OEM Cyber Security Layout Report, 2020


January 16, 2021

Last week, Reportlinker.com announced the release of “OEM Cyber Security Layout Report, 2020”, written by “Research In China”. The report highlights that the most important attack vectors in automotive cybersecurity mainly target servers and digital keys. Mobile apps and the OBD port are also mentioned as vulnerable to attack.

According to the report, servers are exposed to attacks by hackers through the operating system, database, TSP server, server for Over-the-Air (OTA) updates, etc., where data manipulation, damage, and/or vehicle safety accidents are potential consequences. The rather high number of attacks on servers could be because most of the attack tools are remotely accessible and quite low in cost. Also, the data stored on the servers is coveted and valuable to hackers.

In March 2020, the digital key encryption of OEMs like Toyota, Hyundai and KIA was reported to have limitations due to the vulnerabilities of Texas Instruments’ DST80 encryption system. For example, a hacker could stand near a car that uses a DST80 remote control key and use an inexpensive Proxmark RFID reader/transmitter to get the encrypted information of the key.

Further, the report says the future trends among OEMs for addressing the challenges of automotive cybersecurity are:

  1. Information management inside the company and optimization of R&D processes.
  2. Build a team intended for cybersecurity.
  3. Cybersecurity protection of telematics.

As the report points out, European and American OEMs have diversified deployments of cybersecurity protection. Automakers from Europe and America are going to advance their cybersecurity build-out comprehensively, drawing on their technical strengths and tightening control of information security management inside the company, in addition to improving cybersecurity protection of telematics. As an example, Mercedes-Benz is mentioned with actions like:

Cloud computing: vehicle data protection enabled by a cloud platform through which the car owner takes control of data openness to the outside while driving. The relevant information will be eliminated automatically after the car owner leaves the car.
Factory: partnership with telecom carriers and equipment vendors to set up intelligent vehicle manufacturing factories where the production data will be safety-enabled via the 5G mobile network.
Vulnerability protection: joining forces with third-party cybersecurity providers to test and repair potential vulnerabilities in intelligent connected vehicles.

Further, “Research In China” states that Japanese and Korean OEMs focus more on cybersecurity protection and management inside the company, while the emerging forces among Chinese OEMs are ahead of the rest.

As another example, the report mentions Nissan Motor (Japan). Nissan proceeds with information security management inside the company and improves the related regulations. Over recent years, Nissan has been improving its R&D management system and cybersecurity platform. This has been done through its Tel Aviv-based joint innovation laboratory as well as through collaborations with Israeli start-ups within cybersecurity and testing. It is also mentioned that Nissan has more than ten cooperative joint prototype projects.

Chinese OEMs have ever-broader cooperation in cybersecurity, as they are vigorously seeking external collaborations on vehicle, communication, platform, data, and applications. According to the report, Chinese carmakers are “commendable in cyber security protection”. For example:

XPENG Motors is building its own security team for deployments across cloud, vehicle, and mobile phones. XPENG’s partnerships with Aliyun (i.e. Alibaba Cloud), Irdeto, and Keen Security Lab of Tencent for a proactive protection system are also mentioned.
NIO (Chinese carmaker) has built an X-Dragon multi-dimensional protection system through a self-owned security team and multi-party cooperation.
Also, the “time-honoured” Chinese automakers, such as Dongfeng Motor, SAIC, GAC and BAIC, have all followed suit, prioritizing cybersecurity-related management during the whole life cycle of their vehicles.

The author is aware of the somewhat biased angle of the report, as it fails to mention some relevant automakers, like Tesla, and appears overly complimentary of Chinese carmakers. However, the report raises relevant cybersecurity concerns.

Written by Joakim Rosell
