Connected car security is improving, researchers say

The automotive industry has apparently stepped up their game when it comes to improving connected car security.

According to the latest IOActive report, which was compiled from the results of the company’s extensive research in the field in 2016 and 2017, there has been a significant improvement in front-end cybersecurity, i.e. vehicles’ hardware systems.

Connected car security

Risk ratings have gone down

Since their previous report on the state of vehicle security (released two years ago), the industry has has been tackling the hardening of local interfaces and their efforts have lead to a decrease of vulnerability impact and likelihood, researchers Josh Hammond and Jerel Culliss have noted.

The number of critical-impact vulnerabilities – those that can lead to partial or complete compromise of a component or potential safety concerns, the disabling of a functionality, or disclosure of sensitive personal information – has decreased by 15 percentage points, while the distribution of medium- and low-impact vulnerabilities has increased.

“We’ve seen significant growth in the design of vehicle systems to incorporate security from the start. This includes making sure that the processes that handle data are running with limited privileges, which helps lower the impact of the most likely attacks,” they pointed out.

Also, most vulnerabilities unearthed by IOActive researchers could either only be exploited by advanced attackers or may require another compromise to be exploitable and, as such, they fell into medium- and low-likelihood categories.

Attack vectors and vulnerability trends

The most common attack vectors for the vulnerabilities the researcher discovered in 2016 and 2017 are local and network.

Connected car security

The local attack vector requires an attacker to have a foothold on the system and be able to obtain privilege escalation. The network attack vector includes network traffic (e.g., Ethernet, web) but also cellular network and CAN bus traffic (even if those have bee given their own category in the above graph).

There was also a marked increase in the “serial” attack vector.

“These attacks require physical access to the device and can include reading and modifying firmware, reading data between components, and taking advantage of debugging and test features left in the hardware,” they explained.

“The large increase in local and serial attacks can be attributed to a shift in testing approaches. As security has become a more prevalent concern, more companies are providing documentation and debugging access to help identify vulnerabilities inside their systems. The automotive industry is also taking more of an interest in lower-level security features, like secure boot, which is reflected in the areas we end up testing.”

The most prevalent vulnerability type in their data set was coding logic errors (26%), followed by memory corruption flaws (16%), incorrect utilization of the principle of least privilege (14%), and information disclosure bugs (12%). And the researchers expect the percentage of coding logic errors to increase over time, as security architecture and secure development practices improve.

Prevention

Most of the found vulnerabilities can be prevented by manufacturers following industry best practices (as detailed by groups such as Auto-ISAC and OWASP), to prevent issues like unencrypted and unauthenticated network traffic, unfiltered user inputs, etc.

“The next largest category is secure coding practices, such as using insecure functions and not checking return values. These can mostly be fixed with strong implementation guidelines and enforcing banned functions,” they noted.

“Authentication design may be the most difficult category to fix. These are issues that come from the design of the system, where strong controls are lacking in the system architecture. Fixing these may involve significant changes in how services communicate and how the system is accessed.”

It’s also good to note that their report was based on research they performed just on cars’ hardware systems, and not associated mobile apps, web interfaces and manufacturers’ backend systems, which are likely to be targeted by attackers searching for all kinds of information about the car owners (contacts, location, payment information, etc.).

They also believe that the industry should focus on making over-the-air updates secure, as they are largely delivered by third parties. Singed firmware updates are a good solution for that.