View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 26, 2019updated 12 Jul 2022 5:51am

Connected Cars at Risk of Hijacking, Eavesdropping and DDoS Attacks: EU Cybersecurity Agency

More baked-in security required...

By CBR Staff Writer

Connected cars are at risk of hijacking, eavesdropping and even DDoS attacks, Europe’s cybersecurity agency ENISA warned today, in a new report that lays out a series of potential threats to semi-autonomous vehicles — and which is designed to serve as a reference point for robust vehicle cybersecurity across Europe.

“Smart cars’ increased connectivity and automation expose them to several crucial cyber threats. Those threats may directly target smart cars or their surroundings such as RSUs, traffic signs/lights or even remote servers of the OEM or third-party service providers”, the Greece-based agency warned, detailing various measures to bolster the cybersecurity of increasingly cloud and network-connected vehicles.

These range from regular penetration testing, through to the enforcement of session management policies to avoid session hijacking, and more specific measures like code obfuscation techniques to prevent reverse engineering of smart car mobile applications: guidance that comes as part of a detailed new asset taxonomy.

Vehicle Cybersecurity: Beware RSU-Based Attacks

The automotive industry is undergoing a “paradigm change” towards connected and autonomous vehicles, the agency notes, saying that so-called smart cars already provide connected, added-value features in order to enhance car users’ experience or improve car safety: “With this increased connectivity (that the emergence of 5G is expected to further promote) novel cybersecurity risks and threats arise and need to be managed”.

Among the risks it raises: Denial of Service attacks that may target (or originate from) RSUs [Ed: road-side units: computing devices located on the roadside that provide connectivity support to passing vehicles or IT systems]”, ENISA warns in the report.

” An attacker may for instance shut down the RSU (via physical access or remotely), overload the system with messages to process or even jam radio
communications, etc. In-vehicle components can also be the target of DoS attacks. For instance, overloading the CAN bus with malicious messages will alter the vehicle behaviour”, ENISA warns, in guidance that may sound familiar to security teams working across any industry, with its suggestions of regular Red Teaming, including a security role within the product engineering team and taking a “DevSecOps” approach.

Such warnings may appear speculative when easier attacks on vehicles are so much more widely available (ie. a dropped brick) , but which is designed to get policy makers and industry baking in best practice across nine specific fields, spanning:

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
  • Detection
  • Protection of Networks and Protocols
  • Software Security
  • Cloud Security
  • Cryptography
  • Access Control
  • Self-Protection and Cyber Resilience
  • (Semi-) Autonomous Systems Self Protection and Cyber Resilience
  • Continuity of Operations

AI and ML systems could even be fed false data and be fooled into thinking a crash has occurred via the use of sounds; or a magnetic attack could target the odometric motion sensor data disorientating the system. While on the lower end of plausibility, someone could instigate a physical DoS attack jamming the car’s sensors by overloading it with too many objects to track or they could simply blind the camera.

Enisa notes that there has been experimental remote attacks: “on autonomous cars’ cameras and Light Detection and Ranging (LiDAR) systems showing effective camera blinding, making real objects appear further than their actual locations or even creating fake objects.” The full report can be found here.

See Also: Home European Security Agency Details 58 5G Security Threats

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.