Author: Wang Hui

Have you ever imagined a scenario as terrifying as this?

One day, you get into a smart car, turn on the self-driving feature, and get ready to lie back comfortably and listen to music. Suddenly, you realize that you have lost control of the vehicle, and a strange voice comes through the speakers threatening to crash your car unless you transfer money.

Who is controlling your smart car?

This is not just an exaggerated story. The security threats of smart cars are not far from us.

On March 20th, during the China Development Forum, Elon Musk, CEO of Tesla, stated that the company will not provide the U.S. government with data collected by Tesla vehicles in China or other countries.

The incident began in early March when a group of hackers claimed they successfully breached Verkada, a Silicon Valley-based start-up focused on surveillance, and obtained real-time video recordings from 150,000 surveillance cameras. One of the videos was from inside Tesla’s Shanghai factory. The hackers claimed that they could retrieve images captured by 222 cameras from Tesla factories and warehouses.

On March 10th, Tesla responded to the hack of its Shanghai factory surveillance system, stating that the company had stopped the cameras from connecting to the internet and had taken further measures to improve overall security control at the supplier level.

Musk has repeatedly emphasized that Tesla has no need to misuse its data, stating that if Tesla were to carry out espionage, it would face serious negative consequences. However, there is still a lot of controversy, both within and outside the industry, surrounding the information security threats of Tesla and smart cars.

During the 2021 National People’s Congress and National Political Consultative Conference, Zhou Hongyi, founder, chairman, and CEO of 360, proposed that “by 2025, smart connected cars could account for 50% of annual car sales, and smart cars have shown various security issues, such as remote control, data theft, and information fraud. It is recommended that the country increase incentives and guide companies to incorporate the network security protection system of smart cars into the vehicle production, sales, and service system and gradually form mandatory requirements.”

Tesla is a representative of technological innovation in the field of smart cars, and it began laying out its information security measures earlier than others. However, the risk of factory surveillance and vehicle control being hacked is still there. Looking forward, as the level of network connection increases, how to solve the information security issues of smart cars is worth considering.

Your car can be stolen in just 18 seconds

The Tesla factory surveillance theft and the information security issues of Tesla cars discovered by 360 technicians are not isolated cases among smart cars.

In 2014 and 2016, engineers from 360 company cooperated with external technicians to discover multiple security vulnerabilities at international information security conferences, demonstrating how to “hack” a Tesla by interfering with sensors and communication modules.

In 2015, foreign hackers also invaded the Tesla Model S onboard system, causing the vehicle to suddenly shut down during operation. In 2017, security technicians from 360 company and Tencent separately demonstrated how to remotely enter the Tesla onboard and power grid systems without a key.

In 2020, there were multiple incidents of Tesla app crashes worldwide, causing phones to be unable to link to the vehicle and leaving owners in a “blind driving” state, with some even getting locked inside their cars.

Of course, the problem is not limited to Tesla only. Electronic information systems in many other car brands have also had issues.

Public reports show that in 2015, two white hat hackers remotely hacked a Cherokee while it was being driven, causing it to slow down, shut down its engine, and lose its brakes. This led to Chrysler recalling 1.4 million Cherokees.

In 2016, Nissan announced the closure of its Nissan Connected EV app, developed specifically for the Leaf series, after discovering that hackers could infiltrate the car system and control battery operations to drain the battery.

In October 2018, Mercedes-Benz was also found to have two CVE vulnerabilities that attackers could exploit to disable the car system.

In 2019, the European ADAC automobile association conducted a security test on 237 models from 33 brands, revealing that 99% of the vehicles could be unlocked and driven away by hackers in just 18 seconds.

In 2020, China’s State Administration for Market Regulation and related agencies conducted an information security test on multiple intelligent connected vehicles, finding that up to 63% of the connected vehicles had some degree of security risks.

Similar security threats are becoming increasingly prominent with the development of technology and industry.

Firstly, the number of smart cars facing security threats has become even larger. Taking China’s data as an example, the country’s smart car industry is experiencing explosive growth, with smart cars expected to account for 50% of the total car sales in the year 2025. The intelligent automobile industry is gradually upgrading from a closed network to an open network. Security issues, such as remote control, data theft, and information fraud, which were previously only present in smart terminals like computers and phones, have spread to smart automobiles, seriously threatening personal and public safety.

