Automotive threat surface merges physical and digital threats, expert tells IT Brew

When it comes to automotive cybersecurity threats, the dangers are, as Pantera once declared, far beyond driven.

Whether it’s EV chargers, wi-fi hacks, or key fob spoofing, your vehicle faces more threats than ever. That’s according to ForAllSecure CEO David Brumley, who told IT Brew at this year’s RSA Conference that automotive infotainment systems remain the best way for hackers to infiltrate vehicles.

“What continues to surprise me is how little thought is put into these systems,” Brumley, also a professor at Carnegie Mellon, said. “We were just looking at a major tier-one car manufacturer, and they’re running software that hadn’t been updated in five or six years.”

Software like that has often been discontinued, Brumley added, meaning it may not even be possible to update it. And how old your car is plays a part, Brumley said—vehicles from the late 2010s, for example, are “tricky” because while your car is “fully connected,” in practice that means that it’s more vulnerable to threats. Earlier models don’t have that problem, primarily because they’re not as advanced and therefore not as connected to the internet and its malicious actors.

Target rich environment. As IT Brew has reported, vehicle software integration has made the automotive industry a prime target for attackers. Threats can range from amplifiers, which thieves use with a microphone and relay to boost your key fob’s signal and gain access to your car, to removing a headlight, accessing the vehicle’s Controller Area Network, and driving off in your car.

Potential attacks on EV charging stations merge the physical and digital attack surfaces, Brumley said. Likening the attack to an ATM card “skimmer,” Brumley described how such a hack might work, taking advantage of poorly designed and secured charging stations.

“What a great place to put malware, a place people are gonna literally drive up and plug themselves in,” Brumley said.