A newly released report points to a growing threat focused on automotive cyber attacks, according to VicOne, an automotive cybersecurity provider.

Supply chains appear to be the major source of growth in automotive cyber attacks, the report found.

The “Automotive Cyberthreat Landscape Report 2023” is based on data provided by automotive original equipment manufacturers (OEMs), suppliers and dealers globally.

Analysis indicates a surge in usage and monetization of automotive data. This could lead to data exploitation by cyber criminals, the report added.

“In our analysis of the threat landscape, we noticed that the losses from cyber attacks in the first half of the year exceeded $11 billion, marking an unprecedented surge compared to the last two years,” the report stated.

“A closer examination reveals that these cyber attacks predominantly targeted automotive suppliers, indicating a rising trend. Alarmingly, over 90 percent of these attacks were not aimed at OEMs themselves but rather at other entities in the supply chain. Attackers often find it difficult to penetrate well-protected companies, so they target less vigilant firms instead. But OEMs are affected all the same, because of the supply chain disruptions,” it added. “Consequently, defending systems against cyber attacks is no longer just about securing an individual firm; it is about strengthening the entire supply chain.”

The new VicOne report highlights data vulnerability in the wake of the increasing complexity of vehicles and their integration of connectivity, automation and advanced driver assistance systems (ADAS).

Industry losses are growing from cyber attacks, such as ransomware and exposure of leaked data or personally identifiable information (PII), as well as costs associated with system downtime.

The calculations within the report are based only on tangible costs related to technology and operations and not intangible costs such as branding, public relations, sales and marketing expenses.

The report identifies top vulnerabilities by which vehicle data can be compromised, listing common weakness enumeration (CWE) vulnerabilities in tables, out-of-bounds write (OOBW), out-of-bounds read (OOBR), buffer overflow, use after free and improper input validation vulnerabilities as the most frequent issues found.

Most of the issues were found on chipsets or systems-on-chip (SoCs), followed by vulnerabilities in third-party management applications and in-vehicle infotainment (IVI) systems, the VicOne report noted.

Third-party suppliers like logistics and service providers and companies engaged in the production of components, accessories or parts emerged as a growing focus of attacks, VicOne added.

Key incidents from the last year are highlighted, including the Zenbleed vulnerability, potentially leading to the leakage of sensitive data at a remarkably fast rate of 30kb/s per core; Controller Area Network (CAN) bus injection pretending to be a smart key, an emerging favorite technique among vehicle thieves; and penetration of backend cloud infrastructure, by exploiting vulnerabilities in telematics systems and application programming interfaces (APIs).

While noting that there is currently a regulatory vacuum when it comes to vehicle data, the report points out that UN R155 will mandate safety conditions for newly manufactured cars by July 2024.

“It’s clear that the automotive industry needs to give higher priority to cybersecurity, in terms of resources and budget. That is something that must be happening continually—building up the processes, building up the organization, building up the talent, building up the entire system—or you will never be able to implement cybersecurity effectively,” said Max Cheng, chief executive officer of VicOne. “Now is the time for organizations throughout the global automotive industry to get serious about exploring how to build up their capabilities across the important focus areas that our new report covers.”

The full report is available at https://vicone.com/reports/automotive-cybersecurity-report-2023