According to Upstream Security, an automobile cyber-security company, the number of reported cyber-security attacks on smart automobiles dramatically increased from 80 in 2018 to 155 in 2019. In 2020, the total number of malicious attacks on intelligent automobile-related companies and platforms, including entire automobile companies and car networking information service providers, has already exceeded 2.8 million.

An information security industry expert who was interviewed by a reporter said that in the future, if hundreds of thousands of cars were disabled simultaneously due to the use of the same application or server or the exploitation of a vulnerability by hackers, the disaster would be no less than one “9/11” event.

The defense against these attacks is full of loopholes

The emergence and wide application of new technologies, such as artificial intelligence, big data, and the Internet of Things, have brought disruptive changes to the automobile industry. However, the pervasive network security risks and great uncertainty have pushed the industry to the brink.

Over the past two years, the forms of cyber-security attacks on automobiles have become increasingly diverse. In addition to traditional attacks, attackers have also utilized ultrasound-based “dolphin” attacks as well as AI-based attacks using photos and road markings. Moreover, attack routes have also become more complex over time.

The China Automotive Information Sharing and Analysis Center reports that automotive information security risks fall into ten main areas, including insecure cloud interfaces, unauthorized access, hidden system backdoors, insecure in-car communications, lack of vehicle network isolation, firmware extraction for reverse engineering, insecure third-party components, sensitive data leaks, insecure encryption, and insecure configurations.

Attackers can exploit the vulnerabilities of automobile electronic systems, such as Bluetooth, cloud connections, and network communications in various aspects of safety functions, software, information transmissions, and entertainment systems.

According to Gao Yongqiang, the director of standards at Huawei’s smart automobile solution department, “in terms of risk types, we believe that the seven main network security threats that smart automobiles currently face are vulnerabilities in smartphone applications and cloud servers, insecure external connections, vulnerabilities in remote communication interfaces, hackers attacking servers to access data, tampering with vehicle network instructions, and destruction of in-car component systems through firmware flashing, extraction, and virus implantation.”

The reason why automobiles have become another vulnerable target for network attacks after smartphones is that as the automobile industry moves towards “Industry 4.0,” numerous in-car terminal applications are added, leading to more information security access points and risks being exposed.

Taking car software as an example, a set of data shows us how alarming the risks of automotive network security are.

A report from the School of Software Engineering at Carnegie Mellon University shows that for code developed in the United States, there is an average of 0.75 defects per functional point, and there are about 6,000 defects or vulnerabilities per million lines of code. To achieve the “good” level, the number of defects or vulnerabilities in every million lines of code should be controlled within 600 to 1,000. If it reaches the “excellent” level, the number of defects or vulnerabilities in every million lines of code should be less than 600.

In other words, even if all the code reaches the “good” level, according to the current average of one hundred million lines of code in a smart car, there may still be 100,000 defects or vulnerabilities in each car. And what kind of risks these defects and vulnerabilities will cause, no one can predict.

In addition to the fact that the defenses are full of “holes,” it should also be noted that the protection foundation and defense strength in information security in the automotive industry are generally weak.

Yu Xiaohui, the deputy director of the China Academy of Information and Communications Technology, publicly stated that the automotive industry has three particularly prominent issues. First, due to cost and technical maturity factors, current vehicle protection is still mainly based on software measures, and there is insufficient application of identity authentication, encryption isolation, and other measures. Second, the ability to assess risks to key components and vehicle system-level software and hardware is insufficient. Finally, the foundation in network security testing and evaluation is weak: the testing and verification ability for vehicle components, whole vehicles, and other aspects is insufficient, the depth and level of vehicle penetration testing rely mainly on manual work, and quantifiable evaluation standards are lacking.

It is a threat, but also a market space of tens of billions of yuan.

Strengthening the security protection of smart cars is not only a matter of security. On the other side of the coin, new products, new formats, and new models are constantly emerging, and the diversification of industries built on smart connected vehicles as carriers is accompanied by the generation of large amounts of information assets.

For example, currently, with the large-scale implementation of L2 ADAS, major automakers have set their sights on the industrialization of L3 and L4 automatic driving.

In April 2020, Great Wall Motors established a digital center, and in July, launched the “Coffee Intelligence” brand for intelligent cabins, intelligent driving, and intelligent electronic architectures.

It is worth mentioning that Great Wall Motors is not the first domestic brand to “eat the crab,” that is, to be the first to try something new.

