Hidden Cybersecurity Risks In Automotive Software

The more complex automotive systems and software become, the more effort their producers should put into protecting them. Some cybersecurity risks, like data breaches and system compromise, are always under the spotlight, whether in the form of concerns over driverless cars getting hijacked or a Tesla modem hack discovered during a Pwn2Own Automotive event.

Other cybersecurity risks aren’t as widely discussed, even though they can be devastating to both vehicle manufacturers and drivers if not mitigated in time. As my company has a long history of solving challenging cybersecurity puzzles, I want to share a few insights on what to pay extra attention to in order to secure a modern automotive system.

Automotive Cyber Threats No One Talks About

First, let’s outline some of the key cybersecurity risks and challenges that haven’t received much public attention but should still be addressed in order to build secure and reliable software for smart vehicles.

Software Supply Chain

Automotive software vendors often use complex ecosystems of third-party solutions, introducing the risk of supply chain vulnerabilities. Just one compromised component can result in a significant security breach across the entire vehicle system.

While open-source software is often considered to be a safe choice due to the transparency it offers, the more third-party components are integrated into your product, the harder it is to identify hidden vulnerabilities and maintain vehicle safety.

Legacy Systems

As vehicles have long lifespans, it’s important to keep the software running them secure and functional for many years. Otherwise, outdated and unpatched legacy systems can create significant cybersecurity risks. However, supporting older versions of your software or hardware further complicates security efforts, as legacy systems often lack the defenses needed to withstand modern cyberattacks.

Firmware Vulnerabilities

Smart cars run on numerous microcontrollers and embedded systems that are responsible for critical functions like braking and steering as well as for infotainment capabilities. Firmware components have strictly limited memory and processing resources, making it challenging to properly secure them from the start. Introducing additional cybersecurity measures later on is also not easy. Being deeply integrated into a vehicle's systems, firmware has a great impact on the vehicle's overall behavior and reliability. That’s why firmware updates are often introduced only once in a system’s lifetime—or never at all.

Over-The-Air (OTA) Updates

OTA updates provide vehicle manufacturers with a convenient way to remotely deploy software updates and new features. However, these updates can also become an additional source of cybersecurity risks. If not properly secured, OTA updates may be intercepted and altered by malefactors, risking the reliability of the entire system. Given the growing reliance on OTA updates, securing these transmissions is essential for maintaining the integrity of vehicle software.

Infrastructure Vulnerabilities

Vehicle-to-everything (V2X) communication is essential for improving traffic flows and preventing road incidents. However, integrating smart cars with electronic vehicle charging stations, smart city systems and other external infrastructure dramatically expands the attack surface. Hackers can target weak points in these external systems to disrupt not only individual vehicles but entire networks. Vulnerabilities in charging infrastructure, for example, could leave electric vehicles exposed to large-scale attacks.

Although all these risks may not be as obvious as the need to secure network communications and customer data privacy, they are just as critical. Now, I'd like to share what my cybersecurity team and I suggest doing to mitigate these hidden threats.

Countermeasures For Enhanced Automotive Security

Integrating proactive, layered security strategies will help OEMs and automotive software vendors enhance the security of modern vehicle systems. These strategies should include the following measures:

Leverage a software bill of materials (SBOM).

An SBOM is basically a detailed inventory that helps your team track and manage all third-party components used in your product. An SBOM enables much-needed visibility across your entire supply chain, making security audits easier and more effective. Maintaining transparency and security in the supply chain is essential as more and more open-source components are integrated into automotive software.

Secure your legacy systems.

To ensure proper maintenance and enhance the security of legacy systems, it’s important to seamlessly apply necessary updates and patches. For example, you can use virtual patching and block known vulnerabilities at the network level until permanent updates are in place.

Protect firmware and OTA updates.

Enhance the protection of your OTA updates with end-to-end encryption. Use cryptographic hashing and digital signatures to verify the integrity of updated files and prevent their tampering. Additionally, it’s best to adopt fail-safe update mechanisms, including various rollback options so that vehicles can seamlessly revert to a secure state if the latest update fails or is compromised.

Encrypt V2X communication.

It’s also critical to secure V2X data transmission with low-latency encryption. This way, you can protect V2X data transmission and maintain real-time responsiveness, which is a critical factor in safety-related applications. To further enhance the protection of critical data exchanged between smart cars and external infrastructure, make sure to deploy robust authentication protocols to prevent unauthorized system access.

Closing Thoughts

Building automotive software systems that are secure by design requires thorough research and strategic planning that accounts for a wide array of possible threats. High complexity and a strong interconnection between different components of such systems further complicate the task of securing data, connections and processes.

When in-house expertise isn’t enough to tackle these tasks, it may be wise to delegate them to outsourced development teams with relevant skills and knowledge. In this way, automotive software vendors and OEMs can further enhance the safety and reliability of software systems that enable the operation of connected vehicles.

The article was originally published at www.forbes.com.

At Apriorit, we specialize in delivering high-performance software solutions for niche industries. From cybersecurity to AI-powered systems and legacy system modernization, our expert team will help you create secure, scalable, and innovative automotive software tailored to your unique needs.

Contact us via [email protected] to start discussing your next project! Also, check out our blog to learn more.