Automotive Cyber Incidents in H1 2019 Already Surpass All of 2018

As the number of connected vehicles on the road increases, along with the use of smart mobility services, we see a continued growth in the reported automotive cyber and fraud incidents. Understanding potential vulnerabilities and how criminals take advantage of them is key to preventing attacks in the future. At Upstream, our research team is constantly analyzing incidents as they occur with the goal of delivering this critical information while ensuring that our technology stays one step ahead of hackers and fraudsters.

In April 2019, we published our findings for Q1 of this year, which already showed a rapid increase in the number of incidents. Now, with H1 behind us, our research team has put together an updated blog based on reported incidents around the world.

#1: The number of automotive related incidents is growing exponentially

The number of incidents in H1 of 2019 (82) are more than double that of H1 (32) of the previous year. In only 6 months this year, we’ve seen more incidents than all of 2018 (75), and we’ve still got six more months to go. At this rate, we can expect even more incidents in H2 2019, likely doubling or even tripling the total this year compared to 2018. According to a report published on Internet of Business, major European economies may reach nearly 100% connected car penetration by next year (2020). The increase in incidents is directly linked to the growing demand and use of connected cars and smart mobility services, and it is critical to stay ahead of the potential risks to ensure the users’ safety and protect companies’ brand and assets.

#2: Growth in the number of black-hat (cyber criminals) attacks endangering human safety

65% of all incidents in H1 2019 were black-hat attacks, resulting in damaged property, stolen assets, damaged reputations, and even significant safety concerns to the public. In 2018, black hat incidents accounted for 55% compared to 45% white hat. Connected vehicles and smart mobility services provide perpetrators with new and more advanced ways to access sensitive data, damage property, steal vehicles, and hold brands ransom.

#3: Remote keyless entry systems account for 47% of incidents

This continues to be the trend, as we saw in Q1 2019. The vulnerability of remote keyless entry systems is a favorite with hackers. We’re also seeing an increase in the amount of attacks targeting commercial vehicles, in addition to privately owned cars. In June, we saw 14 cases in the UK where criminals used this vulnerability to target commercial vehicles and hold them ransom, demanding thousands of pounds for their return. Victims reported that they were threatened by the perpetrators if they went to the police. These criminals used a “relay attack” hacking technique which involves intercepting, amplifying, and relaying communication between the wireless entry key fob (usually located inside the victim’s house) and the vehicle (parked outside). The attack allowed hackers to open the car and start the engine without a key fob. In May, 28 Mercedes Sprinter vans were stolen in the UK where criminals used a transmitter to amplify the signal emitted from the key. Thankfully, and quite rarely, we also saw a few incidents where the police were able to apprehend the perpetrators. In Malaysia, police arrested 5 thieves after 11 vehicles were stolen, and in the UK, one of the first arrests were made in connection with keyless car theft.

Our research shows that the main impact of these “keyless incidents” is car theft, which accounts for 40% of all incidents, making it the most significant.

#4: Server-related hacks account for 18% of all incidents and include multi-vehicle attacks and ransomware

Server-related incidents involve attacks where hackers take control of backend servers (i.e., telematics servers) where they are then able to access sensitive data, remotely track and control vehicles, disrupt the company’s services, and more. One incident that stood out took place in April, when a hacker broke into thousands of GPS tracker app accounts, gaining access to the back-end service and in turn was able to access data and even control tens of thousands of vehicles around the world. Thankfully, this was done by a white-hat hacker who wanted to highlight the vulnerabilities and force these companies to address them. By accessing their servers, he was able to see the location of thousands of vehicles, access the sensitive and personal data of the app’s users, and even send commands to open doors and shut down engines while the car was moving, which could have put the passengers at risk. Another incident was reported in March, when vulnerabilities were exposed in two smart alarm systems that hackers were able to access via the telematics servers. This allowed hackers to potentially take over accounts, track vehicle locations, and send remote commands to vehicles, from unlocking doors to turning off engines.

The most safety critical impact of server-based attacks is when backend telematics servers are attacked, allowing hackers to remotely control the car’s systems. This is also the most dangerous, as it allows the perpetrator to lock and unlock doors and even shut down the engine while the vehicle is moving. Controlling car systems accounts for 18% of the overall impact, putting it in second place overall.

Another impact we’ve found as a result of server-based attacks is access to sensitive data, either personal or organizational. This resulted in 11% of the overall impact of H1 incidents. Ransomware, amongst others became an apparent mechanism to target numerous companies.

#5: Mobile attacks account for 8% of incidents

Mobile apps are increasing in use due to their high demand and convenience, but they are also used as another entry point to access servers and vehicles. In April, we saw an incident on a popular telematics system. A vulnerability in the mobile apps  allowed hackers to remotely send commands and retrieve data, granting them unauthorized physical access to the vehicle. The maker of the popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers. The implications here to physical safety are immense.

Our research shows that the impact of mobile attacks varies. Disruption of the business’ services, which accounts for 15% of the overall impact, is prevalent. We saw this in the US when a group of black-hat attackers in Chicago used the Car2Go app to steal luxury vehicles. As a result, Car2Go halted their service over the entire Chicago area. According to Car2Go, this incident not only involved the mobile app, but included fraudulent methods. Fraud accounts for 8% of the overall impact in H1 of 2019.

#6: OBD port related incidents resulted in 6.5% of all attacks in 2019

In May, an OBD related attack led a Tesla vehicle to shut down. When hackers attached an ELM327 OBD-II Bluetooth module to the vehicle’s diagnostic interface, they could analyze traffic and read/send CAN messages. By replicating existing messages of random length and content, the hackers were able to generate an influx of error messages which led to a shutdown of the front and rear motors.

The impact in this case was two-fold – not only a disruption to the company’s services, but shutting down motors could be potentially life-threatening.

Summary

Analyzing these incidents is critical to understanding automotive cyber threats and how to address them in this industry. The increased use of connected vehicles and smart mobility services together with the rising number of incidents is undeniable, and the severity of these attacks threatens companies as well as consumers. We will continue to monitor and analyze incidents as they occur, allowing us to stay one step ahead of perpetrators as our platform evolves.

Get more information on reported automotive cyber incidents and subscribe to updates on new incidents on Upstream’s research page.