A report covering connected car security from 2016-2017 has found the number of vulnerabilities has decreased in number and likelihood, but more work needs to be done baking in security during the design phase and applying industry best practices in the future.
IOActive’s research, which follows up on a similar report issued in 2016, included a look at threat modeling, attack vectors and attack methodologies to come up with a series of potential vulnerabilities and then the listing the likelihood they could be implemented by a malicious actor.
The good news from the report is the number of vulnerabilities found have decreased as has the impact they can have on a system. In 2018 10 percent were rated as potentially having a critical impact, down 15 points from the 2016 report, while the number of medium and low impact issues increased to 52 percent of the total. A greater focus on cybersecurity at the factory level is credited for this change.
“We’ve seen significant growth in the design of vehicle systems to incorporate security from the start. This includes making sure that the processes that handle data are running with limited privileges, which helps lower the impact of the most likely attacks,” the report said.
IOActive found a “notable” increase in the number of serial attacks compared to the previous report, although these types of attacks only comprised 14 percent of all attacks. Local and network attacks were the top two vectors with the former being used in 34 percent of the attacks and the latter 33 percent. Cellular and USB-based attacks were used in 8 percent of attacks, each, with three percent using CAN Bus.
The fact that the majority of the attacks were local can be viewed as a positive as a local attack requires physical access to the vehicle, which is difficult to obtain, although if successful does give the attacker a greater ability to elevate privileges or otherwise manipulate the system. The report also believes more network attacks were found because companies are now testing more vigorously for these due to their great ability to cause damage.
The types of vulnerabilities found covered a wide gamut with coding logic errors being most prevalent comprising 26 percent, up from the previous report, and IOActive believes these types will continue to increase “As security architecture and secure development practices improve, this area is expected to represent a larger portion of errors.”
Memory corruption, 16 percent, privilege, 14 percent, information disclosure, 12 percent, backdoor, 10 percent, web, 8 percent, hardcoded credentials, 7 percent and dependency at 7 percent were the remaining vulnerabilities.
The public report does not name specific remediation actions for each vulnerability, but IOActive did offer some broad stroke measures that can help. Simply following industry best practices would be effective in curing for 41 percent of the issues, secure coding practices would take care of another 29 percent, authentication design, 18 percent, deployment procedure, 7 percent and patch management, 5 percent.
“The largest category by far was industry best practices. These are issues that could be solved by following common guidance from groups such as the Auto-ISAC and OWASP. These tend to be issues like not authenticating data, not encrypting and authenticating network traffic, and not filtering user inputs,” the report said.