Trend Micro has a long and successful track record of predicting where the next threats to our digital connected world will be targeted. In fact, its expertise in doing so has led to the creation of several standalone subsidiaries in recent years, such as VicOne, which is dedicated to connected vehicle cybersecurity.
Because we’re ahead of the game, many industry organisations haven’t given this topic serious thought. But rest assured, the bad guys are. We expect connected car cyber risk to evolve considerably in the coming 3-5 years.
Why connected cars?
Automobiles are increasingly more akin to powerful computers on wheels than they are traditional vehicles. They’re estimated to contain over 100 million lines of code. Compare that to an average passenger plane, which has just 15 million. Yet just as this smart functionality can enhance the driving experience and even improve car safety, it also opens the door to hackers.
So where are these cyber threats most pronounced? We believe a key area of risk for manufacturers and drivers is the vehicle user account. By hijacking or stealing such an account via phishing for credentials or installing malware, a cyber-criminal could locate the car, break into it and potentially sell it on for parts or follow-on crimes. They might even be able to locate the owner’s home address and target it for burglary when they’re not in. It’s a crossover between cyber and physical crime which we’ve seen before with ATM break-ins.
To recap, access to a vehicle user account could enable criminals to:
- Remotely unlock/start the car
- Open the car and loot it for valuables
- Commit one-off crimes such as ram-raiding or drug trafficking
- Drive the car away and sell it for parts
- Locate the car to pinpoint the owner’s home
- Locate the car to know when the owner is not home
Only a matter of time
Here at VicOne, we’re already thinking about the worst-case scenarios. The good news is that we’ve not thus far found any evidence of attacks like those listed on cybercrime forums. The current focus for cyber-criminals seems to be network access for theft of regular data, rather than car user accounts.
However, it won’t take them long to catch up and realise the importance of vehicle user accounts. One way to think about this is the triangle of criminality. For a crime to take place, there must exist three aspects: target, desire, and opportunity.
The target (connected cars) is not ubiquitous at present, but it soon will be.
The opportunity is clear: hijacking user accounts using tried-and-true techniques like phishing, info-stealers and keyloggers.
As for desire, criminals haven’t yet found a way to monetise user accounts, but that light bulb moment is not far away.
The biggest cyber risk today lies within car data, not the vehicles themselves. However, we expect that to change within five years as criminals better understand the connected vehicle ecosystem. The industry should start planning accordingly.
To learn more, please visit: https://vicone.com/blog/what-lies-in-store-for-connected-cars-in-the-cybercriminal-underground