As cars continue to be digitized and connected, it is to be expected that vulnerabilities will arise and can be remedied. This is what the Federal Office for Information Security (BSI) assumes in its third “Automotive Industry Profile” on cyber security in the automotive industry. In addition to security in the vehicle itself, the BSI also addresses aspects of production, supply chains and infrastructure such as charging stations.
The BSI describes how the hardware and software installed in vehicles are becoming more extensive and complex. Customers can, for example, buy software updates that activate additional functions, which means payment functions are integrated into the vehicle. Additional apps could also come from third parties, so software supply chains could branch out, which in turn makes managing software vulnerabilities difficult.
The BSI also sees a problem in the fact that a lot of open source code is used in the transport sector, which is often not continuously maintained or further developed by the original developers. The number of “high-risk vulnerabilities” in this area has increased significantly in recent years. Even if not every vulnerability can be exploited by attackers due to the lack of an attack vector, the manufacturers are responsible for checking the software inventory, including open source components, for vulnerabilities.
Regular security updates like in classic IT
As in classic IT, regular security updates would become normal, says the BSI. The question remains open as to how long security patches will be offered after the vehicle has been purchased; there are currently no legal deadlines for this. The BSI points to the example of Volkswagen. The manufacturer announced this spring that it would voluntarily offer software support for over 15 years after production ended.
Such and other security aspects that also affect the automotive industry are increasingly being regulated at EU level. The BSI lists the EU AI Act, the EU Data Act, the ENISA cloud service scheme and the charging station regulation, as well as the Cyber Resilience Act (CRA). The CRA, with which the EU Commission wants to ensure the cyber security of products, illustrates how complex the regulatory structure has become. By definition, it also covers products that are used in the context of road traffic. However, some product categories for which other EU-wide regulations already apply are explicitly excluded, including vehicles that are subject to type approval law under (EU) 2019/2144 and thus UN Regulation 155.
The BSI warned about cyber attacks on connected cars and production facilities two years ago in its first “industry situation report”. Manufacturers themselves and their suppliers were already being hit by ransomware attacks back then. The BSI points out these dangers in the current report as well, naming in particular the Ransomware-as-a-Service (RaaS) operations LockBit 3.0, Alphv, Black Basta and Royal. Since the end of 2021, the Federal Office has been working on technology requirements in the area of automated driving in several projects, including on the topic of artificial intelligence.
Another problem that continues unabated is vehicle theft in which security gaps are exploited. The protection provided by the rolling codes of radio keys could, for example, be circumvented using the RollJam attack: two consecutive signals from the radio key are recorded while their transmission to the vehicle is blocked by radio interference, so that the vehicle later still regards these codes as unused. In the RollingPwn and RollBack attacks published in July and August 2022, the status counter in the vehicle can be reset in some implementations by replaying previously recorded key signals. In contrast to the RollJam attack, the vehicle can then be opened as often as desired at any time.
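To make the rolling-code behaviour described above concrete, here is an added simulation of a receiver that validates fob codes (this is constructed example code, not code from the BSI report or from any vehicle manufacturer). The fob authenticates a monotonically increasing counter with an HMAC under a shared key (a constructed stand-in for a real fob cipher), and the receiver accepts a code only if its counter lies in a look-ahead window above the last accepted one. This shows why a code that was already used is rejected on replay, while a code that was recorded but never delivered to the vehicle remains valid, and why a receiver must never move its counter backwards.

```python
import hashlib
import hmac

# Constructed shared secret and parameters; a real fob/receiver pair uses a
# per-device key and a vendor-specific cipher instead of HMAC-SHA256.
KEY = b"constructed-demo-fob-key"
WINDOW = 16  # receiver looks this far ahead of the last accepted counter


def fob_press(counter: int) -> tuple[int, bytes]:
    """Fob side: each press emits its counter plus an authentication tag."""
    tag = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag


class Receiver:
    """Vehicle side: forward-only counter with a look-ahead window."""

    def __init__(self) -> None:
        self.last_accepted = 0

    def accept(self, counter: int, tag: bytes) -> bool:
        expected = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted code
        if not (self.last_accepted < counter <= self.last_accepted + WINDOW):
            return False  # replay of an old code, or too far ahead (desynced fob)
        # The counter only ever advances; a receiver that rewinds it on some
        # replayed sequence would be in the class of flaws the article describes.
        self.last_accepted = counter
        return True


def demo() -> dict[str, bool]:
    """Constructed press sequence; returns which codes the receiver accepted."""
    rx = Receiver()
    results = {}
    results["press_1"] = rx.accept(*fob_press(1))            # normal press
    results["replay_1"] = rx.accept(*fob_press(1))           # already used
    results["forged_2"] = rx.accept(2, b"\x00" * 8)          # bad tag
    # Presses 2..4 never reached the vehicle (e.g. out of range); 5 is still
    # inside the look-ahead window, so the receiver resynchronises on it.
    results["press_5"] = rx.accept(*fob_press(5))
    # A code recorded earlier but never delivered (counter 6) is still valid:
    # monotonic counters only prove "not used before", not "sent just now".
    results["held_back_6"] = rx.accept(*fob_press(6))
    results["replay_3"] = rx.accept(*fob_press(3))           # below counter
    results["far_ahead_40"] = rx.accept(*fob_press(40))      # beyond window
    return results
```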
#BSI #alerts #automotive #industry #safety #problems