Already in 2016, SAIC and Alibaba released the “world’s first mass-produced Internet-connected car,” the Roewe RX5. In 2019, SAIC, along with Shanghai International Port Group and China Mobile, officially launched 5G and L4-level smart driving heavy truck demonstration operation. In July 2020, SAIC Group’s Software Center “Zero Bundle” was established, focusing on intelligent driving systems, software architecture, basic software platforms, and data factories.

New forces in car manufacturing have also emerged, such as XPeng Motors. Public data shows that its mass-produced model, the XPeng P7, is equipped with the new XPILOT 3.0 automatic driving assistance system, which can achieve functions such as NGP (high-speed automatic navigation assistance driving), ACC (adaptive cruise control), LCC (lane centering assistance system), and memory parking.

In addition, the mounting rate of intelligent functions such as voice interaction, remote control by mobile phone, and internal and external cameras in the current market is rapidly increasing.

From the overall perspective, the development of intelligent automobiles is still in its early stages. The issue of user privacy and information security has already aroused concern within the industry, and resolving these issues will likely be a long and difficult journey, even becoming a long-term challenge.

However, it is certain that in light of these new situations and challenges, automobile operating system platforms that integrate software with high security protection capabilities will have significant development potential in the future.

Currently, software, including in-car operating systems, security protection, and other types of software, accounts for around 10% of the cost of large passenger cars. By 2030, this number is expected to increase to 30%. This means that the automobile software market will have a market space of over trillions of RMB.

This trillion RMB space does not even include the revenue from gray and black market data privacy transactions. A report by McKinsey Consulting in 2020 showed that revenue from the sale of customer privacy information by the black industry will reach 200 billion USD.

At the national level, actions should be taken.

“Without network security, there is no talking about anything,” said Shen Changxiang, a member of the Chinese Academy of Engineering, in an interview. The automobile cyberspace is much more fragile than imagined, and traditional “block and kill” measures are already difficult to cope with network attacks. A computing architecture must be established to achieve proactive immunity, with the calculation results being fully measurable and controllable. It must be a proactive immunity mode where protection and computing coexist.

The Internet has given automobiles infinite possibilities and infinite imagination. The intelligent automobile is becoming the key node for data collection, transmission, and processing. However, if information security issues cannot be effectively resolved, the real intelligent automobile era may never arrive.

In response, industry experts have stated: “Intelligent automobiles have changed traditional automobile safety, gradually shifting from functional safety to information collection and use safety. In terms of information security management, the information security of intelligent automobiles should also be raised to the level of national information security.”

How should automakers respond to the challenges of automobile information security? From the journalist’s understanding of the situation, the domestic automotive information security market is currently in a stage of consultation and exploration: the standards and regulations have not yet been perfected, and the relevant theories have not yet formed a systematic model to guide OEMs in carrying out information security work.

However, from public information, many information security companies and automakers have already begun relevant deployments. On the automaker side, XPeng Motors has a team of dozens of information security experts, many of whom are senior security experts from Microsoft, Alibaba, Tencent, Green Alliance, and NetEase. Traditional information security companies such as Qihoo 360, Bang Bang, and Cohen Labs have also shifted their focus to the field of automotive information security.

Regarding the privacy and security issues of user data, automakers are also doing some thinking. For example, Chen Hong, chairman of SAIC Group, said in an interview that automakers have an obligation to inform users of potential privacy risks, and should give users the freedom to choose when collecting, using, transferring, and deleting data. When analyzing and processing data, data and personal identity should be separated, and data anonymization should be performed.

The China Intelligent Vehicle Development Report, published by the Horizon Institute, believes that the regulatory authorities should strengthen strategic planning and propose a comprehensive plan and deployment for automotive information security at the national level, coordinate various demands, and make use of their own advantages, to form a fast, efficient, scientific, and reasonable security standard system.

On the one hand, it is necessary to protect automotive data security and strengthen data collection supervision during the use of intelligent vehicles. Collecting data without the user’s knowledge, or collecting it excessively, should be forbidden, and protection technologies such as secure data collection, storage, authentication encryption, secure transmission, and desensitization should be vigorously developed.

On the other hand, it is also necessary to formulate standard specifications for the management of user data collection and geographical and environmental data in intelligent vehicles and strengthen data export supervision. The state should classify and manage vehicle information security-related data, uniformly monitor data with high confidentiality levels, implement dynamic security monitoring mechanisms, and discover and resolve issues in a timely manner.

This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.