The year 2021 brought an increasing number of cyberattacks on cars, as hackers tap into advanced technologies, according to Upstream’s fourth annual Automotive Cybersecurity Report.

Upstream, a cybersecurity and data management platform for connected vehicles, based in Herzliya and Michigan, analyzed more than 900 publicly reported cyberattacks on cars in the last decade.

The highlights:

  • The frequency of cyberattacks on cars increased 225 percent from 2018 to 2021.
  • Nearly 85% of attacks in 2021 were carried out remotely, outnumbering physical attacks four to one.
  • 40% of attacks targeted back-end servers.
  • 2021 saw 54.1% of attacks carried out by “Black Hat” (malicious) actors, up from 49.3% in 2020.
  • The top attack categories were data/privacy breach (38%), car theft/break-ins (27%), and control systems (20%).
  • Keyless entry and key fob attacks account for 50% of all vehicle thefts. Thieves only need to be close to the key fob for a Black Hat hacker to pick up and reproduce its signal.

All told, Upstream estimates that the automotive industry is projected to lose $505 billion by 2024 to cyberattacks.

Upstream cofounder and CEO Yoav Levy, left, and cofounder and CTO Yonatan Appel. Photo by David Grub

“The rise in sophistication amongst vehicle hackers will continue to evolve as the industry continues to adopt advanced connectivity,” Upstream cofounder and CEO Yoav Levy tells ISRAEL21c.

That means the car has a connection to the Internet, whether to stream music, access Waze or Google Maps or remember your morning Starbucks’ preferences.

“V2X, the ability for a vehicle to not only detect but engage with the infrastructure, vehicles, and other assets around it, will create new vectors that will all be all too tempting for Black Hat actors,” Levy says.

In 2018, there were 330 million connected cars, Upstream reports. That’s due to jump to 775 million by 2023. A connected car produces some 25 GB of data an hour by 2025. For a fully autonomous vehicle, that number jumps to 500 GB an hour.

How hackers access vehicles

Hackers use eight key tricks to gain access to vehicles, Upstream reported.

  1. Spoofing messages or data (that’s where the message appears to be from someone you know but is really from a hacker).
  2. Manipulating the vehicle’s internal code and data.
  3. Sending harmful messages through the car’s communication and entertainment system.
  4. Taking advantage of vulnerabilities in sensitive information access in some vehicles.
  5. Denial-of-service (DoS) attacks that cause the car to malfunction.
  6. Coopting privileged access.
  7. Embedding viruses in communication media.
  8. Sending messages containing malicious content, which can be received by a car as well as a phone or home computer.

While a hack that disables, say, a car’s brakes while it’s in operation is potentially life-threatening, simple theft is a more immediate and pressing problem.

In September 2021, for example, thieves used sophisticated hacking hardware to steal 25 European-made luxury cars in London.

In Oakville, Canada, 124 vehicle thefts were reported in the first half of 2021 – this in a city with just 211,000 residents. Sixty-six percent of these thefts were via keyless entry tech, and some took place in broad daylight.

It’s not just cars. Two major Israeli public transportation companies were hit by ransomware attacks recently and had their data leaked to the Darknet. In addition to the stolen data, the attack brought the companies’ websites down.

How hackers target vehicles

During the Covid-19 pandemic and its accompanying chip shortage and supply chain issues, Black Hat scammers have been flooding the market with counterfeit parts and components, which can be a hazard to driver and vehicle safety.

Among the most audacious attacks reported by Upstream: In April 2021, the doors of a North American EV manufacturer’s vehicle were hacked using a drone carrying a Wi-Fi dongle.

Even electric charge spots can be hacked, allowing Black Hat actors to remotely switch the chargers on and off, remove an owner’s access, and lock or unlock the charging cable. Bad actors can steal a vehicle owner’s identity through the charge spot, stop owners from charging their vehicles, and charge their own vehicles free of charge.

“Ultimately, most smart EV charging points [we] researched were vulnerable to attacks,” Upstream reported.

The problem won’t be going away anytime soon.

“Today, there are more lines of code in the connected car than other highly sophisticated machines, including the U.S. Air Force’s F-35 Joint Strike Fighter, the Boeing 787 Dreamliner, or a NASA space shuttle,” the report’s authors warn.

“With today’s revolution in automotive connectivity and the exponential growth in the number of connected vehicles on the road, it is imperative for the automotive industry to understand, predict, and combat rising cybersecurity threats,” said Levy.

You can download a copy of the full 900-page cybersecurity report from Upstream here.