With the rapid growth of connected cars and the involvement of multiple supply chain participants in the sales and operations process, automotive manufacturers (OEMs) need to rethink their approach to information security. The number of incidents related to attacks on OEM infrastructure is steadily increasing and their impact is becoming more widespread.
In this issue, we:
And, of course, we give our recommendations for improving vehicle cybersecurity.
As electronics have become ubiquitous in transportation over recent decades, cars have gained the ability to monitor and record what happens inside and around the vehicle. Connected cars exchange this information with other devices, including other vehicles, over the internet. Their numbers are growing rapidly, and they form part of the larger internet of things (IoT) ecosystem.
More than 400 million connected cars are projected to be in use by 2025, up from about 237 million in 2021. In 2020, around 30 million new connected cars were sold globally, representing about 41% of all new car sales. By 2030, 96% of all new cars sold are expected to be connected.
With the rapid growth of digitalization in the automotive industry, there has also been a significant shift in the way cybersecurity is approached.
In the past, the security of the vehicle coming off the assembly line was considered separately from the security of the manufacturer’s infrastructure. Now that the car, once on the road, continues to be closely connected to the manufacturer’s infrastructure (connected cars), it is necessary to consider the security of the distributed information system as a whole.
The main elements of an automotive OEM’s infrastructure are cloud-based services, including fleet management systems, telematics services, over-the-air (OTA) updates and diagnostics, often provided by third parties. In addition, OEMs also use server systems associated with manufacturing processes, development and operations support, and employee workstations, which are not always properly isolated from each other.
All elements of this system are now interconnected, interdependent and often have defensive weaknesses that attackers can exploit.
The OEM backend’s default trust in the data coming from the vehicle and, conversely, the vehicle’s unconditional trust in remote commands from the automaker’s infrastructure can lead to cyber incidents.
This new reality is reflected in numerous cases, such as the breach of Toyota that made headlines in August 2024. Attackers published what they claimed was 240 GB of data taken from Toyota’s US division, including information about employees, customers, contracts and even the company’s network infrastructure. The case illustrates how a weakness in one element of an automaker’s infrastructure can lead to the leak of sensitive data and compromise of the company’s network systems. Full details of the incident have not been released, so its true scale can only be guessed at.
This is not the first serious incident Toyota has faced. In November 2023, the Medusa ransomware group attacked the company’s subsidiary Toyota Financial Services, compromising customers’ confidential and financial information. Earlier in 2023, Toyota also disclosed that data on roughly two million vehicles and their owners had been exposed for about ten years through a misconfigured cloud environment.
Depending on whose data is affected, the automaker may face substantial regulatory fines, for example under the EU’s General Data Protection Regulation (GDPR), while car owners face concrete risks of their own: leaked location and trip data, for instance, makes it easier to target a specific vehicle for theft.
Toyota is not the only automaker experiencing large-scale attacks on its infrastructure. Although no public report has yet documented criminals taking control of an automaker’s fleet management servers, researchers are seeing a significant increase in incidents in this area, and have shown how little stands in the way.
Weaknesses of exactly this kind, implicit trust between telematics units and the backend, were found and demonstrated by security researchers in 2023 on the HopeChart HQT401 telematics control unit (T-Box).
HopeChart IoT Technology manufactures T-Box devices for fleet management and telematics data collection. These electronic control units are fitted both at truck manufacturing plants and in the aftermarket on existing vehicles. One example is its cooperation with Sany, the world’s third largest heavy equipment manufacturer, which produces over one hundred thousand excavators annually. Telematics control units make it possible to monitor machines and manage them remotely, which is critical for keeping productivity high and operating costs down.
The researchers were able to gain access to the telematics data from all the units and subsequently to Sany’s MQTT fleet management server. MQTT is a publish/subscribe protocol widely used for IoT: devices publish telemetry to topics on a central broker and subscribe to topics on which they receive commands, so the broker mediates all traffic between vehicles and the backend. During testing it turned out that the broker required neither authentication nor encryption to connect, which allowed the researchers to read data from every fleet vehicle connected to it, each identified by the ICCID (Integrated Circuit Card Identifier) of its SIM card. Beyond monitoring the telemetry of all vehicles, the researchers could send commands by masquerading either as one of those vehicles or as the automaker’s backend itself, because the broker had no way of telling who was publishing to a topic. The data exposed included GPS position, speed, engine RPM, fuel level and other metrics, as well as diagnostic errors and CAN traffic transmitted during certain events.
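The broker described above failed three separate checks: it accepted anonymous clients, let any client subscribe to every vehicle’s telemetry, and let any client publish as another vehicle or as the backend. The following is an added example (not code from the article, HopeChart, Sany or any other party it mentions) of the topic-level authorization a fleet broker should enforce. The `fleet/<iccid>/telemetry` and `fleet/<iccid>/cmd` topic layout, the principal model and the ICCIDs are assumptions made for the illustration; the identity is assumed to come from a mutually authenticated TLS client certificate, which is why encryption and authentication belong together here.

```python
"""Topic-level authorization for a fleet telematics MQTT broker.

Added example, not code from the article or from HopeChart, Sany or any
other party it mentions. The topic layout, the principal model and the
sample ICCIDs are assumptions made for illustration.

Assumed layout (one pair of topics per vehicle, keyed by the SIM's ICCID):
    fleet/<iccid>/telemetry   vehicle publishes, backend subscribes
    fleet/<iccid>/cmd         backend publishes, vehicle subscribes
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Who is asking. Role and ICCID come from the mutually authenticated TLS
    client certificate, never from a self-declared MQTT client ID."""
    role: str                    # "vehicle" or "backend"
    iccid: Optional[str] = None  # set for vehicles only


def authorize(principal: Optional[Principal], action: str, topic_filter: str) -> bool:
    """Decide whether `principal` may `action` ("publish"/"subscribe") on `topic_filter`.

    Default is deny. The open broker in the article failed every rule below.
    """
    if principal is None:
        return False                         # no anonymous access
    parts = topic_filter.split("/")
    if len(parts) != 3 or parts[0] != "fleet" or "#" in parts:
        return False                         # unknown layout or multi-level wildcard
    iccid, leaf = parts[1], parts[2]
    if leaf not in ("telemetry", "cmd") or not iccid:
        return False

    if principal.role == "backend":
        # The backend may read telemetry of the whole fleet ('+' allowed), but a
        # command must always name one specific vehicle.
        if action == "subscribe" and leaf == "telemetry":
            return True
        return action == "publish" and leaf == "cmd" and iccid != "+"

    if principal.role == "vehicle":
        # A vehicle is confined to its own topics. '+' never equals its ICCID, so
        # fleet-wide subscriptions and impersonation of other units are both denied.
        if principal.iccid is None or iccid != principal.iccid:
            return False
        return (action, leaf) in {("publish", "telemetry"), ("subscribe", "cmd")}

    return False                             # unknown role


# Constructed ICCIDs for the walkthrough (19-digit format, not real SIMs).
OWN_UNIT = "8986001234567890123"
OTHER_UNIT = "8986009999999999999"


def researcher_moves(principal: Optional[Principal]) -> List[Tuple[str, bool]]:
    """Replay the three things the researchers could do against the open broker
    and report whether the policy above would allow them for this principal."""
    moves = [
        ("read all fleet telemetry", "subscribe", "fleet/+/telemetry"),
        ("publish telemetry as another unit", "publish", f"fleet/{OTHER_UNIT}/telemetry"),
        ("send a command as the backend", "publish", f"fleet/{OTHER_UNIT}/cmd"),
    ]
    return [(label, authorize(principal, action, topic)) for label, action, topic in moves]


if __name__ == "__main__":
    for who in (None, Principal("vehicle", OWN_UNIT), Principal("backend")):
        print(who, researcher_moves(who))
```

Run stand-alone, the script shows that an anonymous client and a vehicle unit are denied all three moves while the backend is allowed exactly the two it legitimately needs. In a real deployment the same policy lives in the broker, not in application code: Mosquitto, for example, expresses it with `allow_anonymous false`, `require_certificate true` and `use_identity_as_username true` together with an ACL file using `pattern write fleet/%u/telemetry` and `pattern read fleet/%u/cmd`, so that each certificate identity is confined to its own topic pair.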
HopeChart devices are used in trucks from manufacturers such as JMMC, which produces a large number of vehicles for domestic and international markets, as well as Beiben Truck, Sinotruk, and other major industry players, including both Chinese and European manufacturers.
It should be noted that it is not known to what extent and for which specific vehicle models the vulnerable HopeChart HQT401 ECUs have been used, but their widespread use indicates the risk of cyberattacks with serious consequences.
Security analysts also confirm the alarming situation. Upstream’s 2024 report notes a significant increase in attacks against telematics servers and OEM backend server infrastructure:
In 2023, incidents targeting backend servers (telematics, applications, etc.) as well as infotainment systems in the automotive and smart mobility ecosystem increased dramatically. Server incidents increased from 35% in 2022 to 43% in 2023, and infotainment system incidents nearly doubled from 8% in 2022 to 15% in 2023.
The Upstream report also found that as software-defined vehicles (SDVs) evolve and the number of connected vehicles increases, the threat of cyberattacks continues to grow. In 2023, 95% of all attacks on automotive systems were carried out remotely, and 85% of those were long-range attacks, i.e. conducted over the internet rather than from within radio range of the vehicle.
Importantly, the number of broad-impact attacks, those affecting thousands to millions of vehicles at once, increased 2.5 times. This underscores that attacks on automobiles can have wide-ranging effects, simultaneously affecting millions of vehicles and users in different countries.
It should be noted that, because of the way infrastructure has grown up in the transportation industry (as in industrial sectors generally), security controls that have long been standard elsewhere and are considered non-negotiable, such as authenticating and restricting which clients may reach which cloud services, and which cloud services may reach which client software, are often simply absent.
The first requirement of the new cybersecurity paradigm for connected vehicles is a strict authorization policy for every command sent to a vehicle from the cloud infrastructure. Trusting a command because it arrived over the channel to the backend, or trusting data because it arrived from a vehicle, is what makes incidents like those above possible. Every command and data flow must pass through identity and access management (IAM) at the vehicle level: the sender is authenticated, the command is checked against the policy for that particular vehicle, and anything that fails either check is rejected.
Command traffic must also be analyzed in a Vehicle Security Operations Center (VSOC). A VSOC provides real-time monitoring, detection and response across the fleet and the backend, giving security teams up-to-date information on incidents and threats and a place to act on rejected or anomalous commands.
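What “strict authorization for every command” looks like at the vehicle end is shown in the added example below; it is not code from the article or from any vendor mentioned in it. The message format, the per-vehicle key and the policy table are assumptions, and the example uses an HMAC with a per-vehicle key only for brevity: a production gateway would verify an asymmetric signature against a backend public key pinned in the vehicle, with the keys held in a secure element. The verifier returns a decision and a reason for every command, which is exactly the record a VSOC wants to collect from the fleet.

```python
"""Vehicle-side verification of a remote command before it reaches the in-vehicle network.

Added example, not the article's or any vendor's code. Message format, key handling
and the policy table are assumptions. HMAC-SHA256 with a per-vehicle key stands in
for the asymmetric signature a real gateway would verify.
"""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple

# Constructed identifiers for the example. Real keys live in a secure element / HSM.
VIN = "VINEXAMPLE0000001"
VEHICLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Authorization policy: a command is executed only if it is listed here AND its guard
# holds for the vehicle's current state. Anything not listed is rejected.
POLICY: Dict[str, Callable[[dict], bool]] = {
    "lock_doors":   lambda st: True,
    "flash_lights": lambda st: True,
    "unlock_doors": lambda st: st["speed_kph"] == 0,
    "immobilize":   lambda st: st["speed_kph"] == 0 and st["ignition_off"],
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so backend and vehicle authenticate the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, payload: dict) -> dict:
    """Backend side: attach an authentication tag over the canonical payload."""
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class CommandVerifier:
    REQUIRED = ("vin", "cmd", "ts", "nonce")

    def __init__(self, vin: str, key: bytes, max_age_s: int = 30, clock=time.time):
        self.vin, self.key, self.max_age_s, self.clock = vin, key, max_age_s, clock
        self.seen: Dict[str, float] = {}  # nonce -> time after which it can be forgotten

    def verify(self, message: dict, state: dict) -> Tuple[bool, str]:
        """Return (accepted, reason). Every rejection reason is worth forwarding to a VSOC."""
        payload = message.get("payload")
        if (not isinstance(payload, dict)
                or not all(k in payload for k in self.REQUIRED)
                or not isinstance(payload["ts"], (int, float))):
            return False, "malformed"
        # Authenticity first: nothing in the payload is trusted until the tag checks out.
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return False, "bad_mac"
        if payload["vin"] != self.vin:
            return False, "wrong_vehicle"   # authentic, but addressed to another car
        now = self.clock()
        if abs(now - payload["ts"]) > self.max_age_s:
            return False, "stale"           # outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if t > now}
        if payload["nonce"] in self.seen:
            return False, "replay"          # same authentic command seen before
        self.seen[payload["nonce"]] = now + 2 * self.max_age_s
        guard = POLICY.get(payload["cmd"])
        if guard is None:
            return False, "unknown_command"
        if not guard(state):
            return False, "policy_denied"   # e.g. unlock requested while driving
        return True, "ok"


if __name__ == "__main__":
    now = time.time()
    verifier = CommandVerifier(VIN, VEHICLE_KEY)
    parked = {"speed_kph": 0, "ignition_off": True}
    msg = sign_command(VEHICLE_KEY, {"vin": VIN, "cmd": "unlock_doors", "ts": now, "nonce": "n1"})
    print(verifier.verify(msg, parked))     # accepted
    print(verifier.verify(msg, parked))     # replay of the same command is refused
```

The order of checks matters: the tag is verified before the VIN, timestamp or nonce are even read, so an unauthenticated attacker cannot exhaust the nonce cache or learn anything from the rejection reason beyond “bad_mac”. The policy table is where vehicle-specific rules such as “no unlock while moving” live; it is evaluated only for commands that have already been proven to come from the backend.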
By implementing these measures, automakers can better protect both their infrastructure and connected vehicles, reducing the risk of attacks and data breaches. Detailed requirements for vehicle cybersecurity management are set out in UN Regulation No. 155 (UN R155), which in the markets that apply it, including the EU, has been mandatory for all newly produced vehicles since July 2024, after first applying to new vehicle types from July 2022.
In summary, the growing interconnectivity of vehicles with cloud infrastructures clearly requires a rethinking of current approaches to cybersecurity. Automakers must proactively implement strong authorization policies, develop real-time monitoring and incident response through VSOCs, and pay attention to protecting both vehicles and their network infrastructure to counter growing threats.
Kaspersky experts can help you understand how to create and implement cybersecurity processes in organizations participating in the automotive supply chain, based on the current requirements of international standards and regulations.
When designing new cars, many aspects of cybersecurity can be taken into account at the architectural level in the very first stages of the car’s development, with the help of the centralized Kaspersky Automotive Secure Gateway (KASG). The gateway implements two-way authentication when communicating with the automaker’s cloud and when authorizing any external vehicle control commands. This significantly reduces the likelihood of hacking and unauthorized access to the vehicle and subsequently to the manufacturer’s information infrastructure.