Well, the number of ransomware attacks clearly increased in 2021 and it certainly seems like no sector is safe from it, not even the automotive sector. Sometimes multiple sectors get affected, as for example with the Colonial Pipeline attack against oil infrastructure in May last year in the USA.
Other things worth mentioning
According to the Financial Trend Analysis report by the U.S. Treasury, ransomware operators probably made more from ransom payments in 2021 than they did during the entire past decade, and the trend of increasing numbers of ransomware attacks is not expected to flatten in 2022. In parallel, research has shown that businesses suffer the largest losses through lost productivity and the cleanup work that follows a ransomware attack (including incident response and legal support), not through the actual ransom payments.
We have also seen how the “Right to Repair” concept has grown and left some trails in the automotive cybersecurity domain, as it encourages customers to modify (hack) their vehicles: warranty void clauses force them to use authorized dealers and mechanics for diagnosing and fixing problems outside the service intervals, most often because draconian locks have been put on the equipment and its associated software. At least the American brand John Deere experienced this in 2021. It is not certain that “tractor hacking” in particular will continue to grow in 2022, but the Right to Repair concept, and the cyberthreats that can come with it, more probably will.
New attack vectors have been established as different research groups have spent time manipulating the perception systems of different vehicles. For example, researchers identified a system-level flaw that could allow an attacker to modify an image stabilizer’s acoustic properties and thereby affect the object detection algorithms. Link to paper.
In 2020 an article about remote phantom attacks was published, which is another example where vehicles’ perception systems are semi-physically manipulated, here by projecting virtual objects in order to trick the decisions made by the perception system’s object detection algorithms. Hopefully, in 2022 we will read about more innovative means of tricking the perception systems of our future vehicles. “Hopefully” since such findings favor the development of secure and safety-reliant perception systems. Also “hopefully” since, most often, it is fun reading too.
Various software bugs that could compromise privacy or endanger safety aspects of our connected vehicles have also been frequently reported in 2021. The reported bugs have most often been found by white hat hackers and bug bounty hunters, who emphasize their findings by underlining what could have happened had the bugs instead been found by hackers with bad intentions. Non-white hat hackers are not as eager to expose their findings, though, so software bugs will continue to be disclosed in 2022 too. Bugs reported during 2021 worth mentioning are:
The BrakTooth vulnerabilities, the misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 – 8.5.x which could lead to unintended data exposure and did so for some servers of Ford, and more recently the log4j bug.
In 2021, coordinated frameworks, policies, technical references, and cybersecurity standards for the automotive industry were produced and established, all with the sole purpose of providing the automotive industry with guidance for building more secure and safe connected vehicles. For example, the following were all released in 2021:
- ISO/SAE 21434 “Road vehicles: Cybersecurity engineering”
- Automotive SPICE for Cybersecurity
- TR-68:3 “Autonomous vehicles: Cybersecurity principles and assessment framework”
- “OpenChain ISO 5230 – Security Assurance Reference Guide 1.0”
Work on new standards has also been conducted in 2021, and the following are all commencing:
- ISO 5112 “Road vehicles: Guidelines for auditing cybersecurity engineering”
- ISO/SAE 8475 “Road vehicles: Cybersecurity Assurance Levels (CAL) and Target Attack Feasibility (TAF)”
- ISO/SAE 8477 “Road vehicles: Cybersecurity verification and validation”
It will certainly help to look at the recent past to forecast the automotive cybersecurity trends in 2022, and hence be able to say the sacred words: I told you so. These are the words that every living man, throughout the history of mankind, and especially men in their mid-50s, strives to possess. A MAMIL (Middle-aged Man in Lycra), or any person who wants those words confirmed in retrospect, should therefore be looking at 2021 for guidance. Nostradamus would probably have worked in a similar manner to arrive at these not so bold predictions: continued adoption of developed and established standards across the automotive industry, improved security awareness within organizations with relevant security training for developers and employees, and increased usage of automated cybersecurity testing tools. Also likely, there will be an increase in the number of ransomware attacks, which might be of an even nastier character, just as more security glitches in embedded software will continue to be found.
Do you know why they never caught the hacker?
He ran somewhere!
Written by Joakim Rosell