Auto cybersecurity firm expects consumers to emerge as hackers; increased attacks expected on fleets, EV charging infrastructure
Add vehicle owners to the growing list of potential cybersecurity threats against automakers in 2023.
Early adopters of new digitized offerings from automakers will find ways to bypass premium features by manipulating their vehicles’ systems fraudulently, according to executives from Israeli cybersecurity firm Upstream.
Speaking at a cybersecurity webinar Tuesday, the Upstream team said consumers may push back as automakers launch subscription-based services and features in new vehicles.
Automakers — from BMW and Tesla to Volkswagen, Toyota and General Motors — have offered monthly subscriptions for services like heated seats, global positioning systems, music streaming and remote keyless start functions with varying degrees of success.
Cybersecurity is a growing concern for the auto industry, and as vehicles become digital platforms, a group of so-called white hat hackers — researchers who uncover vulnerabilities and notify automakers and suppliers — are finding problems. Last year, security engineer Sam Curry hacked into Reviver, a digital license plate company that has fleets as customers. Curry gained full “super administrative access” to manage all of Reviver’s user accounts and vehicles. His team found ways to penetrate BMW, Rolls-Royce, Jaguar-Land Rover, Mercedes-Benz, Porsche, Ferrari and Ford’s customer and employee information.
Upstream expects that black hat hackers — those using vulnerabilities for nefarious reasons — will focus on automotive fleets this year. In 2022, black hat hackers focused most of their attention on breaching automakers’ telematics and application servers, representing 35 percent of auto cybersecurity breaches, according to Upstream.
In 2022, Upstream counted 268 publicly reported automotive cyber attacks, up from 245 incidents publicly reported in 2021.
The number of attacks is growing steadily. Upstream cited 230 incidents in 2020, 196 in 2019 and 79 in 2018.
From 2010 to 2022, the firm recorded 1,173 publicly reported auto-related cybersecurity attacks.