (TOCTTOU) attack on an EV OEM's gateway energy management system that allowed them to remotely perform actions (e.g., open the front trunk or door) while the car was in motion. [12] Despite the OEM's claims that this was not possible, the researchers claimed they could have remotely gained access to vehicle controls. The researchers were rewarded by the OEM with an EV and $100,000 in cash, and reported that the OEM is working on making software patches for the vulnerability and the updates should be pushed to cars soon.

Incident severity: High
Threat actor type: White hat
Incident impact: Potential fleet-wide implications
Fleet size: 3+ million electric vehicles

Impact / Description / Baseline / Financial impact:
1. Vehicle Safety, Operations & Recall / Aurora Labs cost per OTA update per vehicle by type. [13] / Estimations used to calculate the OTA cost: 5 large ECUs, 500 MB; 10 small ECUs, 0.42 MB; $0.39 for line-of-code update / $1,250,000-$2,000,000
2. Vehicle Safety, Operations & Recall / The cost of battery replacement for vehicles with permanent battery damage. [14] / 0.01%-0.05% of fleet impacted; $15,000 per vehicle / $5,250,000-$26,250,000
3. Legal & Regulatory Compliance Issues / Class-action lawsuit litigation and settlement costs for vehicles with temporary battery damage. [15] / 0.5%-1% of fleet impacted; $600 per plaintiff; $500,000 in legal fees / $11,000,000-$21,500,000
Total potential financial impact: $17,500,000-$49,750,000

ILLUSTRATION #2: Financial impact of an EV charging network data breach

In June 2023, a security researcher discovered an online database containing millions of logs (nearly a terabyte) of a global network of hundreds of thousands of electric vehicle charging stations. [14] The internal database, hosted on one of the most popular public cloud platforms, required no password to access it and contained sensitive data of customers who used the EV charging network. Data contained names, email addresses, phone numbers of fleet customers, names of fleet operators with vehicles that recharge using the network, vehicle identification numbers (VINs), and locations of EV public and private (e.g., residential) charging points.

Incident severity: High
Threat actor type: Black hat
Breach type: Unintended disclosure
Breach size: 1 TB of data with millions of records
Charging network scale estimation: Hundreds of thousands of charging stations in 30+ countries

Impact / Description / Baseline / Financial impact:
1. Data & Privacy Breach / IBM offers a detailed framework for cyber-based data breach cost estimations and a benchmark for the average cost of a mega-breach (more than 1 million compromised records) by number of records lost. [17] The cost analysis includes direct and indirect costs associated with data breach detection, escalation, notification, post-breach response, and lost business. / Average loss of $36,000,000 for data breaches that involve 1 million-10 million records / $30,000,000-$40,000,000
2. Legal & Regulatory Compliance Issues / GDPR Enforcement Tracker report average fines for transportation & energy sectors, and insufficient technical and organizational measures to ensure information security. [18] / Expected range based on average fines in the transportation sector (864,776) and insufficient measures (1,346,050) / $1,000,000-$2,000,000
Total potential financial impact: $31,000,000-$42,000,000

OEMS TAKE A MULTIFACETED APPROACH TO PROTECTING CONNECTED AND SOFTWARE-DEFINED VEHICLES, AS WELL AS IOT/OT ASSETS

In this era of high-impact cyber risks, OEMs have had to adopt new internal frameworks, shifting to a multifaceted approach to protecting connected and software-defined vehicles. Connected vehicle digital experience and data-driven features are made possible by connected components, remote control, and the APIs that support them. Continuous OTA updates enable OEMs to roll out new features and functionality, and patch bugs. The result is the emergence of the dynamic Software Bill of Materials (SBOM). As the SBOM continuously changes, it constantly requires risk and vulnerability analysis, directly impacting OEM and the supply chain cybersecurity frameworks and processes.
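The two financial illustrations above compute each row as a share of the fleet multiplied by a unit cost, plus any fixed amount, and then sum the rows into a low-to-high range. The following Python is an added example, not Upstream's model or tooling, that carries that arithmetic through with the report's own figures. The fleet size of 3,500,000 is an assumption (the report says only "3+ million") chosen because it reproduces the report's per-row ranges; the OTA, IBM and GDPR rows are entered as the report's stated ranges because the page does not show their arithmetic. The block also re-runs illustration #1 against a larger fleet, which the report does not do, to show how the scale dimension drives the cost dimension.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fleet size used for the worked numbers. The report only says "3+ million"
# electric vehicles; 3,500,000 is an assumption chosen because it reproduces
# the report's per-row ranges exactly.
ASSUMED_FLEET_SIZE = 3_500_000

Money = Tuple[int, int]  # (low, high) in whole US dollars


@dataclass(frozen=True)
class LineItem:
    """One row of the impact model.

    Either the cost scales with a share of the fleet (given in basis points,
    1 bp = 0.01%) times a unit cost plus a fixed amount, or the row is a
    fixed range taken from a published benchmark (range_override).
    """
    impact: str
    description: str
    share_low_bp: int = 0
    share_high_bp: int = 0
    unit_cost: int = 0        # per affected vehicle / plaintiff / record
    fixed_cost: int = 0       # flat amount regardless of share, e.g. legal fees
    range_override: Optional[Money] = None

    def cost_range(self, fleet_size: int) -> Money:
        if self.range_override is not None:
            return self.range_override
        # Integer arithmetic keeps the money exact; results are whole dollars.
        low = fleet_size * self.share_low_bp * self.unit_cost // 10_000 + self.fixed_cost
        high = fleet_size * self.share_high_bp * self.unit_cost // 10_000 + self.fixed_cost
        return (low, high)


def total_range(items: List[LineItem], fleet_size: int) -> Money:
    """Sum the low bounds and the high bounds across all rows."""
    ranges = [item.cost_range(fleet_size) for item in items]
    return (sum(r[0] for r in ranges), sum(r[1] for r in ranges))


def format_range(r: Money) -> str:
    return f"${r[0]:,}-${r[1]:,}"


def render(items: List[LineItem], fleet_size: int = ASSUMED_FLEET_SIZE) -> str:
    """Plain-text table in the same Impact / Description / Financial impact layout."""
    lines = [f"{i.impact} / {i.description} / {format_range(i.cost_range(fleet_size))}"
             for i in items]
    lines.append(f"Total potential financial impact: {format_range(total_range(items, fleet_size))}")
    return "\n".join(lines)


# Illustration #1: EV fleet-wide vulnerability, values as stated in the report.
ILLUSTRATION_1 = [
    LineItem("Vehicle Safety, Operations & Recall",
             "OTA patch rollout, Aurora Labs per-vehicle OTA cost",
             range_override=(1_250_000, 2_000_000)),
    LineItem("Vehicle Safety, Operations & Recall",
             "Battery replacement, permanent damage: 0.01%-0.05% of fleet, $15,000 per vehicle",
             share_low_bp=1, share_high_bp=5, unit_cost=15_000),
    LineItem("Legal & Regulatory Compliance Issues",
             "Class action, temporary damage: 0.5%-1% of fleet, $600 per plaintiff, $500,000 legal fees",
             share_low_bp=50, share_high_bp=100, unit_cost=600, fixed_cost=500_000),
]

# Illustration #2: EV charging network data breach, benchmark-derived rows only.
ILLUSTRATION_2 = [
    LineItem("Data & Privacy Breach",
             "IBM mega-breach benchmark, 1M-10M records",
             range_override=(30_000_000, 40_000_000)),
    LineItem("Legal & Regulatory Compliance Issues",
             "GDPR fines, transportation sector and insufficient measures",
             range_override=(1_000_000, 2_000_000)),
]


if __name__ == "__main__":
    print(render(ILLUSTRATION_1))
    print()
    print(render(ILLUSTRATION_2))
    print()
    # Sensitivity: the same assumptions applied to a 10-million-vehicle fleet.
    print(render(ILLUSTRATION_1, fleet_size=10_000_000))
```

Keeping shares in basis points and money in integers avoids floating-point drift when the model is extended to larger fleets or more rows; swapping `ASSUMED_FLEET_SIZE` or adding a `LineItem` is all that is needed to adapt the framework to another stakeholder's assets, as the report suggests.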

The internal impact: the dynamic SBOM

The convergence of technologies known collectively as ACES (Autonomous Driving, Connectivity, Electrification, and Shared Mobility) has forced stakeholders to move from the traditional hardware-defined architecture to a software-oriented architecture. The Automotive and Smart Mobility ecosystem acknowledges that connected and software-defined vehicles are the key to competitiveness, customer experience, operational efficiencies and future data-driven revenue streams. New research released by the World Economic Forum in collaboration with Boston Consulting Group (BCG) estimates that the emergence of SDVs will create over $650 billion in value for the auto industry by 2030, making up 15% to 20% of automotive value. OEM revenues from automotive software and electronics will grow nearly three-fold between now and 2030, from $87 billion to $248 billion, according to a BCG analysis of SDV growth. [19]

While connectivity and SDVs present significant benefits, they also present growing cybersecurity challenges for OEMs and the entire supply chain. The distinction between hardware and software product development has become blurred, as more in-vehicle components are enabled and managed by software-oriented architectures. The decoupling of the vehicle development process from a vehicle's hardware and software integration creates a very complex and decentralized supply chain with the OEM at the center of system integration.

OEM REVENUES FROM AUTOMOTIVE SOFTWARE AND ELECTRONICS WILL GROW NEARLY THREE-FOLD BETWEEN NOW AND 2030, FROM $87 BILLION TO $248 BILLION, ACCORDING TO A BCG ANALYSIS OF SDV GROWTH.

The Hardware Bill of Materials (HBOM) is a product development technical document that details the hardware components used to build a vehicle (such as ECUs, TCUs, infotainment systems, gauge clusters, CAN bus, and IoT controllers), each from different suppliers and supply chains with their own software and software supply chains. The SBOM is a dynamic software development technical document that details the software components, libraries, and dependencies that are installed on a hardware component and the vehicle. Together, the HBOM and SBOM provide a comprehensive view of the supply chains, facilitating transparency and traceability to address hardware and software vulnerabilities. With frequent OTA updates, the SBOM is no longer static but rather constantly evolving long after a vehicle leaves the factory, and risk profiles continuously change, but they can be remediated in real time as well. Furthermore, modern SDV HBOMs and SBOMs go beyond in-vehicle components to include charging points and networks, as well as 3rd-party applications for smart mobility, OEM services, telematics devices, and electric vehicle (EV) charging, adding even more complexity.

Recent regulatory efforts, including UNECE WP.29 R155 [20] and R156 [21], ISO/SAE 21434 [22], the US National Highway Traffic Administration (NHTSA) guidelines [23], and recent regulations in China [24], have mandated SBOM adoption in the Automotive industry. These regulations broaden the scope of SBOM to encompass not only OEM-developed software, but also Tier-1 and Tier-2 components and libraries, giving OEMs the ability to identify and manage software-related vulnerabilities and risks. The ability to manipulate software components and

113、 exploit vulnerabilities poses a significant threat to the cybersecurity posture of fleet-wide control systems.By exploiting SBOM-related vulnerabilities,attackers can gain unauthorized access to critical functions and control mechanisms across entire fleets of vehicles.Furthermore,the vast amounts

114、of data generated by software components,and stored in backend systems,presents an additional risk.Backend systems(e.g.,telematics servers)play a crucial role in delivering advanced connected vehicle functions and services,as well as collecting and managing huge amounts of sensitive data related to

115、vehicle state,location,usage patterns,and driver behavior.Attackers can tap into this data,which contains PII of millions of automotive users,without even needing to hack the actual vehicles themselves.The threat of cyber attacks on backend servers is particularly high because of the ability of mali

116、cious threat actors to impact entire fleets,both in terms of control and data access.23 2024 Upstream Security Ltd.All Rights ReservedThe growing reliance on these backend systems highlights the urgent need for OEMs to safeguard both the software components and the sensitive data stored in their bac

117、kend systems.An ever-changing SBOM makes it extremely challenging to manage Threat Analysis and Risk Assessment(TARA)for modern vehicles.As a part of the organizations broad Risk Management efforts,TARA is a specific framework which has been developed as an in-depth yet static process.But,TARA is ra

118、pidly evolving into a dynamic framework.The impact of this mindset shift is dramatic,as stakeholders must adopt new tooling and platforms,and ensure teams are properly trained.The internal impact expands with the need to add deep and dark web analysis into TARA frameworks.By integrating deep and dar

119、k web monitoring and real-time threat intelligence into the SBOM framework,OEMs can:Automotive threat intelligence is now a key element in product-driven TARA,enabling proactive risk identification,prioritization,and mitigation.A dynamic TARA framework with real-time threat intelligence based on an

120、expanded SBOM framework is essential for OEM software development teams to enable long-term risk mitigation.Proactively identify and address vulnerabilities in software and hardware components.Continuously assess and manage supply chain risks to ensure integrity and security of components used in ve

121、hicles.Rapidly detect cybersecurity risks and attacks,and provide effective response and mitigation.24 2024 Upstream Security Ltd.All Rights ReservedOPERATIONVERIFICATIONSystemTestingIntegrationTestingRequirementsGatheringSystemsRequirementsComponentRequirementsSoftwareRequirementsSUMSCSMSSecurityCo

Furthermore, the vSOC adds another important layer for effective TARA, integrating real-life detected risks into the continuous TARA feedback loop. This requires adopting an interactive framework for TARA, threat intelligence and vSOC analysts that will cooperate to ensure TARA is not only performed dynamically but also effectively. OEMs should also link SBOM vulnerabilities, based on the dynamic TARA analysis, to enterprise security orchestration, automation, and response (SOAR) platforms to ensure cross-organizational visibility, timely remediation, and long-term risk mitigation via focused R&D efforts.

External APIs pose a prime attack vector for massive-scale attacks

APIs are the engine that supports automotive digital transformation, and play a crucial role in securing connected vehicles. Cybersecurity risks increase as more apps are added to support connected vehicle experiences and enable data-driven features. Connected vehicles and smart mobility services rely on diverse APIs, resulting in billions of transactions every month. Everything from OEM mobile companion apps, third-party apps, infotainment systems, internal OEM and Tier-1 management systems, dealership systems, after-market mobility IoT devices, to EV charging management and billing apps relies heavily on APIs to achieve core functionalities. APIs also present significant and fleet-wide attack vectors and are susceptible to a wide range of cyber attacks, such as the theft of sensitive or personally identifiable information (PII), or malicious remote vehicle control.

In March 2023, a security researcher disclosed gaining access to a Japanese OEM's CRM database. The attacker modified the dev app to use the production API, which was unintentionally exposed through the loading spinner settings. This incident was a direct result of misconfigured APIs and a lack of proper authentication and verification. As a result, the researcher could access names, addresses, phone numbers, email addresses, tax IDs, and vehicle/service/ownership history of the OEM's customers.[25]

[Figure: API attack surfaces. Actors and assets shown: Fleets, OEMs, Manufacturing Facility, Mobile/Tablet Applications, Web Applications, ERP/CRM/Billing, Charging Stations, Internal Applications, APIs, Data APIs, Cloud Servers, Stored Data. Source: Upstream Security]

Smart mobility vendors, fleet operators, and mobility IoT devices are also threatened by API-based cyber risks that can result in large-scale operational disruption and sensitive data leakage. In June 2023, a popular ride-hailing service in Pakistan with over 10 million users was attacked when a third-party communication API was compromised. This led to customers receiving abusive messages and notifications.[26]
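The CRM incident above, a development client reaching a production API that lacked proper authentication, is the failure mode the following added Go example guards against; it is not code from the report or from any OEM. The hardened pattern has two parts: authentication is applied once, at the root of the router, so no route (including ones only a development build was meant to call) is reachable without a valid token; and the handler enforces object-level authorization, so a token issued for one customer cannot read another customer's record. Token values, customer IDs and the records are constructed test data, and the opaque-token table stands in for validation of signed tokens from an identity provider.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Principal is what a validated API token maps to.
type Principal struct {
	Subject string // customer id the token was issued for
	Role    string // "customer" or "dealer"
}

// Constructed token table: the production API accepts only these credentials. A real
// deployment would validate signed tokens issued by the identity provider instead.
var tokens = map[string]Principal{
	"tok-cust-1001": {Subject: "1001", Role: "customer"},
	"tok-cust-1002": {Subject: "1002", Role: "customer"},
}

// Constructed CRM records keyed by customer id (fake PII).
var customers = map[string]map[string]string{
	"1001": {"name": "Alice Example", "email": "alice@example.invalid", "vin": "VIN-EXAMPLE-1"},
	"1002": {"name": "Bob Example", "email": "bob@example.invalid", "vin": "VIN-EXAMPLE-2"},
}

type ctxKey struct{}

// requireAuth wraps the whole router, so every route, including ones only a dev build was
// meant to call, fails closed without a valid bearer token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		p, ok := tokens[tok]
		if tok == "" || !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, p)))
	})
}

// customerHandler serves /customers/{id} and enforces object-level authorization:
// a customer token may only read the record it was issued for.
func customerHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/customers/")
	p := r.Context().Value(ctxKey{}).(Principal) // set by requireAuth, which always runs first
	if p.Role != "dealer" && p.Subject != id {
		http.Error(w, "forbidden", http.StatusForbidden) // authenticated, but not for this object
		return
	}
	rec, ok := customers[id]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(rec)
}

// NewCRMServer builds the handler; the auth middleware is applied at the root on purpose,
// not per route, so a forgotten route cannot end up unauthenticated.
func NewCRMServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/customers/", customerHandler)
	return requireAuth(mux)
}

// Lookup performs one request against the server in-process and returns status and body.
func Lookup(h http.Handler, token, id string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/customers/"+id, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	h := NewCRMServer()
	for _, c := range []struct{ token, id string }{{"", "1001"}, {"tok-cust-1001", "1001"}, {"tok-cust-1001", "1002"}} {
		code, body := Lookup(h, c.token, c.id)
		fmt.Printf("token=%q id=%s -> %d %s\n", c.token, c.id, code, body)
	}
}
```

The three requests in main correspond to the three outcomes an API gateway should produce: no credential gives 401, a valid credential for the requested object gives the record, and a valid credential for a different object gives 403 rather than the record. The middle case is the one the incident lacked; the last case is the one most API data leaks exploit once authentication is in place.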

SPOTLIGHT: Social Media Has Become A Breeding Ground For Automotive Cyber Activities

Thanks to social media, auto enthusiasts and hackers can now easily share their automotive hacking discoveries with a global audience. The impact of social media on cybersecurity cannot be overstated. With its massive reach and influence, social media has become a breeding ground for cyber activities, often blurring the lines between pop culture and malicious intent. What was once hidden in the depths of the deep and dark web is now easily exposed and accessible to a wide audience.

In recent years, Facebook, TikTok, YouTube, and Instagram have become popular platforms for sharing automotive hacking tools and manuals, jailbreaks, and hacking demos, moving discussions on how to hack vehicles from the depths of the deep and dark web to the open internet. Some automotive hacking discoveries are created and shared by cybersecurity experts and white hat hackers with the intent to raise awareness and encourage addressing risks. Other automotive hacking ploys are created and shared over social media with malicious intent. Regardless of initial intent, information shared on social media may encourage additional threat actors, offering easy access to tools and jailbreaks. The viral nature of social media amplifies the speed and reach of exploits, leading to reputational damage, financial losses, and operational disruption, making it crucial for OEMs to stay vigilant and adopt robust cybersecurity strategies to mitigate the risks posed by this new frontier of cyber threats.

A prime example of this is the so-called "TikTok Challenge", which went viral in October 2022, leading to the nationwide theft of tens of thousands of vehicles manufactured by one Korean OEM. A year earlier, Milwaukee, Wisconsin, saw a significant increase in car thefts, mainly from one Korean OEM, with many of the suspected thieves being too young to drive. On social media, videos emerged showing young people joyriding in these cars, speeding and swerving, sometimes hanging out of windows. The aim of these thieves wasn't to strip and sell parts from cars, but rather to gain social media clout and views.[27] As videos showing how to steal the vehicles spread, thefts of the Korean OEM's vehicles spiked across the country the following year.[28] In January 2023, it was reported that two of America's largest auto insurers refused to write policies in certain cities for the affected vehicles, as they were found to be easy to steal.[29] In a February 2023 press release, NHTSA called out TikTok by name, stating that "a TikTok social media challenge has spread nationwide and has resulted in at least 14 reported crashes and eight fatalities,"[30] and advised consumers that the Korean OEM offered a free dealer-installed anti-theft software update that attempted to reduce the risk in over 8.3 million US vehicles.[31] In May 2023, the Korean OEM also agreed to pay up to $200 million to settle one class-action lawsuit, but it still faces lawsuits from insurers and cities, with more to follow, as thefts of the affected vehicles continue to rise.

Jailbreaking infotainment systems is also trending on social media. In September 2023, unauthorized firmware updates and custom software impacting various infotainment systems of EVs from multiple OEMs were offered for sale on Facebook by a high-profile automotive threat actor. The threat actor has a large Facebook community with 44,000 followers, indicating significant exposure of the products sold, and is also highly active on other social media platforms, such as YouTube, where he publishes services and tutorials on how to conduct unofficial USB firmware updates. In November 2023, a jailbreak that allowed unauthorized content to be installed within the head units of various OEMs was published on a popular Russian automotive social networking site, describing all the steps required for implementing the jailbreak and adding unauthorized apps to the head unit, including files for download.

As jailbreaks spread on social media platforms, the potential negative effects on vehicle cybersecurity posture, safety, consumer trust, and the Automotive industry's reputation increase. Jailbreak incidents can have multiple consequences:
- Jailbreaking infotainment head units can lead to stability and performance issues resulting in system failures, or compatibility problems with other features.
- Unauthorized vehicle software modification can introduce cybersecurity vulnerabilities, opening the door to hacking, which could result in theft, data breaches, or unauthorized control of the vehicle.
- Unofficial firmware updates may erode the value of official firmware updates provided by affected OEMs, making it harder to encourage customers to adopt official, tested firmware updates.
- Modifying the vehicle's firmware without authorization could void the warranty.

[Figure: Post on how to implement a head unit jailbreak on a popular Russian automotive social networking site. Source: Upstream Security]

Advanced vehicle hacking tools such as keyless repeaters, jammers, and OBD devices are also widely promoted on social media. In May 2023, a relay attack keyless repeater promising the ability to unlock and start vehicles manufactured between 2008 and 2023 from multiple OEMs was offered for sale on TikTok by a threat actor promoting a Polish automotive cybersecurity and hacking ecommerce website offering a wide selection of vehicle-hacking tools.[32] Relay attack keyless repeaters make it possible for malicious actors to gain unauthorized access to a vehicle and steal it without the physical key fob. Vehicle hacking tools are gaining widespread attention on social media platforms, adding immediate and severe consequences to an already massive spike in keyless vehicle theft incidents, increasing public fear and posing greater challenges for law enforcement.

[Figure: Screenshot of the seller's TikTok page.[33]]

Addressing the impact of cyber activities in social media requires a coordinated effort by the Automotive industry, regulators, and social media platforms to increase public awareness and ensure that automotive technology remains safe and secure.

THE AUTOMOTIVE AND SMART MOBILITY ECOSYSTEM IS ENTERING A NEW ERA OF GENERATIVE AI, DEMOCRATIZING ATTACKS BUT ALSO CYBER DEFENSE

The era of Generative AI (GenAI) is well underway in the Automotive industry, as OEMs rush to adopt GenAI capabilities to enhance customer experience and unleash the next wave of productivity. In 2023, a global OEM launched a ChatGPT-powered voice assistant to 900,000 beta testers using a private and secure instance of Microsoft's Azure OpenAI Service that does not share data back with OpenAI or the ChatGPT model.[34]

The GenAI revolution will have a profound impact on both automotive cybersecurity stakeholders and threat actors. GenAI is expected to become a critical tool for threat actors, enabling them to effectively perform large-scale attacks and reduce barriers to entry. By utilizing Large Language Models (LLMs), threat actors can quickly identify vulnerabilities and learn how to exploit them, standardizing their tactics, methods, and processes. APIs are specifically susceptible, since attackers can use GenAI to explore API documentation, which may be publicly available, accidentally self-disclosed, or leaked on the dark web. GenAI can be used to map endpoints, target APIs, and identify potential vulnerabilities, as well as provide step-by-step guidance on exploiting those vulnerabilities. LLMs can also be used to generate malicious code or scripts by assimilating information from public vulnerability databases and cybersecurity research.

Threat actors can use GenAI as a tool to carry out and automate complex phishing attacks, generate convincing fake content (social engineering), and create malware that can adapt and evade detection systems. This adaptability and efficiency allow for the execution of large-scale attacks that may bypass traditional cybersecurity measures. LLMs trained on cybersecurity threat intelligence data can be used to escalate offensive strategies and execute sophisticated attacks with automated processes and significant scale. By analyzing vulnerabilities and attack patterns, they can generate strains of malware that self-evolve, creating variations to attack a specific target with a unique technique, payload, and polymorphic code that's undetectable by existing security measures. For example, threat actors can use LLMs to automate the discovery of vulnerabilities, increasing efficiency and allowing them to shift resources to exploiting vulnerabilities rather than identifying them. GenAI also allows attackers to rapidly sift through vast amounts of data, identifying the most vulnerable targets. This approach not only speeds up the attack process but also increases its effectiveness, as AI models can pinpoint weaknesses that might be overlooked by human analysis. Additionally, GenAI can simulate various attack scenarios, helping attackers refine their strategies and improve their tactics. By using GenAI to simulate attack environments, cybersecurity faces an additional challenge, as it leads to more unpredictable and sophisticated attacks, increasing the difficulty of detecting these attacks. According to research by Bain & Company, mentions of GenAI on the dark web proliferated in 2023, increasing by several orders of magnitude.[35]

Automotive cybersecurity leaders must embrace GenAI's transformative capabilities

On the defensive side, GenAI has the potential to transform automotive cybersecurity solutions and operations, enabling a range of use cases, from agile investigations, to automating vSOC workflows, and even generating complex insights based on deep and dark web data and in-depth TARA. GenAI introduces unparalleled efficiencies, enabling cybersecurity teams to quickly analyze massive amounts of connected vehicle and mobility data across multiple sources, detect patterns, filter incident alerts, and automate investigations. According to a recent report by Gartner, by 2026, more than 80% of enterprises will be using generative AI APIs and models and/or will be deploying GenAI-enabled applications in production environments, up from less than 5% in 2023.[36] In 2023, Upstream launched its own GenAI-enabled application (alpha release) that helps automotive stakeholders transform the vSOC through improved investigations, automation, data insights, and detailed analytics. With today's vSOC absorbing massive amounts of data from multiple sources, GenAI helps draw insights by querying the data with simple NLP questions. Upstream's GenAI-powered solution continuously monitors trends, providing context and analysis of impact.

02 AUTOMOTIVE CYBERSECURITY TRENDS
Automotive and Smart Mobility stakeholders face new challenges as cybersecurity attacks grow in scale and impact

INCIDENTS

2023 saw an increase in the scale and impact of cybersecurity attacks, creating new challenges for the automotive and smart mobility industries. During 2023, Upstream's AutoThreat researchers analyzed 295 automotive and smart mobility cybersecurity incidents, an average of 25 incidents per month. The top incidents in 2023, in chronological order (the original is a month-by-month timeline graphic running from January to December):
- Researchers discovered critical vulnerabilities that allowed them to remotely control vehicles of major global OEMs and access sensitive consumer PII.[37]
- A head unit installed in several South Korean OEM vehicles was compromised.[38]
- Japanese OEM affected by data breach in its Global Supplier Preparation Information System.[39]
- Global OEMs released an emergency patch for an actively exploited vulnerability that triggered a sharp rise in car theft incidents.[40]
- New destructive car theft methods using CAN bus manipulation reported to be on the rise.[41]
- US OEM vehicles hacked within two minutes by researchers participating in a hacking contest.[42]
- Japanese OEM's Customer Relationship Management (CRM) system was hacked by a security researcher.[43]
- German, South Korean, and Japanese OEMs were targeted as part of a supply chain attack on a VoIP software vendor.[44]
- Researchers reported a critical CAN bus vulnerability that allowed proximate attackers to steal Japanese OEM vehicles.[45]
- Security researchers discovered critical vulnerabilities impacting a South Korean OEM's in-vehicle infotainment system.[46]
- Attack against a Japanese OEM exposed 10 years of customer data, including vehicle geolocation, in a data breach.[47]
- Swiss multinational automotive supplier hit by large-scale ransomware attack impacting business operations.[48]
- German automotive service provider hit by cyber attack, impacting accessibility to several systems.[49]
- A security researcher discovered multiple vulnerabilities in a popular network messaging protocol that enabled fleet-wide manipulation of telemetry data.[50]
- South Korean OEM's infotainment unit hacked despite security fixes.[51]
- A US EV charging station network suffered a major data breach that exposed sensitive company data and customer PII.[52]
- US EV charging company's chargers hacked to display unauthorized content and images.[53]
- Ransomware attacks disrupted Japanese port operations, impacting the availability of major Japanese OEM auto parts.[54]
- API vulnerabilities in a German OEM's website enabled malicious data exfiltration.[55]
- Security researchers jailbroke the infotainment system of a US-based EV OEM.[56]
- Security researchers discovered vulnerabilities in a popular mobility provider, enabling account hijacking and illegal financial transactions.[57]
- US EV OEM suffered data breach impacting over 75,000 employees.[58]
- US trucking and fleet management solutions provider experienced a ransomware attack that resulted in customers being unable to electronically log their on-road hours or track their transported inventory.[59]
- Mass transit company in Germany affected by cyber attack on service provider.[60]
- One of the UK's largest logistics groups declared insolvency following ransomware attack.[61]
- A large US moving and storage rental company experienced a cyber attack, resulting in alleged leakage of 13GB of employee and operational data.[62]
- Brazilian dealership of a German OEM was hit with a ransomware attack.[63]
- A major US auto parts distributor suffered a data breach affecting over 180,000 employees and clients.[64]
- Major Chinese automotive supplier for global OEMs impacted by ransomware attack.[65]
- A US state transportation department impacted by a cyberattack, resulting in significant disruptions to its services.[66]
- Researchers discovered a critical vulnerability in fleet management software affecting multiple vehicle fleets.[67]
- Japanese OEM impacted by a cyberattack in Australia and New Zealand, leading to a data breach posing risk to customer PII.[68]

MOST ATTACKS IN 2023 WERE CARRIED OUT BY BLACK HAT ACTORS

As technologies and cybersecurity measures advance, hackers have also evolved, and stakeholders must gain deep visibility into who is carrying out attacks. Hackers are classified as black hats, white hats, or gray hats depending on their intentions, actions, and malicious intent:

Black Hat: Black hat hackers attack systems for personal gain, financial gain, or for malicious purposes. Today's black hat hackers are no longer lone malware developers. They are part of well-organized and well-resourced operations, which employ thousands of cybercriminals worldwide, capable of coordinated simultaneous attacks against multiple companies. Most attacks in 2023 (64% of incidents) were carried out by black hat actors.

White Hat: In contrast, white hat hackers are often researchers without malicious intent who try to penetrate and manipulate systems to validate security or assess vulnerabilities. White hat hackers constantly find new and disturbing vulnerabilities. They operate independently, through companies leveraging their services, or as part of a bug bounty program, where they are rewarded for responsibly disclosing the vulnerabilities.

Gray Hat: Gray hat hackers are a subset of the general white hat attackers group, and present a dynamic landscape in which the lines blur between ethical and malicious activities. These hackers contribute both to discovering vulnerabilities and, in some cases, exploiting them. Gray hat hackers exhibit a spectrum of motivations, running from responsible disclosure to less altruistic motives such as financial reward or recognition. Their activities, carried out without explicit authorization, also often raise ethical and legal questions.

[Chart: Most attacks in 2023 were carried out by black hat actors: 64% black hat, 36% white hat. Source: Upstream Security]

There is a major difference between automotive black hat attacks and IT black hat attacks, regarding the consequences and impact of their actions. Automotive black hat attacks, which are closely aligned with cyber attacks on critical OT infrastructure, such as health, energy, and governmental facilities, result in not only disruption of services and financial losses, but also potential for safety hazards and loss of lives. In September 2023, a leading US-based trucking and fleet management solutions provider experienced a ransomware attack that resulted in customers being unable to electronically log their on-road hours, as required by federal regulations, or track their transported inventory.[69] In response, the company hired external cybersecurity experts to investigate and applied for a waiver from the US Federal Motor Carrier Safety Administration to allow truckers to use paper logs until service was restored.[70]

In June 2023, a Korean OEM's in-vehicle infotainment system was hacked after it issued a security update.[71] In a previous attack, the same hacker gained root access to the Linux-based system via the engineering menu and firmware image manipulation, enabling him to run custom applications. The OEM responded by releasing a new firmware image and removing the old firmware images. The OEM engineers also used a private key to sign firmware images, but didn't ensure the updater always verified the signature, which allowed the attacker to gain root access and install unsigned code again.[72]

In December 2023, researchers reported that a fleet management software vendor ignored a dangerous telematics gateway vulnerability that had been reported in April 2023. This vulnerability poses a significant risk, since hackers may be able to target the backend infrastructure to manipulate and shut down entire fleets, impacting tens of thousands of vehicles. It is unclear to what extent these gateways were used, but the vendor is tracking over 119,000 vehicles in over 49 countries. There have been no known exploits of the vulnerability.[73]

In response to OEMs' growing use of in-vehicle subscriptions for connected services and software-enabled features, gray hat hackers are constantly looking for ways to bypass security measures to install their own applications or gain free access to paid services. Moreover, the vulnerabilities they expose, and often discuss in forums on the deep and dark web, can be exploited by black hat actors.
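The infotainment case above (signed firmware images, but an updater that did not always verify the signature) is a control-flow defect rather than a cryptographic one, and the fix is to make verification unconditional. The following Go example, added here and not taken from the report or from the OEM, shows the anti-pattern beside a fail-closed updater, using Ed25519 from the Go standard library: the unsafe version decides whether to verify based on a header flag that whoever built the package controls, so an image that simply declares itself unsigned is installed unchecked; the safe version always verifies and additionally refuses downgrades, which is the property the OEM's withdrawal of old images was reaching for. The key pair, image bytes and package format are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware package: a small header, the image payload and a detached
// Ed25519 signature from the OEM release key over signedBytes(Version, Payload).
type Update struct {
	Version   uint32
	Signed    bool // header flag written by whoever built the package: attacker-controlled
	Payload   []byte
	Signature []byte
}

// signedBytes is the message actually signed: the version and a hash of the image, so the
// version number is covered by the signature and cannot be edited independently.
func signedBytes(version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, version)
	h := sha256.Sum256(payload)
	buf.Write(h[:])
	return buf.Bytes()
}

// Sign is what the OEM build pipeline does (constructed here so the example is self-contained).
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Signed: true, Payload: payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Updater holds the vehicle-side state: the OEM public key and the installed version.
type Updater struct {
	Pub       ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("signature verification failed")
	ErrRollback     = errors.New("update version not newer than installed version")
)

// ApplyUnsafe is the anti-pattern: verification is gated on a header flag the attacker
// controls, so an unsigned image with Signed=false is installed without any check.
func (u *Updater) ApplyUnsafe(up Update) error {
	if up.Signed && !ed25519.Verify(u.Pub, signedBytes(up.Version, up.Payload), up.Signature) {
		return ErrBadSignature
	}
	u.Installed = up.Version
	return nil
}

// Apply is the fail-closed form: the signature is always checked (a missing signature simply
// fails to verify), and the version must increase so that a previously signed but vulnerable
// image cannot be re-installed after the OEM withdraws it.
func (u *Updater) Apply(up Update) error {
	if !ed25519.Verify(u.Pub, signedBytes(up.Version, up.Payload), up.Signature) {
		return ErrBadSignature
	}
	if up.Version <= u.Installed {
		return ErrRollback
	}
	u.Installed = up.Version
	return nil
}

// Scenario generates an OEM key pair, a genuine update, an unsigned "custom firmware"
// package and a withdrawn older image, and reports what each updater does with them.
func Scenario() (unsafeAcceptedUnsigned, safeRejectedUnsigned, safeAcceptedGenuine, safeRejectedRollback bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Sign(priv, 2, []byte("constructed OEM image v2"))
	old := Sign(priv, 1, []byte("constructed OEM image v1"))
	custom := Update{Version: 3, Signed: false, Payload: []byte("constructed custom image")}

	a := &Updater{Pub: pub, Installed: 1}
	unsafeAcceptedUnsigned = a.ApplyUnsafe(custom) == nil && a.Installed == 3

	b := &Updater{Pub: pub, Installed: 1}
	safeRejectedUnsigned = errors.Is(b.Apply(custom), ErrBadSignature) && b.Installed == 1
	safeAcceptedGenuine = b.Apply(genuine) == nil && b.Installed == 2
	safeRejectedRollback = errors.Is(b.Apply(old), ErrRollback) && b.Installed == 2
	return
}

func main() {
	ua, sru, sag, srr := Scenario()
	fmt.Println("unsafe updater installed unsigned image:   ", ua)
	fmt.Println("fail-closed updater rejected unsigned image:", sru)
	fmt.Println("fail-closed updater accepted genuine image: ", sag)
	fmt.Println("fail-closed updater rejected rollback:      ", srr)
}
```

The difference between the two Apply methods is one `&&` clause: ApplyUnsafe only verifies when the package claims to be signed, so the check is effectively optional. On a real ECU the same shape of bug also appears as a debug or engineering-menu path that bypasses the signed-update flow, which is why the safe version has no branch that skips verification at all.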

[Chart: Nearly all 2023 incidents were remote: 95% remote versus 5% physical; of the remote incidents, 85% were long-range and 15% short-range. Source: Upstream Security]

NEARLY ALL ATTACKS CONTINUE TO BE EXECUTED REMOTELY

Most automotive cyber attacks can be divided into two main categories: remote attacks, which can be short-range (e.g., man-in-the-middle attack) or long-range (e.g., API-based attack), and physical attacks, which require a physical connection to the vehicle (e.g., OBD port). Remote attacks rely on network connectivity (e.g., Wi-Fi, Bluetooth, 3/4/5G networks), and have the potential to impact numerous vehicles simultaneously. Remote attacks have consistently outnumbered physical attacks since 2010, and they continue to grow, accounting for 89% of all attacks between 2010 and 2023, and 95% in 2023. The vast majority of remote attacks in 2023 were long-range attacks (85%). The percentage of long-range attacks has increased, rising from 70% in 2022, as a result of the adoption of connectivity and software-defined architectures.

ATTACKS ARE BECOMING MORE IMPACTFUL

The Automotive and Smart Mobility ecosystem is increasingly impacted by cyber attacks. Attacks on vehicles often compromise sensitive data, but can also have far-reaching consequences, including safety hazards, business disruption, vehicle theft, system manipulation, and fraud. Operational service and business disruption is continuously on the rise, accounting for 42% of incidents, up from 40% in 2022. We have also witnessed a dramatic increase in fraud-related incidents, accounting for 20% of 2023 incidents and up from 4% in 2022.

Impact categories used in this analysis:
- Service/Business disruption: Disruption to normal business operations, such as delays or halts in production, caused by a cyber attack (e.g. OEM or Tier-1 supplier ransomware attack, operational fleet disruption caused by a cyber attack on systems or devices).
- Data/Privacy breach: A data breach occurs when a threat actor gains unauthorized access to proprietary, confidential data, such as intellectual property (IP), trade secrets, financial information, or personally identifiable information (PII). Cybersecurity incidents involving data breaches are the most common and most expensive.
- Fraud: Illegal use of vehicle data and/or vehicle consumer data by threat actors for financial gain.
- Vehicle theft: Vehicle thefts involving long-range, short-range, and physical attacks by threat actors.
- Car system manipulation: Threat actor activities targeted at tampering with various in-vehicle systems, changing their expected operational behavior and potentially creating safety risks.
- Policy violation: Threat actors' actions that violate established rules, regulations, or policies regarding the use, operation, or management of vehicles.
- Location tracking: Illegal use of GPS navigation data to track a vehicle's location and movement without user or owner consent.
- Control of vehicle systems: Threat actors can take full or partial control of a vehicle from long distances by overriding its systems through connected components.

2023 impact breakdown, based on 295 automotive-related cyber incidents (Source: Upstream Security):

    Service/Business disruption    42%
    Data/Privacy breach            22%
    Fraud                          20%
    Vehicle theft                   5%
    Car systems manipulation        3%
    Policy violation                3%
    Location tracking               3%
    Control of vehicle systems      2%

CVES MUST BE CLOSELY MONITORED

The Common Vulnerability Scoring System (CVSS) was designed to provide an open and standardized method for rating CVEs. CVSS helps organizations prioritize and coordinate joint responses based on the vulnerability's base, temporal, and environmental properties.[74] Vulnerabilities are also graded as Critical, High, Medium, Low, or None, based on their CVSS score.[75]

In our analysis of CVEs, we focus only on CVEs that directly affect the Automotive and Smart Mobility ecosystem (OEMs, Tier-1s, shared mobility, mobility IoT devices, fleets, etc.). We exclude from this analysis CVEs that relate to generic IT hardware or open-source software components that may be used across the supply chain. The Automotive industry has recorded 725 specific CVEs since 2019; 378 CVEs were published in 2023, compared with 151 in 2022. The 150% increase in CVEs in 2023 can be attributed to the continued proliferation of connected components and the growing awareness of stakeholders to proactively identify vulnerabilities.

Security teams, developers, and researchers use CVSS together with several other methods to assess risks. CVSS scores have practical applications across the product's supply chain, such as determining whether vulnerabilities have already been exploited and prioritizing patching efforts, and allocating time and resources more efficiently. CVSS is also used by ISO/SAE 21434 as part of the standard's risk assessment process to determine attack feasibility. CVEs should also be closely monitored by fleet managers and operators. In addition to affecting risk assessments across the fleet, CVEs can also be considered when strategically designing the fleet composition.

[Chart: Number of automotive-related CVEs found in 2019-2023, by year. Source: Upstream Security]

215、202033202202337843 2024 Upstream Security Ltd.All Rights ReservedOVERVIEW OF 2023 CVESCVEs are acknowledged and cataloged cybersecurity risks that can be quickly referenced across the Automotive and Smart Mobility ecosystem.It is common to find these threats on OEM products,but they can a

OVERVIEW OF 2023 CVES

CVEs are acknowledged and cataloged cybersecurity risks that can be quickly referenced across the Automotive and Smart Mobility ecosystem. It is common to find these threats on OEM products, but they can also appear in the products of OEM supply chain companies. OEMs assemble vehicles from hundreds of software and hardware modules produced by Tier-1 and Tier-2 suppliers. Each component's quality and safety rests with the company that produces it. Consequently, each company involved in the supply chain has the responsibility to oversee and ensure the quality and safety of each automotive-related product. Because vulnerabilities are not always addressed on time, or even at all, a single flaw in a commonly used software module or component can impact millions of vehicles. Although CVEs disclose critical vulnerabilities, they can also be exploited by hackers.

Breakdown of publicly reported automotive-related vulnerabilities (2019-2023) by type of company affected (Source: Upstream Security):
OEM (vehicle manufacturer): 74 CVEs
Tier-1 (components supplier): 124 CVEs
Tier-2 (software and hardware providers, including chipsets for the Automotive industry, mobility management systems and aftermarket devices): 527 CVEs
(The three values sum to the 725 CVEs cited above; the pairing of values with categories follows the order in which they appear in the extracted chart.)

IN 2023, THE CVSS-SCORED VULNERABILITIES ANALYZED BY UPSTREAM'S ANALYSTS HAD:
34 critical vulnerabilities
266 high vulnerabilities
66 medium vulnerabilities
12 low vulnerabilities

Together with the sharp increase in automotive-related CVEs in 2023, we also witnessed a rise in severity. In 2023, critical and high vulnerabilities accounted for nearly 80% of total CVEs, up from 71% in 2022. This trend amplifies the importance of closely monitoring automotive-specific CVEs by all stakeholders and proactively detecting exploits, as well as prioritizing mitigation. (Source: Upstream Security)

THE IMPACT IS FELT ACROSS THE SMART MOBILITY ECOSYSTEM

A growing number of sectors that have expanded their digital footprints, such as EV charging, fleet management, and mobility sharing applications, face not only ransomware attacks but also attacks targeting infrastructure and public safety. Cyber attacks threaten every segment of the Automotive, Smart Mobility, and Mobility-as-a-Service (MaaS) ecosystem.

Segments affected (Source: Upstream Security): OEMs; Tier-1s; Tier-2s; Electric Vehicles; EV Charging Infrastructure/Local Grids; Autonomous Vehicles; Agriculture Equipment; Mobility IoT; TSP/Fleet Management; Car Dealerships; Car, Commercial, and Delivery Fleets; Public Transportation; Government Fleets/Emergency Services; Car and Bike Sharing; Car Rental; Ride Sharing and Hailing; Smart Cities; Insurance.

OEMS AND SUPPLIERS SHARE RESPONSIBILITY

Besides costly recalls, brand damage, and loss of data, cyber attacks against OEMs and their component suppliers have led to production shutdowns. In June 2023, a US-based Tier-1 supplier of high-performance alloys for the Automotive industry began experiencing a network outage indicative of a cybersecurity incident.[76] For the next 11 days, many aspects of the company's production were substantially disrupted, including administrative, sales, financial, and customer service functions. The company reported that the lost production time impacted net revenues by roughly $18-20 million, and diluted earnings per share by approximately $0.40-$0.45.[77]

As OEMs rely heavily on suppliers, the risk of cyber attacks is compounded. A hacker can exploit a vulnerability in a Tier-1 or Tier-2 component supplier to gain direct access to the vehicle itself. In August 2023, a Dutch Tier-1 supplier of electromagnets was hit by a ransomware attack in which the ransomware group gained unauthorized access to the company's business systems, disrupting its development and sales departments. The ransomware group is known for deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. In response, the company hired leading third-party cybersecurity experts and activated its response protocol, including its business continuity plan.[78]

The EV charging ecosystem is rapidly expanding

Concerns over grid cybersecurity and charging infrastructure increase as the number of EVs grows. The fast adoption of EVs has resulted in the relatively rapid development and deployment of charging infrastructure, often overlooking cybersecurity best practices and vulnerabilities. Chargers are vulnerable to physical and remote manipulation that can alter their functionality and expose EV users to fraud, data breaches, and even ransom attacks. There are also emerging threats associated with various charging attack vectors, including vehicle-to-charging network, grid-to-vehicle, and grid-to-fleet.

In January 2023, a security researcher exploited a popular screen sharing program to gain access to the underlying Operating System (OS) of a new 350-kW charger from a US EV charging company. The researcher could access the OS menu, open the web browser, and navigate to a competitor's website while the charger app remained running in the background.[79] An earlier incident occurred in which another hacker gained access to the charger's critical settings and could view functions such as overheat protection.[80]

In July 2023, security researchers published a detailed report highlighting three critical vulnerabilities found in the API interfaces of a Charging Station Management System (CSMS) of a Switzerland-based provider, allowing adversaries to access files uploaded by other users, bypass the required provisioning PIN code (authentication), and hijack a charger's OCPP connection.[81] The researchers demonstrated attack vectors that expose drivers' data and impact service availability of the vendor's provisioning process, management, and operations of charging stations.[82]

In May 2023, security researchers reported a vulnerability, known as CVE-2023-29857,[83] in a popular third-party application used by owners of vehicles from a US EV OEM. The vulnerability allows attackers to obtain sensitive information by directly accessing the application link.[84]

Commercial fleets

As commercial fleet operators, such as car rental, logistics, and delivery companies, increasingly rely on connectivity and software for vehicle management, their cybersecurity risks multiply. In September 2023, a leading US-based trucking and fleet management solutions provider experienced a ransomware attack that resulted in customers being unable to electronically log their on-road hours, as required by federal regulations, or track their transported inventory.[85] In response, the company hired external cybersecurity experts to investigate and applied for a waiver from the US Federal Motor Carrier Safety Administration to allow truckers to use paper logs until service was restored.[86]

Smart mobility IoT devices & services

As smart mobility IoT devices and services continue to grow in popularity and use, they represent high-risk targets within the Smart Mobility ecosystem. These services and devices hold sensitive PII and payment data from thousands of unique users. In July 2023, a cyberattack targeted the servers of a Polish city's Transport Authority, halting smart transportation systems. The attack impacted the city's public transportation ticketing system, traffic lights management, and electronic information boards at public transportation stops, causing city-wide traffic jams.[87]

Insurance

Insurance companies are realizing that the cyber-threat landscape directly impacts premiums on connected vehicles. Insurers can leverage connected vehicle data to determine which locations, vehicle types, and components are usually more prone to cyber attacks, and calculate insurance premiums accordingly. New behavior-based insurance models leverage aftermarket devices to share telematics with insurers to reduce premiums and insurance costs. However, threat actors can exploit vulnerabilities in these devices and manipulate data or communications to hack insurance companies' IT networks. Insurers and their telematics suppliers must work together to ensure that their telematics infrastructure is secure.

Autonomous vehicles

Autonomous vehicle (AV) innovations are introduced at a rapid pace by many stakeholders, including OEMs, smart mobility and ride-sharing services providers, and large technology enterprises. Other manufacturers are not far behind. Autonomous fleets are gaining momentum, delivering unprecedented efficiencies and customer experiences, but not without safety concerns and public distrust. In October 2023, California ordered a US OEM's AV unit to remove its driverless cars from state roads, after a pedestrian in San Francisco was struck by a human-driven vehicle and then run over by a robotaxi.[88] In November 2023, the same OEM recalled its entire US fleet of 950 driverless cars, but is currently planning a slow return to service as it works to overcome safety concerns and a lack of public trust.[89] Despite this, other AV companies are forging ahead with their own deployments and trials, acknowledging the above problems as the result of scaling too quickly before the technology was ready.[90]

On the technical side, new sensor types, software and hardware functionalities, services, and communication types expose potential vulnerabilities, increasing the likelihood of a future attack. Autonomous vehicles are equipped with and rely upon navigation sensors (e.g., GPS, LIDAR, cameras, millimeter wave radar, IMU) that receive data and directions from multiple sources, including the internet and satellites. It is therefore possible for attackers to prevent a sensor from retrieving useful data, cause it to retrieve incorrect data, or manipulate the sensor's function through crafted data.[97]

This was demonstrated by the many announcements made in 2023:

In July 2023, Waymo's co-CEOs announced that, given the tremendous momentum and substantial commercial opportunity they're seeing on the ride-hailing front, they've made the decision to focus efforts and investment in ride-hailing, pushing back the timeline on technical, commercial, and operational efforts on trucking.[91]

In August 2023, Axios reported on several autonomous trucking companies that are conducting testing in the Dallas-Fort Worth area, including Aurora, Gatik, Torc Robotics, and Kodiak Robotics, which expect to deploy driverless trucks in the next couple of years.[92]

In October 2023, Waymo announced a partnership with Uber to offer a fully autonomous, all-electric Waymo ride in the 225+ square miles of Metro Phoenix where Waymo currently operates.[93]

In November 2023, May Mobility, which is backed by Toyota and BMW, announced a new funding round of $105 million to expand its on-demand driverless transit shuttles in a handful of cities in Arizona, Michigan, Minnesota, and Texas.[94]

In November 2023, Motional, an AV developer, and Hyundai announced plans to jointly build IONIQ 5 robotaxis in Singapore for deployment in Las Vegas and other US cities in 2024.[95]

In December 2023, Japan decided to assign an exclusive bandwidth for Level 4 self-driving vehicles.[96]

The impact of Right to Repair on agriculture vehicles

Conflicts over the US Right to Repair of agricultural vehicles continued to make big headlines in 2023.

Agriculture vehicle owners, in particular, have turned to tractor hacking to bypass restrictions put in place by equipment manufacturers to prevent them from doing their own repairs, and to avoid digital lockouts on modern rigs. Some farmers are circumventing OEM restrictions by installing pirated firmware, which may leave them exposed to malware, spyware, or ransomware. Additionally, farmers looking to self-repair their equipment without turning to authorized dealers may turn to online forums where they discuss software bugs, how to manipulate their vehicle systems, and swap code and data. Using unauthorized software and hacking equipment for self-repair can result in unintended installation of malware, spyware, or ransomware and invalidate manufacturer warranties.

In response to the right to repair movement, several bills have been introduced across the US. Their goal is to require equipment manufacturers to provide software, codes, and tools to farmers and independent technicians so they can repair equipment themselves. In April 2023, Colorado became the first state to pass a right to repair law for farmers, which will go into effect at the start of 2024.[98] In June 2023, the American Farm Bureau Federation (AFBF) signed a memorandum of understanding (MOU) with CLAAS of America, providing even more farmers and ranchers with the right to repair their own farm equipment.[99] In 2023, AFBF entered into similar MOUs with John Deere, CNH Industrial Brands (which includes Case IH and New Holland), AGCO, and Kubota. In total, the five MOUs cover almost three-quarters of the agricultural machinery sold in the US. In November 2023, a US judge rejected Deere's efforts to dismiss consolidated lawsuits and said Deere must face claims from crop farms and farmers that the agricultural machinery maker has unlawfully conspired to restrict services for maintenance and repair.[100]

Regulators worldwide are shifting focus to the growing cyber risks caused by the Right to Repair Act before they reach a "tipping point". In June 2023, NHTSA notified dozens of OEMs about safety concerns arising from the Massachusetts Right to Repair Act.[101] The NHTSA reiterated that manufacturers must comply with all federal safety requirements. These recent developments and clear indications by NHTSA serve as important guidelines for OEMs and provide a path for future resolution of this conflict.

03 2023'S DIVERSE ATTACK VECTORS

Smart Mobility and Automotive stakeholders must be aware of emerging threats and the impact they pose on cyber resilience.

INCREASINGLY SOPHISTICATED ATTACKS OPEN THE DOOR FOR LARGE-SCALE IMPACT ACROSS THE ENTIRE ECOSYSTEM

In 2023, cyber attacks became more sophisticated and frequent, targeting various vehicle systems and components, as well as smart mobility platforms, IoT devices and applications. New attack methods have made the industry acutely aware that any point of connectivity is vulnerable to attacks. The attack landscape has driven the continued proliferation of the two new attack vectors that emerged back in 2022, which are the core of the smart mobility ecosystem: APIs for mobility applications and services, and EV charging infrastructure, which is expected to replace ICE fueling infrastructure in the next decade. As a reminder, API-based attacks showed a dramatic increase in 2022, accounting for 12% of total incidents and demonstrating a staggering 380% growth. Moving forward, we expect API-based attacks to gradually expand as various threat actors leverage API vulnerabilities for large-scale attacks. Indeed, in 2023 APIs accounted for 13% of total incidents.

In 2023, the Automotive and Smart Mobility ecosystem experienced a sharp increase in incidents targeting backend servers (telematics, applications, etc.) as well as infotainment systems. Server-related incidents grew from 35% in 2022 to 43% in 2023; infotainment-related incidents nearly doubled, increasing from 8% in 2022 to 15% in 2023. This trend is directly related to the growing awareness and visibility into connected components (servers, infotainment systems). It is also a result of the established maturity of the automotive cybersecurity landscape and the attempt of threat actors to gain access to sensitive data and potentially vehicle control across a large scale of mobility assets.

Incidents by attack vector, 2023 (Source: Upstream Security):
Telematics and application servers: 43%
Infotainment system: 15%
API: 13%
ECUs (including TCU, GW, etc.): 9%
Remote keyless entry system: 7%
EV charging: 4%
Database: 3%
GPS/GNSS navigation system: 2%
Mobile applications: 2%
Bluetooth: 1%
CAN bus: 1%
(The chart also carries a second, partial series of values, 35%, 14%, 6%, 4% and 3%, that cannot be matched to labels in this copy.)

A series of vulnerabilities, collectively known as CVE-2023-3028,[103] were identified:

- The MQTT backend does not require authentication, allowing unauthorized connections from an attacker. Vehicles publish their telemetry data (e.g., GPS location, speed, odometer, fuel, etc.) as messages in public topics. The backend also sends commands to the vehicles as MQTT posts in public topics. As a result, an attacker can access the confidential data of the entire fleet.
- MQTT messages sent by the vehicles or the backend are not encrypted or authenticated. An attacker can create and post messages to impersonate a vehicle or the backend. The attacker could then, for example, send incorrect information to the backend about the vehicle's location.
- Backend servers can inject data into a vehicle's CAN bus by sending a specific MQTT message on a public topic. Because these messages are not authenticated or encrypted, an attacker could impersonate the backend, create a fake message, and inject CAN data into any vehicle managed by the backend.

TELEMATICS AND APPLICATION SERVERS

Throughout a vehicle's life, connected vehicles collect, transmit, and receive information from OEM backend servers and vehicle owners. This is accomplished by using two types of servers: telematics servers, which communicate with the vehicle, and application servers, which communicate with the vehicle's companion applications. Additionally, some vehicles have backend servers that communicate with third parties, such as insurance companies, fleets, car rental and leasing companies, EV charging networks, and more. By exploiting vulnerabilities in backend servers, a black hat actor could attack vehicles while they are on the road.

In June 2023, a security researcher from the Automotive Security Research Group (ASRG) discovered multiple vulnerabilities in MQTT, a widely adopted network messaging protocol used in connected vehicles, that allow an attacker to access and even manipulate the telemetry data of the entire fleet of vehicles using a popular telematics unit.[102]
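The three weaknesses listed for CVE-2023-3028 (no broker authentication, no message authentication, and backend CAN-injection commands on public topics) share one root cause: the receiver has no way to tell who produced a message or whether it has seen it before. As an added example, not code from the report, the ASRG researcher, or any telematics vendor, the following Python shows one mitigation at the message layer: every telemetry or command message carries an HMAC computed with a per-vehicle, per-direction key over the whole envelope, and the receiver also enforces freshness and rejects repeats. The VIN, keys and payloads are constructed for the example; the verifier would run in the backend for telemetry and in the telematics unit for commands, and it applies regardless of whether the broker itself authenticates clients.

```python
"""Authenticated fleet messaging over an untrusted MQTT broker (added example)."""
import hashlib
import hmac
import json
import os
import time

TELEMETRY = "telemetry"  # vehicle -> backend
COMMAND = "command"      # backend -> vehicle


def canonical_bytes(message):
    """Serialize every field except the tag in a fixed order so both sides MAC identical bytes."""
    body = {k: v for k, v in message.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key, direction, vin, payload, ts=None, nonce=None):
    """Build a message envelope and tag it with HMAC-SHA256 under the sender's key."""
    message = {
        "dir": direction,
        "vin": vin,
        "ts": int(time.time() if ts is None else ts),
        "nonce": nonce if nonce is not None else os.urandom(8).hex(),
        "payload": payload,
    }
    message["tag"] = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return message


class MessageVerifier:
    """Accepts a message only if it carries a valid tag under the key for
    (vin, direction), is fresh, and has not been seen before."""

    FIELDS = ("dir", "vin", "ts", "nonce", "payload", "tag")

    def __init__(self, keys, max_skew_s=30):
        self.keys = keys            # {(vin, direction): key}; constructed for the example
        self.max_skew_s = max_skew_s
        self.seen = {}              # (vin, direction, nonce) -> ts; pruned as entries age out

    def verify(self, message, now=None):
        now = time.time() if now is None else now
        for field in self.FIELDS:
            if field not in message:
                return False, "missing field " + field
        key = self.keys.get((message["vin"], message["dir"]))
        if key is None:
            return False, "unknown vehicle or direction"
        expected = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "bad tag"
        if abs(now - message["ts"]) > self.max_skew_s:
            return False, "stale message"
        # Anything older than the skew window is already rejected as stale, so
        # only nonces inside the window need to be remembered.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew_s}
        replay_key = (message["vin"], message["dir"], message["nonce"])
        if replay_key in self.seen:
            return False, "replay"
        self.seen[replay_key] = message["ts"]
        return True, "ok"


def demo():
    """Constructed scenarios mirroring the CVE-2023-3028 findings; returns each verdict."""
    vin = "VINEXAMPLE0000001"                      # constructed identifier
    keys = {(vin, TELEMETRY): os.urandom(32), (vin, COMMAND): os.urandom(32)}
    verifier = MessageVerifier(keys)
    now = 1_700_000_000
    results = {}
    telemetry = sign_message(keys[(vin, TELEMETRY)], TELEMETRY, vin,
                             {"speed_kph": 52, "lat": 32.1, "lon": 34.8}, ts=now, nonce="n1")
    results["genuine telemetry"] = verifier.verify(telemetry, now=now + 1)
    results["replayed telemetry"] = verifier.verify(telemetry, now=now + 2)
    # Impersonation attempt without the backend key: tag cannot verify
    forged = sign_message(b"attacker-has-no-key", COMMAND, vin, {"cmd": "locate"}, ts=now, nonce="n2")
    results["forged command"] = verifier.verify(forged, now=now)
    # Captured telemetry re-posted as a command: direction is inside the MAC
    relabelled = dict(telemetry, dir=COMMAND)
    results["relabelled telemetry"] = verifier.verify(relabelled, now=now)
    old = sign_message(keys[(vin, COMMAND)], COMMAND, vin, {"cmd": "locate"}, ts=now - 600, nonce="n3")
    results["stale command"] = verifier.verify(old, now=now)
    genuine = sign_message(keys[(vin, COMMAND)], COMMAND, vin, {"cmd": "locate"}, ts=now, nonce="n4")
    results["genuine command"] = verifier.verify(genuine, now=now)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Separate keys per direction mean a compromised vehicle can forge nothing but its own telemetry, and a compromised per-vehicle command key affects only that vehicle; TLS to the broker would add confidentiality on the wire, which the HMAC alone does not provide.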

REMOTE KEYLESS ENTRY SYSTEMS

Modern vehicles are protected against theft by using remote keyless entry systems that include smart key fobs with very strong cryptography and immobilizers. But remote keyless entry systems may accomplish the opposite, as vehicle theft and vehicle break-ins continue to increase. Wireless key fob manipulation is used by black hat actors to carry out their attacks freely. Publicly available hacking tutorials and devices sold online without registration have made these attacks popular.

Whenever a wireless key fob, which is equipped with a short-range radio transmitter, is within close proximity to the vehicle, it transmits a coded radio signal to the receiver unit. Communication between the fob and vehicle can be manipulated using devices that can intercept and relay, replay, or jam the radio signal altogether.

The communication between the key fob mechanism and the vehicle can be attacked in a few different ways:

Relay attacks using a "live" signal: In relay attacks, hackers intercept the normal communication between the key fob and the vehicle, even when the key fob's signal is out of range. Hackers can amplify the radio signal using a transmitter or repeater that is placed near the car, which amplifies and relays a message to unlock and start the vehicle's engine. Thieves increasingly use this type of attack to intercept the signal from a key fob located inside a vehicle owner's house.

Replay attacks using a stored signal: In another type of relay attack, hackers intercept messages sent between the key fob and the vehicle and store them for later use. After obtaining the relevant message, the hacker can unlock the car's doors or start its engine whenever they want.

Reprogramming key fobs: A more sophisticated and expensive device can be used to reprogram the key fob system, rendering the original key useless. The reprogramming device, which connects to the OBD port and makes it relatively easy for car thieves to gain full control over vehicles, can be legally obtained online and is used by authorized mechanics and service centers.

Impersonating the wireless key fob ECU with CAN injection: A new attack method favored by hackers is CAN injection, extensively used by criminals to steal vehicles. It is possible for attackers to bypass the entire remote keyless entry system with a CAN injector device that connects to the CAN wires and impersonates the wireless key fob ECU.

Jamming communication between a key fob and a vehicle: It is also possible for car thieves to break into vehicles using a signal jammer that blocks the communication between the key fob and the vehicle. This device prevents the owner from locking the vehicle, allowing thieves open access.

In January 2023, a security researcher discovered a vulnerability, described in CVE-2022-38766, that impacts the remote keyless system on a French OEM vehicle model. This vulnerability is based on the rolling code sets, a series of changing codes that is supposed to prevent replay attacks. In this case the researcher discovered that instead of generating new rolling code sets, the system was using the same rolling code sets for each door-open request. This vulnerability allows an attacker to intercept and replay the signals, using a specialized device, and manipulate the keyless system.[104]

In February 2023, police in Glasgow, Scotland, issued a warning after 28 vehicles were stolen in the city during January 2023, citing an increase in keyless vehicle thefts.[105] On the same day, police in Suffolk, UK, warned citizens that keyless car theft has spiked after five luxury SUVs from a UK OEM were stolen in one month.[106] Between March and May 2023, similar announcements were made by the Waterloo Regional Police in Belgium,[107] the Worcestershire Police in the UK,[108] and the Franconia Police in Germany.[109] In August 2023, the UK government announced plans to ban keyless vehicle hacking devices in an attempt to combat rising vehicle thefts, which have soared by 25% year-on-year.[110]

In April 2023, a cybersecurity researcher disclosed a new attack method, called CAN injection, which bypasses the entire smart key system by using a CAN injector device.[111] The device can be connected to the control CAN bus from the headlight connector, the taillight connector, or even by punching a hole in a panel where the twisted pair of CAN wires go right past, to impersonate the smart key ECU. The researcher discovered the method after conducting a lengthy digital forensic investigation into the July 2022 theft of his Japanese OEM vehicle, following two previous failed attempts.[112]
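CVE-2022-38766, as described above, concerned a rolling-code system that reused the same code set for every door-open request, so a recorded signal stayed valid indefinitely. As an added example, not code from the report or the affected OEM, the following Python models the receiver-side rule a rolling-code scheme depends on: each fob press carries an increasing counter and a MAC binding the counter and button to the fob's key, the receiver accepts only counters above the last one it stored and within a bounded resync window, and a counter it has already consumed is refused. The key, window size and counter width are simplified constructed values; production schemes use dedicated block ciphers and two-stage resynchronization, but the acceptance rule is the part the vulnerable system lacked.

```python
"""Rolling-code receiver model with replay rejection (added example)."""
import hashlib
import hmac
import struct

UNLOCK, LOCK = 1, 2
RESYNC_WINDOW = 16   # constructed value: how far ahead the fob counter may drift


def code_for(key, counter, button):
    """One transmission: counter, button, and a truncated MAC over both under the fob key."""
    mac = hmac.new(key, struct.pack(">IB", counter, button), hashlib.sha256).digest()[:8]
    return counter, button, mac


class Fob:
    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def press(self, button):
        self.counter += 1   # a counter value is never transmitted twice, even out of range
        return code_for(self.key, self.counter, button)


class Receiver:
    def __init__(self, key, window=RESYNC_WINDOW):
        self.key = key
        self.window = window
        self.last_counter = 0   # highest counter accepted so far (persisted in a real unit)

    def accept(self, code):
        counter, button, mac = code
        expected = code_for(self.key, counter, button)[2]
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        if counter <= self.last_counter:
            return False, "counter not fresh (replay or reused code)"
        if counter > self.last_counter + self.window:
            return False, "counter outside resync window"
        self.last_counter = counter
        return True, "accepted"


def demo(window=RESYNC_WINDOW):
    """Constructed scenarios: normal use, a recorded press, drift, and a wrong key."""
    key = b"example-fob-key-not-a-real-one!!"   # constructed key
    fob, car = Fob(key), Receiver(key, window)
    results = {}
    first = fob.press(UNLOCK)
    results["first press"] = car.accept(first)
    results["second press"] = car.accept(fob.press(LOCK))
    results["recorded first press replayed"] = car.accept(first)
    for _ in range(window - 1):
        fob.press(UNLOCK)           # presses made out of range of the car
    results["after drift inside window"] = car.accept(fob.press(UNLOCK))
    for _ in range(window + 1):
        fob.press(UNLOCK)
    results["after drift beyond window"] = car.accept(fob.press(UNLOCK))
    counter, button, _ = fob.press(UNLOCK)
    results["mac from wrong key"] = car.accept(code_for(b"other-key", counter, button))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict}")
```

The "recorded first press replayed" case is the CVE-2022-38766 failure class: a receiver that does not advance and persist last_counter, or that accepts a code equal to one already used, leaves every captured transmission valid.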

ECUs

Electronic Control Units (ECUs), responsible for engine, steering, braking, windows, keyless entry, and various critical systems, can be interfered with or manipulated. Hackers try to manipulate ECUs and take control of their functions by running multiple sophisticated systems at the same time.

In February 2023, the National Highway Traffic Safety Administration (NHTSA) ordered a recall of nearly 17,000 Japanese OEM SUVs built between November 2019 and June 2021. Software in the Hybrid Vehicle Control ECU, which is used to calculate the hybrid battery output, may not limit battery output as required, causing the hybrid system to shut down completely in certain conditions.[113] It is unclear what the reason for the issue is, but it could certainly evolve into a significant cyber risk.

In November 2023, a hacker used a device with a microcontroller to read the CAN bus of a Japanese OEM vehicle, allowing him to keep the vehicle's ACC (accessory) relay energized when the engine is turned off, maintaining power to the stereo and infotainment system.[114] This type of attack can lead to privacy violations, as well as potential exploitation of other vehicle systems.

APIs

Connected vehicles as well as smart mobility IoT and services use a wide range of external and internal APIs, resulting in billions of transactions per month. OTA and telematics servers, OEM mobile apps, infotainment systems, mobility IoT devices, EV charging management, and billing apps all rely heavily on APIs. APIs also present significant and fleet-wide large-scale attack vectors, resulting in a wide range of cyber attacks, such as the theft of sensitive PII, backend system manipulation, or malicious remote vehicle control.

In contrast to hacking other types of systems, API hacking is relatively cost-effective and offers the ability to execute large-scale attacks: it requires relatively low technical expertise, uses standard techniques, and can be carried out remotely without special hardware. In the last two years, the Automotive industry and supply chains, as well as mobility devices and services, have experienced a significant increase in data and privacy breaches due to API-based attacks.

In January 2023, a group of security researchers published a lengthy writeup of their months-long work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports them. They discovered multiple vulnerabilities across 19 major global OEMs and suppliers that allowed them to remotely control vehicles and access sensitive OEM and consumer data.[115] In March 2023, a security researcher disclosed that he gained access to a Japanese OEM's CRM database by modifying the dev app to use the production API, which was unintentionally exposed through the loading spinner settings. A misconfigured API and a lack of proper authentication and verification resulted in the researcher being able to access names, addresses, phone numbers, email addresses, tax IDs, and vehicle/service/ownership history of the OEM's customers.[116]

In July 2023, security researchers reported three critical vulnerabilities found in the API interfaces of a Charging Station Management System (CSMS) platform from a Switzerland-based provider, allowing attackers to access files uploaded by other users, bypass the required provisioning PIN code (authentication), and hijack a charger's OCPP connection.[117] In November 2023, security researchers from ASRG disclosed a vulnerability, described in CVE-2023-6073,[118] which allows attackers to crash a specific ECU installed in German OEM vehicles and irreversibly change the volume to maximum levels via REST API calls.[119] The same month, a Tier-2 supplier of a popular automotive platform chip disclosed a multi-mode call processor memory corruption vulnerability, described in CVE-2023-22388,[120] that occurs while processing the bit mask API, causing unexpected behavior and crashing the system.[121]

MOBILE APPLICATIONS

Increasingly connected and software-defined vehicles allow OEMs to provide remote services via vehicle companion apps and third-party apps, allowing owners to conveniently control critical functions using their smartphones and devices. Using mobile applications, users can track the location of vehicles, open their doors, start their engines, turn on auxiliary devices, and more. The same apps that provide drivers with a digital experience can also be exploited by hackers to access the vehicle and backend servers. Companion applications may also have common software vulnerabilities, including open-source vulnerabilities, hard-coded credentials, and API/backend server weaknesses. OEM companion and smart mobility apps can also be used to commit identity theft. Black hat actors can exploit vulnerabilities in mobile devices and application servers to obtain credentials and compromise private user information on a large scale.

In May 2023, security researchers reported a vulnerability, known as CVE-2023-29857,[122] in a popular third-party application used by owners of vehicles from a US EV OEM. The vulnerability allows attackers to obtain sensitive information by directly accessing the application link.[123] In June 2023, a popular ride-hailing service in Pakistan with over 10 million users was hacked, resulting in consumers receiving abusive messages and notifications. A third-party communication API had been compromised, according to the company.[124]
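The March 2023 CRM case in the APIs section (a development app repointed at a production API that lacked proper authentication and verification) and the CVE-2023-29857 case in the mobile applications section (sensitive information returned on direct access to an application link) are both instances of an endpoint answering before establishing who is asking and what they are entitled to. As an added example, not code from the report or from any OEM or vendor mentioned, the following Python models the checks a customer-record endpoint should run before returning data: a signed token is required, it must have been issued for this environment (so a development token presented to production is refused), it must be unexpired and carry the needed scope, and the caller may read only their own record unless they hold an explicit read-any scope. The token format, keys, scopes and customer records are constructed for the example.

```python
"""Authentication and object-level authorization for a customer-record API (added example)."""
import base64
import hashlib
import hmac
import json


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key, subject, audience, scopes, expires_at):
    """Mint a compact signed token: base64url(claims).base64url(HMAC-SHA256 over claims)."""
    claims = {"sub": subject, "aud": audience, "scope": sorted(scopes), "exp": expires_at}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64u(mac)


class CustomerApi:
    """The checks a /customers/{id} endpoint runs before returning a record."""

    def __init__(self, signing_key, audience, records):
        self.signing_key = signing_key
        self.audience = audience    # e.g. "crm-prod"; tokens for "crm-dev" must not work here
        self.records = records      # constructed sample records for the example

    def _claims(self, token):
        """Return the claims if the token's MAC verifies, otherwise None."""
        try:
            body, mac = token.split(".", 1)
            expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64u_decode(mac)):
                return None
            claims = json.loads(_b64u_decode(body))
            return claims if isinstance(claims, dict) else None
        except (ValueError, TypeError):
            return None

    def get_customer(self, token, customer_id, now):
        """Returns (HTTP status, record or reason)."""
        if not token:
            return 401, "authentication required"
        claims = self._claims(token)
        if claims is None:
            return 401, "invalid token"
        if claims.get("aud") != self.audience:
            return 401, "token was not issued for this environment"
        if claims.get("exp", 0) <= now:
            return 401, "token expired"
        scopes = set(claims.get("scope", []))
        if "customer:read" not in scopes:
            return 403, "missing scope customer:read"
        # Object-level check: a customer may read only their own record;
        # support staff need an explicit scope to read anyone else's.
        if claims.get("sub") != customer_id and "customer:read-any" not in scopes:
            return 403, "not the owner of this record"
        record = self.records.get(customer_id)
        if record is None:
            return 404, "no such customer"
        return 200, record


def demo():
    """Constructed requests against a production instance; returns the status of each."""
    prod_key, dev_key = b"prod-signing-key-constructed", b"dev-signing-key-constructed"
    records = {"cust-1001": {"name": "A. Example", "vin": "VINEXAMPLE0000001"},
               "cust-1002": {"name": "B. Example", "vin": "VINEXAMPLE0000002"}}
    api = CustomerApi(prod_key, "crm-prod", records)
    now = 1_700_000_000
    own = issue_token(prod_key, "cust-1001", "crm-prod", {"customer:read"}, now + 3600)
    dev_env = issue_token(prod_key, "cust-1001", "crm-dev", {"customer:read"}, now + 3600)
    dev_key_token = issue_token(dev_key, "cust-1001", "crm-prod", {"customer:read"}, now + 3600)
    support = issue_token(prod_key, "agent-7", "crm-prod",
                          {"customer:read", "customer:read-any"}, now + 3600)
    expired = issue_token(prod_key, "cust-1001", "crm-prod", {"customer:read"}, now - 1)
    return {
        "no token": api.get_customer(None, "cust-1001", now)[0],
        "own record": api.get_customer(own, "cust-1001", now)[0],
        "someone else's record": api.get_customer(own, "cust-1002", now)[0],
        "dev-environment token": api.get_customer(dev_env, "cust-1001", now)[0],
        "token signed with dev key": api.get_customer(dev_key_token, "cust-1001", now)[0],
        "support agent": api.get_customer(support, "cust-1002", now)[0],
        "expired token": api.get_customer(expired, "cust-1001", now)[0],
        "tampered token": api.get_customer(own[:-4] + "AAAA", "cust-1001", now)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:28s} -> {status}")
```

The ordering matters: the ownership check runs before the record lookup, so an attacker enumerating identifiers learns nothing about which ones exist, and the environment (audience) and key checks are what stop a development client from being repurposed against production.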

INFOTAINMENT SYSTEMS

The in-vehicle infotainment system (IVI) is one of the most common attack vectors. It connects to the internet, and is exposed to installed applications and short-range communications with mobile phones and Bluetooth devices. As a result, it has access to PII. Additionally, IVI systems often connect to a vehicle's internal networks, posing a serious risk to the vehicle. IVI systems can be the path of least resistance for malicious software to penetrate internal systems.

In May 2023, a hacker and advocate for open-source implementation in the Automotive industry successfully hacked a Japanese OEM's infotainment system using a tool sold online and posted evidence of the exploit on GitHub. The hacker managed to install multiple applications via a USB drive, including a file manager and a third-party app over the Transmission Control Protocol.[125]

In August 2023, researchers from Germany successfully executed a jailbreak of a US EV OEM's IVI system using a voltage fault injection attack on the chip-maker's processor that gave them nearly irrevocable root access. The attack allowed the researchers to run arbitrary software on the infotainment system and unlock paid features such as faster acceleration and heated seats. Additionally, the exploit facilitated the extraction of a vehicle-unique key (cryptosystem public key) used for authentication and authorization on the OEM's internal service network. With the root permissions gained through the exploit, a malicious actor could access private user data, decrypt encrypted NVMe (Non-Volatile Memory Express) storage, and manipulate the car's identity.[126]

EV CHARGING INFRASTRUCT URE

Providing a reliable and safe charging infrastructure is essential to accelerating the adoption of electric vehicles. But today, many chargers, charging infrastructure components and related apps are vulnerable to physical and remote manipulation that can stop them from working reliably, expose EV users to fraud and ransom attacks, and have widespread implications on the charging network, local electric grid, or even vehicle fleets.

In January 2023, a hacker exploited a popular screen sharing program to gain access to the underlying Operating System (OS) of a new 350-kW charger from a US EV charging company. The hacker could access the OS menu, open the web browser, and navigate to a competitor's website while the charger app remained running in the background.[127] An earlier incident occurred in which another hacker gained access to the charger's critical settings and could view things such as overheat protection.[128] In both cases, the incidents aimed to raise awareness of electric vehicle charging security concerns.

In June 2023, security researchers discovered an internal database, hosted on one of the most popular public cloud platforms with no password, that contained millions of logs (nearly a terabyte of logging data) belonging to a global EV charging service provider with a worldwide network of hundreds of thousands of EV charging stations. The database contained sensitive information about customers who used the EV charging network, including customer names, email addresses, phone numbers of fleet customers, names of fleet operators with vehicles that recharge on the network, vehicle identification numbers (VINs), and locations of EV public and residential charging points.[129]

BLUETOOTH

Bluetooth is a wireless communication technology that uses radio frequencies to connect devices and share data. Bluetooth Low Energy (BLE) is the standard protocol used for sharing data between devices that vendors have adopted for proximity communication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smartwatches, laptops, and more.

In March 2023, a team of French security researchers participating in a hacking contest demonstrated breaking into a US EV OEM IVI using an exploit. The exploit involved a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset, giving the researchers root access to other subsystem

323、s.130 The exploit won the long-running contests first-ever Tier-2 award reserved for exceptionally impactful vulnerabilities and exploits,along with a$250,000 prize.131OTA UPDATESOver-the-Air(OTA)programming is a method for remotely managing software that allows for wireless distribution of new soft

324、ware,firmware,or configuration settings from a central location to all devices through the network.With the expansion of software-defined architectures,OTA updates enable OEMs and their Tier-1 and Tier-2 suppliers to continuously update the SBOM to improve vehicle quality,safety,functionality and in

325、troduce new features.Remote updates,however,are riskier than physical ones because wireless communications opens the door to numerous cyber attacks that can affect multiple vehiclesand even entire fleets,at once.Additionally,updates could be crucial to the vehicles functionality.The failure of an OT

326、A update could cause a severe vehicle malfunction,as it did in November 2023 for a US-based EV OEM.The OEM released and then abruptly canceled an OTA update that offered bug fixes and improvements to a specific feature.As a result of the failed update,the infotainment systems,which are used to opera

327、te critical vehicle functions,of two vehicle models were bricked.The OEM stated that the issue was caused by a human errorthe wrong build was sent out with the wrong security certificateand that an OTA update would be made available to fix the issue and restore full functionality.132As OTAs are used

328、 more frequently and leveraged by an increasing number of OEMs,Upstreams AutoThreat researchers continuously monitor OTA-related activities in the deep and dark web.Our researchers have identified a growing interest by adversaries in exploiting OTA updates to execute cyber attacks.2024 Upstream Secu

329、rity Ltd.All Rights Reserved65V2X ATTACKS ARE AT THEIR INFANCY,BUT ARE EXPECTED TO BECOME MUCH MORE FREQUENT IN THE COMING YEARSTelematics,smart mobility,in-vehicle/mobility IoT,and other services require connected vehicles to share data with servers,apps,and various vehicle components.Connected veh

330、icle-to-everything(V2X),is the collective term for the technology enabling vehicles,infrastructure,and other active road users to be in constant communication by leveraging existing cellular network infrastructure.There are seven primary modes of vehicle connectivity:Within a few years,vehicles will

331、 constantly communicate and interact with their surroundings through APIs,sensors,cameras,radars,mobility IoT modules,and more enhancing vehicle operation by processing various inputs from the environment.The most profound addition will be the capability of a vehicle to communicate with other vehicl

332、es or devices on the road,and receive data from external sources such as EV chargers or road infrastructure.V2IVehicle to InfrastructureWireless exchange of data between the vehicle and road infrastructure to get information about accidents,construction,parking,and more.V2vVehicle to VehicleData sha

333、ring between vehicles,typically including location,to avoid traffic jams and accidents.V2NVehicle to NetworkCommunication between vehicles,traffic lights,lane markings,and other forms of the road infrastructure network.V2CVehicle to CloudCommunication between a vehicle and cloud-based backend systems allows the vehicle to process information and commands sent between services and applications.V2PV
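The unauthenticated charging-network log database described in the EV charging section above leaked names, email addresses, phone numbers, VINs and charge-point locations because the log lines carried them in the first place. The following Python script is an added example, not code from the report or from any charging provider, showing a scrubbing step applied before logs reach a shared store: identifiers that analytics still needs are replaced with keyed pseudonyms so sessions of one vehicle still correlate, coordinates are coarsened, contact details are dropped, and a batch is refused if any PII pattern survives. The log format, field names, pseudonym key and sample lines are constructed assumptions.

```python
"""Keep customer PII out of a charging network's log store.

Added example, not code from the Upstream report or from any EV charging
provider.  The log line format, field names, pseudonym key and sample lines
below are constructed assumptions for this illustration.
"""
import hashlib
import hmac
import re

# Assumed key for keyed pseudonyms; a deployment loads it from a secrets
# manager and rotates it, so a leaked log store cannot be re-identified.
PSEUDONYM_KEY = b"example-only-key-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed: phone numbers are logged in E.164 form (+ and 9 to 15 digits),
# which also keeps ISO timestamps from being mistaken for phone numbers.
PHONE_RE = re.compile(r"\+\d(?:[ -]?\d){8,14}")
# A VIN is 17 characters and never contains I, O or Q (ISO 3779).
VIN_RE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")
# "lat,lon" with three or more decimals, i.e. precise enough to locate a
# residence (format assumed for these sample logs).
LATLON_RE = re.compile(r"(-?\d{1,3}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})")


def pseudonym(kind: str, value: str) -> str:
    """Keyed, stable token: sessions of the same vehicle or account still
    correlate in analytics, but the raw identifier is never stored."""
    mac = hmac.new(PSEUDONYM_KEY, f"{kind}:{value}".encode(), hashlib.sha256)
    return f"{kind}_{mac.hexdigest()[:12]}"


def coarsen_location(lat: str, lon: str, decimals: int = 2) -> str:
    """Round to roughly 1 km: regional load analysis still works, but a
    residential charge point no longer pins down a home address."""
    return f"{float(lat):.{decimals}f},{float(lon):.{decimals}f}"


def find_pii(line: str) -> list:
    """Report which PII classes a line contains; used as an ingest check on
    raw logs and as a post-scrub assertion."""
    checks = (("vin", VIN_RE), ("email", EMAIL_RE),
              ("phone", PHONE_RE), ("location", LATLON_RE))
    return [kind for kind, pattern in checks if pattern.search(line)]


def scrub(line: str) -> str:
    """Pseudonymise identifiers analytics needs, generalise locations, and
    drop contact details outright."""
    line = VIN_RE.sub(lambda m: pseudonym("vin", m.group(0)), line)
    line = EMAIL_RE.sub(lambda m: pseudonym("email", m.group(0).lower()), line)
    line = LATLON_RE.sub(lambda m: coarsen_location(m.group(1), m.group(2)), line)
    line = PHONE_RE.sub("[phone]", line)
    return line


# Constructed sample lines, not real data.
SAMPLE_LOGS = [
    "2023-06-12T08:15:42Z session=start station=DE-BER-0042 "
    "vin=WVWZZZ1KZBW123456 user=anna.k@example.com phone=+4915112345678 "
    "loc=52.520008,13.404954",
    "2023-06-12T08:47:10Z session=end station=DE-BER-0042 "
    "vin=WVWZZZ1KZBW123456 energy_kwh=31.4",
    "2023-06-12T09:02:05Z fleet=acme-logistics operator=ops@acme-example.com "
    "vin=1HGCM82633A004352 loc=48.137154,11.576124",
]


def scrub_all(lines=SAMPLE_LOGS) -> list:
    """Scrub a batch and fail closed if any line still matches a PII pattern."""
    scrubbed = [scrub(line) for line in lines]
    leaks = [(i, find_pii(s)) for i, s in enumerate(scrubbed) if find_pii(s)]
    if leaks:
        raise ValueError(f"PII survived scrubbing: {leaks}")
    return scrubbed


if __name__ == "__main__":
    for original, clean in zip(SAMPLE_LOGS, scrub_all()):
        print(original, "->", clean, sep="\n  ")
```

The pseudonym is keyed rather than a plain hash because VINs and email addresses are low-entropy: an unkeyed SHA-256 of a VIN can be reversed by enumerating plausible VINs, so a stolen log store would still re-identify vehicles. The same find_pii check is worth running as a detection on the raw ingest path, so that a new log line format that reintroduces a field such as a phone number is caught before it lands in the database.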
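The November 2023 OTA failure described in the OTA section above, a wrong build sent out under the wrong security certificate, is exactly the case a vehicle-side verifier has to refuse before writing anything to flash. The following Python is an added example, not the code of any OEM or of the report, showing the checks in the order a practitioner would run them: authenticity under the key this model trusts, then target binding (model and hardware revision), then anti-rollback, then a hash of the delivered image against the signed manifest. It uses HMAC-SHA256 under a per-model key as a stand-in for the asymmetric signature and certificate chain a production pipeline would use; the manifest fields, images, keys and version numbers are constructed.

```python
"""Verify an OTA package against the target vehicle before anything is flashed.

Added example, not the code of any OEM or of the Upstream report.  Assumed: a
JSON manifest with the fields used below, and HMAC-SHA256 under a per-model key
standing in for the asymmetric signature and certificate chain a production
OTA pipeline would use.  Images, keys and versions are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed trust store: each model accepts only its own signing key.  In
# production this is a certificate pinned per model/platform, not a secret.
TRUSTED_SIGNING_KEYS = {
    "model-A": b"signing-key-model-A (example only)",
    "model-B": b"signing-key-model-B (example only)",
}
REQUIRED_FIELDS = {"model", "hw_rev_min", "hw_rev_max", "version", "image_sha256"}


@dataclass(frozen=True)
class VehicleState:
    model: str
    hardware_rev: int
    installed_version: tuple  # e.g. (2023, 44, 3)


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(model, image, version, hw_rev_min=1, hw_rev_max=3) -> dict:
    return {"model": model, "hw_rev_min": hw_rev_min, "hw_rev_max": hw_rev_max,
            "version": list(version), "image_sha256": hashlib.sha256(image).hexdigest()}


def sign_package(manifest: dict, signing_model: str) -> dict:
    """Backend side.  signing_model picks the key, which is where a 'wrong
    build with the wrong certificate' mistake is made."""
    sig = hmac.new(TRUSTED_SIGNING_KEYS[signing_model], canonical(manifest),
                   hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": sig}


def verify_update(package: dict, image: bytes, vehicle: VehicleState):
    """Vehicle side.  Returns (True, "ok") or (False, reason); nothing is
    written to flash unless this returns True."""
    manifest, signature = package["manifest"], package["signature"]
    # 1. Authenticity first, under the key *this vehicle* trusts, never under
    #    a key named by the package itself.
    key = TRUSTED_SIGNING_KEYS.get(vehicle.model)
    if key is None:
        return False, "no trusted signing key for this model"
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not verify under this model's trusted key"
    # 2. Only now interpret the (authenticated) manifest.
    if not REQUIRED_FIELDS.issubset(manifest):
        return False, "manifest missing required fields"
    # 3. Target binding: model and hardware revision must match the vehicle.
    if manifest["model"] != vehicle.model:
        return False, f"manifest targets {manifest['model']}, vehicle is {vehicle.model}"
    if not manifest["hw_rev_min"] <= vehicle.hardware_rev <= manifest["hw_rev_max"]:
        return False, "hardware revision outside the manifest's supported range"
    # 4. Anti-rollback: never install a version at or below the running one.
    if tuple(manifest["version"]) <= vehicle.installed_version:
        return False, "version is not newer than the installed version"
    # 5. The delivered bytes must be the bytes the manifest was signed for.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["image_sha256"]):
        return False, "image hash mismatch"
    return True, "ok"


def demo() -> dict:
    """Happy path plus the failure modes the incident illustrates."""
    image_a = b"constructed firmware image for model-A 2023.44.4"
    image_b = b"constructed firmware image for model-B 2023.44.4"
    vehicle_a = VehicleState("model-A", hardware_rev=2, installed_version=(2023, 44, 3))
    vehicle_b = VehicleState("model-B", hardware_rev=2, installed_version=(2023, 44, 3))
    good_pkg = sign_package(build_manifest("model-A", image_a, (2023, 44, 4)), "model-A")
    return {
        "good": verify_update(good_pkg, image_a, vehicle_a),
        # right package, wrong model: fails at the signature, before parsing
        "wrong_model": verify_update(good_pkg, image_a, vehicle_b),
        # right manifest and key, wrong build attached
        "wrong_image": verify_update(good_pkg, image_b, vehicle_a),
        # manifest claims model-B but was signed with model-A's key
        "forged_target": verify_update(
            sign_package(build_manifest("model-B", image_a, (2023, 44, 4)), "model-A"),
            image_a, vehicle_b),
        # properly signed, but not newer than what is installed
        "rollback": verify_update(
            sign_package(build_manifest("model-A", image_a, (2023, 44, 3)), "model-A"),
            image_a, vehicle_a),
        # properly signed for model-A, but only for hardware revision 3 and up
        "hw_mismatch": verify_update(
            sign_package(build_manifest("model-A", image_a, (2023, 44, 4), hw_rev_min=3), "model-A"),
            image_a, vehicle_a),
    }
```

Two design points matter more than the individual checks. The verifier looks up the key by the vehicle's own identity rather than by anything in the package, so a package that merely claims to be for this model gains nothing; and the image hash is checked only after the manifest is authenticated, so an attacker cannot steer the verifier with an unsigned manifest. A pipeline that wants to survive the human error in the incident also installs into the inactive A/B slot and only switches after the new image boots and reports back.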
