Navigating the Risks of Automotive Subscription Revenue Streams: Cyber Hacking Enables Bypassing, Tampering and Fraud
“A significant increase in hacking attempts by vehicle owners is expected, aimed at bypassing premium costs by manipulating systems fraudulently.” – Upstream Security 2023 Global Automotive Cybersecurity Report, Section 8: Predictions for 2023.
Vehicle subscription services are becoming more popular as automakers look to generate revenue through subscription fees for in-car features, services, and upgrades. According to a report by McKinsey, these services are expected to increase automotive revenue by 30% over the next decade.
Tesla was one of the pioneers of in-vehicle purchases and microtransactions, offering upgradable software-locked capabilities such as acceleration boost, range boost, premium connectivity, Autopilot, and self-driving capabilities. Many OEMs were soon to follow, tapping into this growing and attractive revenue model. With software-defined vehicles and application programming interfaces (APIs), automakers can patch problems, unlock pre-built functionalities, and add new features with over-the-air software updates, creating new innovative revenue streams.
As often happens with digital transformations, increased connectivity also introduces new attack vectors for hackers to exploit. But implementing a subscription model to unlock functionalities and capabilities may lead to greater chances of consumers jail-breaking their vehicles. This move by consumers introduces cybersecurity concerns and the likelihood of fraud being committed intentionally or unintentionally.
In 2022, a German OEM announced subscriptions for heated seats; this sparked a backlash among vehicle owners and calls for hacking. Within a week of the announcement, hackers claimed to have unlocked the subscription-only feature. Additionally in June 2022, as an experiment, an electric vehicle was hacked, and the speed limitations were removed. As a result, the vehicle reached a top speed of 216 mph. The hack was done by a Canadian-based CEO on a vehicle that included bigger brakes and higher performance tires, with the modifications done mostly for safety reasons. Accordingly, a regular car might have burnt up its tires and wouldn’t be able to perform a safe halt if it had reached such high speeds.
Microtransactions and subscription-based services also require more personally identifiable information (PII) and digital user fingerprinting, introducing user IDs as another potential attack vector. Credentials shared by users or administrators, whether intentionally or unintentionally, can be used by hackers to gain access to networks, systems, and applications.
Tampering with a vehicle’s odometer system costs American car buyers over $1 billion annually
Consumers might tamper with a vehicle’s systems to bypass limitations, avoid payment systems, or manipulate usage data, all negatively impact the value and maintenance of a vehicle. If a consumer disables or manipulates the data of systems used to track usage to avoid being charged on a mileage-based warranty, they would be committing fraud.
Rolling back the odometer to reduce the mileage is one way in which consumers seek to manipulate data on vehicles to avoid paying for services. Odometer rollback alone is estimated by NHTSA to impact 450,000 vehicles sold each year, costing American car buyers over $1 billion annually.
Additionally, tampering could void the vehicle’s warranty since most vehicle warranties include provisions stating that the warranty will be void if the vehicle is modified or repaired by anyone other than an authorized dealer or manufacturer. Suppose consumers tamper in an attempt to access locked features. In that case, they may be responsible for paying for any repairs or replacements out of pocket, a potentially high price to pay in place of a low monthly subscription fee.
Bypassing subscription costs can have major consequences for connected vehicles
Consumers seeking to bypass subscriptions can introduce malware and major cybersecurity risks to their connected vehicles, but for SDVs this can pose an even greater threat with more systems in the vehicle being impacted.
When consumers are charged for a feature they previously had access to resistance is a likely outcome. From shared Netflix credentials to hacked Spotify accounts there are a variety of examples from across the subscription economy to show that companies should expect consumers to try and find a way to access features payment-free.
Any vehicle where these subscription-only feature models are relevant is susceptible to consumers installing rogue software in an attempt to bypass feature limitations. Hackers can create malicious software that looks legitimate and trick consumers into installing it on their vehicles, as they seek a way around the subscription payments.
As uncovered by Upstream’s AutoThreat® PRO team, in June 2022, a popular deep web automotive forum offered for sale the instructions for remote installation of a cracked diagnostic software for various OEMs.
This rogue software could allow the hacker to gain unauthorized access to the vehicle’s systems and data, potentially manipulating the vehicle’s performance or using the systems to launch attacks on other devices or networks. Hackers could exploit this access by using the vehicle’s systems to launch attacks on other devices or networks.
For example, they could use the vehicle’s data connection to launch a distributed denial of service (DDoS) attack or to transmit malicious payloads to other devices. They can also use this access to steal sensitive data from the vehicle or the consumer, such as login credentials, financial data, or other sensitive information stored on the vehicle or transmitted through its systems.
As connected and software-defined vehicles become more ubiquitous, the role of effective threat detection and response expands beyond cybersecurity into additional areas with fraud detection heralding the expansion. Since the Vehicle SOC fuses together disciplines from the IT and OT sides of the enterprise and is monitoring all aspects of the service, this enables vSOC teams to recognize fraud incidents.
The Upstream Platfrom’s effective vehicle response and detection ingests and normalizes multiple data feeds to build a unique digital twin profiling of the connected vehicle environment. The platform layers powerful AI-powered detection modeling along with security analysis and customized mobility incident alerts. The platform’s pre-built integrations with leading IT SIEM and workflow solutions enable a true end-to-end vSOC.
Upstream’s 2023 Global Automotive Cybersecurity Report
Cleared for takeoff? Upstream’s vSOC is the traffic control center for vehicles
Air traffic control centers play a critical role in ensuring the safety and efficiency of air traffic. The control centers help prevent aircraft collisions, maintain…Read more
Discovery: An Essential First Step in Securing APIs
API security is a crucial facet of cybersecurity in this era of rapid digitalization. While APIs serve as potent tools operating across every aspect of…Read more
Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules
Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to…Read more
Upstream Security joins AWS ISV Accelerate: What does it mean for Connected Mobility and SDV makers?
On May 24, 2023 Upstream was selected to join the AWS Independent Software Vendor (ISV) Accelerate Partner Program. This marks an important milestone in our…Read more