A lot of good things are possible as a result of the transition to the software-defined vehicle.
For automakers, the movement to SDVs can open up access to vast amounts of data on how consumers use their cars and offer lucrative new revenue streams that some project could add tens of billions of dollars annually to their coffers. For the consumer, owning an SDV promises access to a continuous flow of new features, services and updates that could keep their vehicle fresh long after it has left the showroom.
But the more software onboard, the more prone a vehicle is to cyberattack, says Shira Sarid-Hausirer, vice president of marketing for cybersecurity firm Upstream Security. And that could frustrate consumers, put their personal information at risk and cost OEMs millions of dollars to resolve a breach that impacts thousands or even millions of vehicles on the road in a single stroke.
“All automakers will be impacted (by cyberattacks), but the ones that push out smart vehicles the fastest will be the most vulnerable,” the Upstream executive says, pointing out lines of code – and, thus, potential points of attack – could reach 600 million in newer vehicles, about six times today’s levels.
The problem, Sarid-Hausirer says in a media backgrounder on Upstream’s latest annual report on automotive cybersecurity attacks, is that the threat to the industry from nefarious actors already has reached an inflection point.
Upstream looked closely at 295 publicly reported cyberattacks in 2023, a figure that was up slightly from 2022. Of the total, 64% were launched by malicious Black Hat hackers. But more important than the number of breaches is how they were done and what the cybersecurity thieves were targeting, Sarid-Hausirer says.
For example, 85% of the hacks were performed at long distance – no one ever touched the vehicle that was compromised, a considerable jump from 70% in 2022, meaning attacks can come from anywhere in the world.
More alarming is the number of vehicles that potentially could have been impacted by the cyberthreats, with 49% of the hacks covering either a high (in the thousands) or massive (in the millions) number of vehicles on the road, more than double the 23% penetration in 2022. When Upstream looked only at some 135 Black Hat hacks, the potential high/massive impacts accounted for 67% of the attacks.
About 13% of those Black Hat attacks were made through application programming interfaces (APIs) – the coding that allows one piece of software to communicate with another or directly with the cloud, up only a point from 2022. But the sheer number of vehicles that can be reached through APIs as vehicles become more software-defined is increasing at a robust clip, meaning attacks made in this way have the potential to impact a huge number of vehicles in the near future, Sarid-Hausirer points out.
Most of the 2023 Black Hat attacks were aimed at multiple OEMs, with 59% of the hacks focused on several global or regional automakers simultaneously.
Perhaps most concerning for consumers, 12% of the Black Hat hacks focused on acquiring personal information accessible via a vehicle’s apps, meaning things like credit card numbers and other financial-related personal information stored on the vehicle or connected to the vehicle via the cloud could be at risk.
Generative artificial intelligence, another tool that offers a lot of positives for software developers and consumers, also is being used by nefarious actors to speed up and broaden the impact of cyberattacks, Sarid-Hausirer says.
“Attackers are leveraging Generative AI to automate the attack process and to learn (the intricacies of a piece of software),” she says. “It’s lowering the barrier to attacks.”
In one impact model, Upstream estimates an OEM could face a cost of up to $50 million if one of its battery-electric vehicles were to be hacked through its battery-management or charging software. The estimate includes the cost of potential vehicle and battery recalls and repairs, as well as legal and regulatory compliance, including potential class-action lawsuits initiated by inconvenienced customers.
To counter, Upstream, which offers a cyberattack monitoring platform and service, says automakers will have to protect their data not only on the vehicle but in the cloud. And they also must monitor the Dark Web, where nefarious actors often share information and signal their plans and objectives. Upstream also recommends a “shift left” mentality that would push cybersecurity protection up the OEM’s product-development chain into the R&D department.
“Automakers will need to be proactive,” Sarid-Hausirer says.