Unknown Individuals Reveal Potential Cybersecurity Risks in Early-Stage Battery Electric Vehicle (BEV) Development
In a groundbreaking real-world vehicle penetration testing project, researchers at PlaxidityX have demonstrated the critical need for comprehensive cybersecurity measures in software-defined vehicles (SDVs). The study, titled "Securing the Future," focused on a battery-electric vehicle (BEV) just before the start of production.
The team's actions gave them full remote access to safety-critical functions while the vehicle was in motion, leading to a complete disruption of its operation with serious safety implications. This hack exposed a lack of robust cybersecurity measures in some automakers' SDVs.
The researchers replaced proprietary binaries with malicious versions to gain access to the Controller Area Network (CAN) bus and control vehicle functions. By reverse engineering internal binaries, they also extracted hardcoded credentials for a secured Message Queuing Telemetry Transport (MQTT) server, allowing them to perform all actions normally available to the user through the official app.
The hackers were able to authenticate and perform lateral movement within the internal network, eventually reaching the vehicle's central gateway. The approach of focusing on passing regulatory checks through isolated component-level Electronic Control Unit (ECU) testing overlooks important system-level interactions.
The project was part of the regulatory process under ISO/SAE 21434. However, Omer Ziv, one of the white paper's authors, emphasized the need for automakers to go beyond compliance. He suggested that penetration testing is needed to make things secure, not just for compliance reasons.
Ziv also highlighted that vehicles are moving from non-cyber-relevant to cyber-relevant, and current regulations are unable to ensure a more secure car. He emphasized the need for automakers to focus on secure boot, proper credential management, and robust in-vehicle network protections.
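A release-gate check for the hardcoded-credential finding described above, as an added example that is not from the PlaxidityX white paper or this article: it scans a binary image for broker URIs with embedded credentials and for literal secret assignments, and reports them redacted. The sample image, host name, key names, and the patterns themselves are constructed assumptions, not an exhaustive rule set.

```python
import re

# Runs of 6+ printable ASCII bytes, the same idea as the Unix `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Broker URI with userinfo, e.g. scheme://user:secret@host
URI_CRED = re.compile(r"\b(mqtts?|wss?|ssl|tcp)://([^\s:/@]+):([^\s/@]+)@([\w.-]+)", re.I)
# key=value or key: value where the key names a secret
KV_CRED = re.compile(
    r"\b(\w*(?:passw(?:or)?d|secret|token)\w*)\s*[=:]\s*[\"']?([^\s\"';,]{4,})", re.I)
# Values that reference a variable or secret store instead of a literal
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\$\w+|%\w+%|<.*>)$")

# Constructed sample image: binary padding around a few embedded strings.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"mqtts://tcu-client:Example-Pass-1@broker.example.invalid:8883\x00"
    + b"\x13\x37\x00\xff"
    + b"mqtt_password=${MQTT_PASSWORD}\x00"   # reference, not a literal
    + b"\x01\x02"
    + b"api_token: constructed-token-123\x00"
    + b"connect timeout reached\x00"
)


def scan_image(blob):
    """Return (offset, kind, redacted) for each literal credential found."""
    findings = []
    for run in PRINTABLE.finditer(blob):
        text = run.group().decode("ascii")
        for u in URI_CRED.finditer(text):
            if not PLACEHOLDER.match(u.group(3)):
                redacted = f"{u.group(1)}://{u.group(2)}:***@{u.group(4)}"
                findings.append((run.start(), "uri-credentials", redacted))
        for kv in KV_CRED.finditer(text):
            if not PLACEHOLDER.match(kv.group(2)):
                findings.append((run.start(), "literal-secret", f"{kv.group(1)}=***"))
    return findings


def release_gate(blob):
    """True only when the image carries no literal credentials."""
    return not scan_image(blob)


if __name__ == "__main__":
    for offset, kind, redacted in scan_image(SAMPLE):
        print(f"0x{offset:06x} {kind:16} {redacted}")
```

Run against every artifact that ships in the image, not only source files, since the credentials in this case were recovered from compiled binaries.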
To secure SDVs, automakers must integrate evolving threat modeling, strict regulatory compliance, secure over-the-air (OTA) updates, AI and data protection, supply chain transparency, zero-trust architectures, and advanced edge AI cybersecurity solutions. These measures collectively address the complexity and evolving nature of cybersecurity threats to SDVs.
Key measures include:
- Developing dynamic cyber threat models that identify potential attack vectors and vulnerabilities specific to SDVs.
- Adopting and complying with industry cybersecurity standards such as ISO/SAE 21434 and UNECE WP.29 (R155/R156).
- Implementing secure software update mechanisms for OTA updates.
- Securing AI and data handling by limiting AI access to only essential data, encrypting sensitive datasets, enforcing access control, and real-time monitoring.
- Validating suppliers and third-party components using Software Bills of Materials (SBOMs) and vulnerability assessments.
- Adopting zero-trust security models and security-by-design principles.
- Leveraging AI and edge computing for threat detection.
These measures ensure continuous protection throughout the vehicle’s long operational life. The hacking incident serves as a stark reminder of the potential safety risks posed by vehicle manipulation or remote control attacks. Recent reports indicate a significant increase (600%) in automotive cyberattacks, underscoring the urgent need for improved cybersecurity measures in the automotive industry.
Recovery from the hack required a full battery reset. The researchers' attack highlighted security problems including insecure Wi-Fi networks, hardcoded credentials, insecure MQTT, and a weak UDS Security Access implementation. The incident underscores the need for automakers to prioritize cybersecurity in their development processes to protect against potential threats and ensure the safety of their customers.
The groundbreaking study on battery-electric vehicles (BEVs) by the PlaxidityX team has shown that cybersecurity measures in software-defined vehicles (SDVs) are critical to preventing serious safety issues caused by hacking. The incident emphasizes the need for automakers to prioritize cybersecurity, go beyond compliance, and implement measures such as secure boot, proper credential management, robust in-vehicle network protections, AI and data protection, supply chain transparency, zero-trust architectures, and advanced edge AI cybersecurity solutions.
Moreover, the researchers' attack demonstrated the escalating cyber threats in the automotive industry, with a significant increase (600%) in automotive cyberattacks being reported recently. These threats underscore the urgency for the automotive industry to integrate evolving threat modeling, strict regulatory compliance, secure over-the-air (OTA) updates, AI and data protection, supply chain transparency, zero-trust architectures, and advanced edge AI cybersecurity solutions to ensure continuous protection throughout the vehicle’s long operational life.