If you still think of cybersecurity in terms of outages and ransomware attacks, you're in for a shock. Software-defined vehicles, insecure APIs and mobile services have opened new attack vectors for bad actors to exploit. And they are working very hard. Over the past few years, the number of vehicles attacked through APIs has increased by 20%. A single incident can affect thousands of vehicles.
This threat is real and can have a significant impact on fleets, with safety implications as well as economic ones.
HDT Equipment editor Jim Park spoke with Haim Kantor, vice president of North American operations at Upstream Security, about these new threat vectors and the dangers they pose if they are allowed to proliferate.
This Q&A features highlights from recent episodes of HDT Talks Trucking.
This interview has been edited for brevity and clarity.
HDT: Can you tell us where we are today with automotive cybersecurity?
Kantor: We have reached a tipping point. The number of cybersecurity incidents has increased by 400% over the past 5-7 years. However, we are moving from simply talking about the number of incidents to considering the impact of the incidents.
In other words, how many vehicles can be affected by a single security incident, and what are the operational and financial implications? The nature of the hack, the attack vector, and whether it was intended. Depending on the outcome, hacking one vehicle can affect the entire vehicle. So now we're moving from one vehicle to perhaps dozens, hundreds, or even thousands of vehicles.
The motives for these attacks vary, but are usually financial. However, since the Russia-Ukraine war, there is also a geopolitical element. However, what we are newly seeing is people hacking the cybersecurity of their cars to avoid paying for premium services.
HDT: Does this mean that the vehicle, or some technology on board, is facilitating the attack and giving hackers a way into the vehicle?
Kantor: Yes. One of the reasons why attacks on vehicles are on the rise is because there are new vectors to attack them. Previously, this required a deep understanding of how the vehicle worked. Attacking internal elements of the ECU or TCU requires a lot of knowledge about the car. However, today's trend is to attack vehicles through APIs (Application Programming Interfaces).
Currently, approximately 20% of attacks are based on APIs or mobile services running fleets. You don't need to know anything about cars. Instead, vulnerabilities were found within the API. In the OWASP world (Open Web Application Security Project), nearly all of the top 10 attacks apply to the vehicular world. For example, the Orbcomm attack. This ransomware attack was carried out purely through an API attack.
HDT: So in that case, the attackers targeted Orbcomm, but the impact was felt by fleets using Orbcomm products. An interesting question arises here. How can fleets ensure that their suppliers are taking appropriate precautions upstream?
Kantor: This requires a lot of education. Fleet owners and managers should ask questions to ensure their fleet is safe. They should say that one of the requirements is to ensure that the supplier has that security.
HDT: Here's the scenario. Please let me know if this is possible. Brakes on some trucks can now be applied via electronics onboard the truck. If someone gets the right code, is there a chance they could start applying brakes to individual trucks or entire vehicles?
Kantor: Yes, I can. Let's take an example. It's not a truck, but it's farming. During the early stages of the Russo-Ukrainian war, John Deere was able to hijack their vehicles and remotely disable their equipment using kill switches. The same thing can happen with an attack that pushes the truck's “kill switch.”
HDT: Can you give us some other real-world examples of this type of attack?
Kantor: Let's start with the attacks seen in early 2022. David Colombo [a self-described tech security specialist] had access to 25 Tesla cars from around the world. This equates to 25 cars in 25 countries. He was able to connect to the car through an application not provided by Tesla, but Tesla approved the application.
Through the app, he was able to honk the horn and raise and lower the windows. That sounds interesting, right? But consider a truck driver driving 110 miles per hour on Interstate 95. Windows begin to open and close, and horns start blaring. It could be really dangerous.
In September 2022, hacker and researcher Sam Curry decided he wanted to try his hand at hacking cars. He didn't know anything about cars, but by November he figured out how. He exploited vulnerabilities in SiriusXM's Connected Services and related telematics systems to gain entry. All he needed to know was the VIN number for the vehicle.
As you know, VIN numbers are easy to obtain. The API was not successfully authenticated and Curry was able to enter 12 different OEM vehicles. So now he's gone from one vehicle to a whole fleet to multiple vehicles, that is, he's gone from one vehicle to millions of vehicles and even tens of millions of vehicles. Not only that, but he penetrated via telematics, so there's a deeper attack as well.
Later that year, a group called Anonymous attacked Yandex in Moscow. Yandex is like Uber in Moscow. Hackers penetrated its back office systems through its API and routed all Yandex vehicles to one location in Moscow. They didn't touch the car. All they did was get the system API and basically weaponize the car. This caused massive traffic congestion, which had a direct impact on people's safety.
The first recorded vehicle hacking incident was in 2015. The hacker was inside the Jeep and it was a staged hack on a Cherokee. Fast forward to 2022. Hackers are taking control of multiple vehicles using vulnerabilities in apps licensed by OEMs.
HDT: What vectors are they using to provide that level of control to the vehicle itself?
Kantor: It starts from the attack vector and directly attacks the vehicle. So things like remote start, TCU/ECU, telematics, etc. all require a lot of knowledge about the vehicle. But now we have all these new vectors like APIs and mobile applications.
These account for approximately 20% of today's attacks. This was up from about 2% the previous year. That's one thing. Another vector we are currently seeing comes from EV attacks. It's about 4% now, which isn't a huge number, but given the growth of EVs and all the money being spent on EVs, you can see how many times that would be.
When it comes to EVs, the second thing is charging. All communication for billing is done through API. There are also new vectors of entry into vehicles from charging stations. If someone could get their hands on the entire charging network and send commands to supercharge cars, they could essentially disable all cars.
I can't tell you how many drivers are aware of the fact that when you connect your car to a charging station, not only are electrons flowing through that pipe, but so are all your personal data, billing data, and credit card data. All of these can also be obtained from the vehicle.
HDT: Have you identified any trends in this whole thing?
Kantor: Several trends were observed. First, many new attack vectors now exist. It's smart mobility and APIs. And you can see that the scale of the attack is even larger, and it's an attack that spans the entire fleet.
And there's one other thing I didn't mention that's really interesting. The customer is currently attacking his vehicle. Today's OEMs are trying to increase revenue by selling premium services, right? Projections show that trillions of dollars will come from these services by 2030.
There was recently a famous case where an OEM said they would charge 12 or 18 euros per month for heated seats. This was not very popular with customers. Therefore, customers think, “Let's hack the car and jailbreak it.”
HDT: This sounds pretty discouraging. Are any concrete efforts being taken to mitigate this threat?
Kantor: It's like going back to the days when Intel was in-house. You want to know that there's some form of cybersecurity protecting you internally, for example, upstream.
But regulation also plays a big role. Europe is more advanced, with WP.29 and UN Regulation R155, which requires vehicle surveillance. Although this regulation has not yet been applied in the United States, OEMs understand their responsibilities and are taking steps regardless of the regulation.
However, regulation is coming. The National Highway Traffic Safety Administration (NHTSA) promotes and encourages OEMs to join the AutoISAC (Automotive Information Sharing and Analysis Center). This agency shares information between car manufacturers and tier 1 suppliers.
Additionally, some of NHTSA's recommendations are very similar to those in European regulations. In the near future, perhaps by 2025 or 2026, we will see a situation like this here.