Smart vehicles are less vulnerable than they were a few years ago thanks to improvements in security, according to a new report from the security firm IOActive.
IOActive conducted vulnerability assessments of real-world vehicle systems for its “Commonalities in Vehicle Vulnerabilities 2018 Remix” paper, and found that both the likelihood and potential impact of attacks have decreased since the firm did similar research in 2015.
“Compared to the previous report, risk ratings are tending to decrease,” researchers wrote in the report (PDF). “This is especially notable in the critical-risk category with a 16 percentage point decrease. This is indicative of the overall security improvements we’ve seen in the automotive industry.”
However, connected cars aren’t completely without security risks, researchers found. While many medium-risk vulnerabilities have been replaced by low-risk flaws, others that were deemed high-risk in previous research are now critical vulnerabilities. And even low- or medium-risk vulnerabilities, when linked together, could become more dangerous, according to the report.
“Individually, these vulnerabilities may not be severe but they may still be harmful when exploited together or could end up being harmful if another, presently unknown, vulnerability is discovered,” according to the report.
Moreover, while security architectures for connected vehicles have definitely improved, remote services that can be leveraged by bad actors to attack systems have expanded in number and scope, widening the playing field for would-be attackers, the paper found.
The white paper released Wednesday is a follow-up to one IOActive published in 2016 that examined data collected in years prior. The current report examines data from 2016 and 2017 and outlines how things have changed since the firm’s previous investigation of vehicle vulnerabilities.
Modern connected cars have a wide variety of interfaces that allow for user interaction, each of which represents a potential attack surface for hackers. These commonly include Bluetooth, cellular, WiFi and USB, as well as interfaces that vary based on manufacturer.
IOActive focused on what researchers call “practical threats”–that is, exposed interfaces that allow attackers to access the connected system. Researchers rated vulnerabilities on a risk scale of one to five, with five deemed a “critical” risk and one deemed merely “informational.” In between, vulnerabilities were rated “high” (four), “medium” (three) and “low” (two).
They also rated each number-rated risk in terms of two categories–impact if exploited and likelihood of exploitation. Critical vulnerabilities, for example, would allow for a system to be completely compromised and pose potential safety concerns if exploited, and are easily exploited because there already is public information about them or they are easily discoverable, and they can be accessed remotely.
Threats show notable decline
IOActive researchers rated the largest share, 32 percent, of the vulnerabilities they examined in more than 6,000 hours of research as medium risk, with 10 percent at the highest end of the scale rated as critical vulnerabilities. Twenty-three percent of vulnerabilities were rated high; 20 percent as low; and 15 percent as informational.
These findings represent a “significant drop in the proportion of critical-impact vulnerabilities from our previous report,” researchers wrote–a decrease of 15 percentage points. Meanwhile, the distribution of medium- and low-impact vulnerabilities has increased.
“This is likely the result of better security awareness and user separation,” researchers wrote. “We’ve seen significant growth in the design of vehicle systems to incorporate security from the start. This includes making sure that the processes that handle data are running with limited privileges, which helps lower the impact of the most likely attacks.”
In terms of likelihood of attack, most of the vulnerabilities identified fell into the low or medium categories, researchers found. “This means that most vulnerabilities could either only be exploited by advanced attackers or may require another compromise to be exploitable,” they wrote.
Specifically in this category, 32 percent of vulnerabilities were rated medium risk; 25 percent as low; 17 percent as high; 15 percent as informational; and 11 percent as high.
Overall risk also showed a positive trend for connected-vehicle owners concerned about attacks. Most vulnerabilities were rated medium and low–41 percent and 31 percent, respectively. Twenty-two percent of vulnerabilities were rated high risk overall, while only 6 percent were rated critical.
Researchers concluded that whatever manufacturers are doing to keep connected vehicles secure, it seems to be working. Their advice? Keep up the good work.
“Based on our findings, the best path forward is to continue diligently applying industry best practices for secure design and enforcing strong secure coding practices to help prevent easy-to-fix bugs in the first place,” researchers wrote.