The modern car has more lines of code than an F-35 fighter jet, and consists of more than a hundred electronic control units (ECUs) that manage everything from engine and brake operation to air conditioning and the multimedia system. It is equipped with a whole arsenal of sensors, radars and cameras, and with built-in cellular modems, it has a constant connection to the Internet. The vehicle has ceased to be a purely mechanical device. It has become an advanced, driving data center - a complex “computer on wheels.” This digital transformation, while driving a revolution in autonomous driving and online services, has simultaneously opened a Pandora’s box of a whole new class of threats.
Automotive cybersecurity has ceased to be a theoretical problem and has become one of the biggest challenges for the entire industry. The ability to remotely take control of brakes, steering or engine operation, demonstrated by security researchers years ago, has made everyone realize that the stakes in this game are unprecedented. It’s no longer just about stealing data or money. It’s about the physical safety, health and lives of drivers, passengers and other road users.
Shortcuts
- Why has the modern car become a “computer on wheels” and a target for hackers?
- What are the key attack vectors for connected cars?
- What is the “suitcase” attack (relay attack) and how does it work in keyless entry systems?
- What is the CAN bus and why is its compromise so dangerous?
- What is the ISO/SAE 21434 standard and what role does it play in building safe vehicles?
- How does nFlo support the automotive industry in testing and securing products?
Why has the modern car become a “computer on wheels” and a target for hackers?
The evolution of the car mirrors the evolution of all technology. Every new feature - from ABS to navigation to parking assistants and adaptive cruise control - has required the addition of another electronic control unit (ECU) and thousands more lines of code. All of these distributed “brains” must communicate with each other, creating a complex internal network, most often based on the CAN bus.
At the same time, customer expectations have forced manufacturers to connect this internal, closed network to the outside world. Infotainment systems must access the Internet to download maps and music. Mobile apps allow you to remotely start the air conditioning or check the battery charge. Software updates (OTA - Over-the-Air) are sent directly to the vehicle.
Each of these points of contact with the outside world - a cellular modem, Bluetooth module, Wi-Fi, or even a USB port - becomes a potential attack vector. A hacker who finds a vulnerability in one of these interfaces can gain an initial foothold and then try to penetrate the vehicle’s internal network and affect the operation of critical components.
What are the key attack vectors for connected cars?
The attack surface of a modern vehicle is vast and includes both remote attacks and those requiring physical proximity.
Remote attacks:
- Compromising telematics and infotainment systems: the most common vector. Vulnerabilities in the multimedia system, its web browser or third-party applications can allow remote code execution on a unit that also has a path into the vehicle’s internal network.
- Attacks on the manufacturer’s backend infrastructure: an attacker who compromises the servers the cars communicate with can push a malicious software update to an entire fleet at once.
- Mobile app attacks: vulnerabilities in the mobile app used to manage the vehicle remotely can let an attacker take control of functions such as unlocking the doors or starting the engine.
Local/close-range attacks:
- Attacks on wireless interfaces: vulnerabilities in the implementation of Bluetooth or Wi-Fi can be exploited by an attacker within radio range of the vehicle.
- Theft “by suitcase” (relay attack): an attack on keyless entry systems, described below.
- Attacks on physical ports: connecting a malicious device to the OBD-II diagnostic port or a USB port.
What is the “suitcase” attack (relay attack) and how does it work in keyless entry systems?
The “suitcase” attack is one of the most common and most widely publicized methods of stealing modern cars, and it exploits the way passive keyless entry systems work.
The system relies on short-range, low-power radio communication between the key and the car. When the owner, key in pocket, approaches the car and pulls the door handle, the car transmits a challenge that amounts to “are you nearby?”. The key receives it and sends back a response that only the genuine key can compute, and the car unlocks. The range of this exchange is deliberately limited to roughly a meter or two so that the car cannot be opened from a distance. The weak point is that the car verifies the key’s identity cryptographically but infers the key’s proximity only from the fact that its low-power signal was received at all.
The “suitcase” attack requires two thieves working together, each carrying a device (the “suitcase”) that amplifies and retransmits radio signals.
- Thief A brings one “suitcase” as close as possible to the house or building where the owner is with the original key (for example, standing under a window or by the front door). This device picks up the weak signal emitted by the key.
- The signal is amplified and retransmitted to thief B, who stands with the second “suitcase” right next to the car.
- Thief B’s device impersonates the original key in front of the car, replaying the captured and amplified signal (the car’s own challenge travels the same path in the opposite direction).
- The car “thinks” the key is right beside it, unlocks the doors and allows the engine to be started.
Defenses against this attack include motion-sensing keys (which stop responding after lying still for a while), keyless protocols that measure the key’s actual distance by time-of-flight ranging (for example over UWB) rather than merely checking whether its signal can be heard, and, on the owner’s side, storing the key at home in a shielded pouch or box (a small Faraday cage).
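To make the mechanism concrete, here is a small simulation added to this article (it is not nFlo’s code and not any manufacturer’s protocol): a fob answers a random challenge with an HMAC, a relay forwards the exchange untouched but adds delay, and two cars judge the result, one checking only the cryptography and one also enforcing a round-trip time bound, as distance-bounding (UWB-style) systems do. The names, the shared secret and the latency figures are assumed model values, not measurements.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed: a shared secret provisioned into both car and fob at the factory.
FOB_SECRET = secrets.token_bytes(16)
RESPONSE_LEN = 8


class Fob:
    """Passive keyless fob: answers any valid challenge it can hear, which is
    exactly what a relay exploits. A motion-sensing fob stops answering once
    it has been lying still (one of the defences mentioned above)."""

    def __init__(self, secret: bytes, motion_sensing: bool = False, moving: bool = True):
        self.secret = secret
        self.motion_sensing = motion_sensing
        self.moving = moving

    def respond(self, challenge: bytes) -> Optional[bytes]:
        if self.motion_sensing and not self.moving:
            return None  # fob asleep on the hall table: no answer to relay
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


class DirectLink:
    """Fob within the intended ~1 m: radio plus fob processing delay only.
    rtt_us is an illustrative model value."""

    def __init__(self, fob: Fob, rtt_us: float = 5.0):
        self.fob, self.rtt_us = fob, rtt_us

    def exchange(self, challenge: bytes) -> Tuple[Optional[bytes], float]:
        return self.fob.respond(challenge), self.rtt_us


class RelayLink:
    """The two 'suitcases': the challenge is carried to the fob and the fob's
    answer carried back to the car. The relay never touches the cryptography,
    but each capture/amplify/retransmit hop adds delay the thieves cannot remove."""

    def __init__(self, inner: DirectLink, overhead_us: float = 300.0):
        self.inner, self.overhead_us = inner, overhead_us

    def exchange(self, challenge: bytes) -> Tuple[Optional[bytes], float]:
        response, rtt = self.inner.exchange(challenge)
        return response, rtt + self.overhead_us


class Car:
    """max_rtt_us=None models a legacy car that checks only the cryptographic
    response; a value models a distance-bounding car that also rejects answers
    arriving too late to have come from a fob that is really nearby."""

    def __init__(self, secret: bytes, max_rtt_us: Optional[float] = None):
        self.secret, self.max_rtt_us = secret, max_rtt_us

    def try_unlock(self, link) -> bool:
        challenge = secrets.token_bytes(8)  # fresh nonce: replaying an old answer fails
        response, rtt = link.exchange(challenge)
        if response is None:
            return False
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]
        if not hmac.compare_digest(response, expected):
            return False
        if self.max_rtt_us is not None and rtt > self.max_rtt_us:
            return False  # valid cryptography, but the fob is too far away
        return True


def run_scenarios() -> dict:
    fob = Fob(FOB_SECRET)
    idle_fob = Fob(FOB_SECRET, motion_sensing=True, moving=False)
    stranger = Fob(secrets.token_bytes(16))  # someone else's fob: wrong secret
    legacy = Car(FOB_SECRET)
    bounded = Car(FOB_SECRET, max_rtt_us=20.0)
    return {
        "legacy_direct": legacy.try_unlock(DirectLink(fob)),
        "legacy_relayed": legacy.try_unlock(RelayLink(DirectLink(fob))),
        "bounded_direct": bounded.try_unlock(DirectLink(fob)),
        "bounded_relayed": bounded.try_unlock(RelayLink(DirectLink(fob))),
        "legacy_relayed_idle_fob": legacy.try_unlock(RelayLink(DirectLink(idle_fob))),
        "stranger_direct": legacy.try_unlock(DirectLink(stranger)),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name:26s} -> {'UNLOCKED' if unlocked else 'refused'}")
```

The point the simulation makes is that the relay is not a cryptographic break: the stranger’s fob is refused and the genuine fob is accepted over the direct link in every case. What the legacy car lacks is any notion of distance, so the relayed answer is accepted; the distance-bounding car rejects the same answer purely because it arrived late, and the motion-sensing fob defeats the relay on the other end by refusing to answer at all.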
What is the CAN bus and why is its compromise so dangerous?
The CAN (Controller Area Network) bus is a communication network standard that has been the de facto nervous system of every vehicle for years. It is the network through which all electronic control units (ECUs) communicate with each other - from the engine controller to the ABS system and airbags to the radio and air conditioning control module.
For historical reasons, CAN was designed for reliability and low cost, not security. In its basic form it has no authentication or encryption. A frame carries only an arbitration ID and up to eight data bytes, with no sender address, so any device on the bus can transmit any ID and every receiver treats the frame as genuine. Trust is complete and implicit.
CAN compromise is so dangerous because it gives an attacker direct access to systems critical to driving safety. An attacker who has reached the internal network (for example through a vulnerability in the infotainment system) can inject forged frames that are indistinguishable from those of the legitimate controllers, typically sending them faster than the real ECU so that they override its periodic messages: “apply the brakes”, “shut off the engine”, “turn the steering wheel”, with a potentially catastrophic loss of control by the driver. Securing and segmenting the CAN bus is one of the biggest challenges facing automotive engineers today.
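The following Python is an added illustration, not code from this article or from any vehicle. It serializes frames in the Linux SocketCAN layout to show that a forged frame is byte-identical to a genuine one, then runs a constructed trace through the two defenses the table that follows names: an allowlisting gateway between the infotainment and powertrain segments, and a period-based intrusion detector that flags an ID arriving far faster than its nominal rate. The arbitration IDs, periods, segment names and the trace itself are assumptions; real values come from the OEM’s CAN database, not from the CAN standard.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed IDs and periods for this illustration only.
STEERING_ID = 0x0C0       # steering frames, nominal period 10 ms
BRAKE_ID = 0x1A0          # brake frames, nominal period 20 ms
MEDIA_STATUS_ID = 0x3E8   # head-unit status, the only ID allowed to cross

NOMINAL_PERIOD_MS: Dict[int, float] = {STEERING_ID: 10.0, BRAKE_ID: 20.0}
ALLOWED_INTO_POWERTRAIN = {MEDIA_STATUS_ID}   # gateway allowlist, infotainment -> powertrain


@dataclass
class Frame:
    ts_ms: float    # receive timestamp at the gateway
    can_id: int     # 11-bit arbitration ID; a CAN frame carries no sender address
    data: bytes     # 0..8 payload bytes
    segment: str    # physical segment the frame was received on


def to_socketcan(frame: Frame) -> bytes:
    """Serialize as a Linux SocketCAN `struct can_frame` (16 bytes). A forged
    frame and the genuine one are byte-for-byte identical on the wire: nothing
    in the frame identifies the sending ECU."""
    if not 0 <= frame.can_id <= 0x7FF:
        raise ValueError("standard CAN arbitration IDs are 11-bit")
    if len(frame.data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack("=IB3x8s", frame.can_id, len(frame.data), frame.data.ljust(8, b"\0"))


def gateway_admits(frame: Frame) -> bool:
    """Firewall rule at the central gateway: traffic native to the powertrain
    segment passes; traffic arriving from infotainment is allowlisted by ID."""
    if frame.segment == "powertrain":
        return True
    return frame.can_id in ALLOWED_INTO_POWERTRAIN


class PeriodIDS:
    """Detects injection of a periodic ID. The legitimate ECU keeps transmitting,
    so an injector must send faster to out-vote it, and the observed
    inter-arrival time collapses well below the nominal period."""

    def __init__(self, nominal_ms: Dict[int, float], ratio: float = 0.5):
        self.nominal = nominal_ms
        self.ratio = ratio
        self.last_seen: Dict[int, float] = {}

    def observe(self, frame: Frame) -> Optional[str]:
        period = self.nominal.get(frame.can_id)
        prev = self.last_seen.get(frame.can_id)
        self.last_seen[frame.can_id] = frame.ts_ms
        if period is None or prev is None:
            return None
        gap = frame.ts_ms - prev
        if gap < self.ratio * period:
            return f"t={frame.ts_ms:.1f}ms id=0x{frame.can_id:03X} gap={gap:.1f}ms (nominal {period:.0f}ms)"
        return None


def build_trace() -> List[Frame]:
    """Constructed sample trace (not a real capture): 100 ms of normal
    powertrain traffic, a 1 ms injection flood of steering frames from t=60 ms
    on the powertrain segment, and two frames arriving from infotainment."""
    frames = [Frame(float(t), STEERING_ID, b"\x00\x10", "powertrain") for t in range(0, 100, 10)]
    frames += [Frame(float(t + 5), BRAKE_ID, b"\x00", "powertrain") for t in range(0, 100, 20)]
    frames += [Frame(60.3 + i, STEERING_ID, b"\x7f\xff", "powertrain") for i in range(20)]
    frames.append(Frame(30.0, MEDIA_STATUS_ID, b"\x01", "infotainment"))   # legitimate crossing
    frames.append(Frame(31.0, BRAKE_ID, b"\xff", "infotainment"))          # head unit forging a brake frame
    return sorted(frames, key=lambda f: f.ts_ms)


def analyze(trace: List[Frame]) -> dict:
    """Gateway rule first, then the IDS on everything that reaches powertrain."""
    ids = PeriodIDS(NOMINAL_PERIOD_MS)
    dropped: List[Tuple[float, int]] = []
    alerts: List[str] = []
    admitted = 0
    for frame in trace:
        if not gateway_admits(frame):
            dropped.append((frame.ts_ms, frame.can_id))
            continue
        admitted += 1
        alert = ids.observe(frame)
        if alert:
            alerts.append(alert)
    return {"admitted": admitted, "dropped": dropped, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(build_trace())
    print("dropped by gateway:", [(t, hex(i)) for t, i in result["dropped"]])
    print(f"{len(result['alerts'])} IDS alerts, first: {result['alerts'][0]}")
```

The gateway stops the forged brake frame only because it arrived on the wrong physical segment; once an attacker is on the powertrain bus itself, as in the injected steering flood, the frames look legitimate and only their timing gives them away, which is why the period-based detector is the second layer. In a real deployment the ratio threshold must be tuned per ID against the jitter seen in normal traffic, or event-triggered IDs will raise false alarms.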
Main vectors of attacks on connected vehicles and methods of defense
| Attack vector | Description | A key defense mechanism |
|---|---|---|
| Attacks on keyless access | Intercepting and amplifying the key signal to open and start the vehicle (a “suitcase” attack). | Use of motion-sensing keys. Implementation by manufacturers of protocols resistant to relay attacks. |
| Attacks on telematics and infotainment systems | Exploiting vulnerabilities in the media system, browser or applications to gain initial access to the vehicle’s network. | Hardening of systems, regular software updates (OTAs), rigorous separation of infotainment networks from critical networks. |
| Attacks on the internal network (CAN bus) | Sending forged frames onto the CAN bus to take control of the vehicle’s physical functions (brakes, steering). | Segmentation of the internal network; a central gateway with firewall and IDS functions that filters traffic crossing into the critical CAN segments. |
| Attacks on the vendor’s backend/cloud | Compromise the manufacturer’s servers to send a malicious update en masse or steal data from an entire fleet of vehicles. | Rigorous security of cloud infrastructure, secure software update (OTA) process, mutual authentication. |
What is the ISO/SAE 21434 standard and what role does it play in building safe vehicles?
In response to growing threats and pressure from regulators (especially in Europe and Japan), the automotive industry has developed the first comprehensive international standard devoted entirely to cybersecurity engineering for road vehicles: ISO/SAE 21434 “Road vehicles - Cybersecurity engineering.”
This standard is not a list of specific technical safeguards to implement. It is a process standard: it defines a framework for managing cybersecurity risk across the entire life cycle of a vehicle, from concept through design and production to operation and decommissioning.
ISO/SAE 21434 requires manufacturers and their suppliers to establish organizational cybersecurity management, which forms the basis of the Cybersecurity Management System (CSMS) that UN Regulation No. 155 demands. Among other things, it obliges organizations to:
- have formal cybersecurity policies and processes in place;
- conduct a Threat Analysis and Risk Assessment (TARA) and keep it current through each phase of the project;
- apply “security by design” principles;
- verify and validate the product, including cybersecurity testing;
- manage vulnerabilities and incidents in products already on the market.
The standard has become de facto mandatory, because it is the primary means of demonstrating compliance with legally binding regulations such as UN Regulation No. 155 (cybersecurity and CSMS) and No. 156 (software updates), adopted under UNECE WP.29.
How does nFlo support the automotive industry in testing and securing products?
The automotive industry is a unique ecosystem in which advanced software meets mechanical engineering and stringent physical safety requirements. At nFlo we have the specialized expertise to support vehicle manufacturers and their suppliers (Tier 1, Tier 2) in meeting these new cybersecurity challenges.
Related Terms
Learn key terms related to this article in our cybersecurity glossary:
- Security Operations Center (SOC) — Security Operations Center (SOC) is a central location where a team of security…
- SOC as a Service — SOC as a Service (Security Operations Center as a Service), also known as…
- Network Security — Network security is a set of practices, technologies, and strategies aimed at…
- Cybersecurity — Cybersecurity is a collection of techniques, processes, and practices used to…
- Cybersecurity Incident Management — Cybersecurity incident management is the process of identifying, analyzing,…
Learn More
Explore related articles in our knowledge base:
- 12 Tips to Improve Cybersecurity in Your Organization
- A modern approach to monitoring IT environments - a guide
- ARTEMIS: Innovative Cybersecurity Workshops
- Board Responsibility for OT Cybersecurity Under NIS2
- CEO fraud (BEC): How to protect your company’s finances from the most expensive cyber attack?
Explore Our Services
Need cybersecurity support? Check out:
- Security Audits - comprehensive security assessment
- Penetration Testing - identify vulnerabilities in your infrastructure
- SOC as a Service - 24/7 security monitoring
