AUTOMOTIVE CYBER INCIDENTS IN H1 2019 SURPASS ALL OF 2018

MID-YEAR REPORT

copy 2019 Upstream Security Ltd All Rights Reserved

2Automotive cyber incidents in H1 2019 surpass all of 2018

TABLE OF CONTENTS

Introduction02

The number of automotive related incidents is growing rapidly

04

Growth in the number of black-hat (cyber criminals) attacks endangering human safety

06

Remote keyless entry systems account for 47 of incidents08

Server-related hacks account for 18 of all incidents and include multi-vehicle attacks and ransomware

10

Mobile attacks account for 8 of incidents12

OBD related incidents resulted in 65 of all attacks in 2019

14

Summary16

3Automotive cyber incidents in H1 2019 surpass all of 2018

As the number of connected vehicles on the road increases along with the use of smart mobility services we see a continued growth in the reported automotive cyber and fraud incidents Understanding potential vulnerabilities and how criminals take advantage of them is key to preventing attacks in the future At Upstream our research team is constantly analyzing incidents as they occur with the goal of delivering this critical information while ensuring that our technology stays one step ahead of hackers and fraudsters In April 2019 Upstream published findings for Q1 of this year which brought to surface the rapid increase in the number of incidents Now with H1 in the past Upstreamrsquos research team has produced an updated report based on reported incidents worldwide

Introduction

2Automotive cyber incidents in H1 2019 surpass all of 2018

TABLE OF CONTENTS

Introduction02

The number of automotive related incidents is growing rapidly

04

Growth in the number of black-hat (cyber criminals) attacks endangering human safety

06

Remote keyless entry systems account for 47 of incidents08

Server-related hacks account for 18 of all incidents and include multi-vehicle attacks and ransomware

10

Mobile attacks account for 8 of incidents12

OBD related incidents resulted in 65 of all attacks in 2019

14

Summary16

3Automotive cyber incidents in H1 2019 surpass all of 2018

As the number of connected vehicles on the road increases along with the use of smart mobility services we see a continued growth in the reported automotive cyber and fraud incidents Understanding potential vulnerabilities and how criminals take advantage of them is key to preventing attacks in the future At Upstream our research team is constantly analyzing incidents as they occur with the goal of delivering this critical information while ensuring that our technology stays one step ahead of hackers and fraudsters In April 2019 Upstream published findings for Q1 of this year which brought to surface the rapid increase in the number of incidents Now with H1 in the past Upstreamrsquos research team has produced an updated report based on reported incidents worldwide

Introduction

3Automotive cyber incidents in H1 2019 surpass all of 2018

As the number of connected vehicles on the road increases along with the use of smart mobility services we see a continued growth in the reported automotive cyber and fraud incidents Understanding potential vulnerabilities and how criminals take advantage of them is key to preventing attacks in the future At Upstream our research team is constantly analyzing incidents as they occur with the goal of delivering this critical information while ensuring that our technology stays one step ahead of hackers and fraudsters In April 2019 Upstream published findings for Q1 of this year which brought to surface the rapid increase in the number of incidents Now with H1 in the past Upstreamrsquos research team has produced an updated report based on reported incidents worldwide

Introduction

4Automotive cyber incidents in H1 2019 surpass all of 2018

THE NUMBER OF AUTOMOTIVE RELATED INCIDENTS IS GROWING RAPIDLY

5Automotive cyber incidents in H1 2019 surpass all of 2018

The number of incidents in H1 of 2019 (82) are more than double that of H1 (32) of the previous year In only six months this year there has been more incidents than all of 2018 (75) with the rest of the year still ahead At this frequency more incidents in H2 2019 can be expected likely doubling or tripling the total this year compared to 2018 According to a report published on Internet of Business major European economies may reach nearly 100 connected car penetration by 2020 The evident increase in incidents is directly interconnected with the growing demand and use of connected cars and smart mobility services It is therefore imperative to stay ahead of the potential risks to ensure the usersrsquo safety as well as protect companiesrsquo brand and assets

Total incidents H1 lsquo18 vs H1 lsquo19

5Automotive cyber incidents in H1 2019 surpass all of 2018

The number of incidents in H1 of 2019 (82) are more than double that of H1 (32) of the previous year In only six months this year there has been more incidents than all of 2018 (75) with the rest of the year still ahead At this frequency more incidents in H2 2019 can be expected likely doubling or tripling the total this year compared to 2018 According to a report published on Internet of Business major European economies may reach nearly 100 connected car penetration by 2020 The evident increase in incidents is directly interconnected with the growing demand and use of connected cars and smart mobility services It is therefore imperative to stay ahead of the potential risks to ensure the usersrsquo safety as well as protect companiesrsquo brand and assets

Total incidents H1 lsquo18 vs H1 lsquo19

6Automotive cyber incidents in H1 2019 surpass all of 2018

GROWTH IN THE NUMBER OF BLACK-HAT (CYBER CRIMINALS) ATTACKS ENDANGERING HUMAN SAFETY

7Automotive cyber incidents in H1 2019 surpass all of 2018

65 of all incidents in H1 2019 were black-hat attacks resulting in damaged property stolen assets damaged reputations and significant safety concerns to the public In 2018 black hat incidents accounted for 55 compared to 45 white hat Connected vehicles and smart mobility services provide perpetrators with new and more advanced ways to access sensitive data damage property steal vehicles and hold brands ransom

Black Hat vs White Hat

White Hat35

Black Hat65

8Automotive cyber incidents in H1 2019 surpass all of 2018

REMOTE KEYLESS ENTRY SYSTEMS ACCOUNT FOR 47 OF INCIDENTS

9Automotive cyber incidents in H1 2019 surpass all of 2018

This continues to be the trend as we saw in Q1 2019 The vulnerability of remote keyless entry systems is a favorite with hackers We are also seeing an increase in the amount of attacks targeting commercial vehicles in addition to privately owned cars In June we saw 14 cases in the UK where criminals used this vulnerability to target commercial vehicles and held them for ransom demanding thousands of pounds for their return Victims reported that they were threatened by the perpetrators if they went to the police These criminals used a ldquorelay attackrdquo hacking technique which involves intercepting amplifying and relaying communication between the wireless entry key fob (usually located inside the victimrsquos house) and the vehicle (parked outside) The attack allowed hackers to open the car and start

Top attack vectors H1 2019

the engine without a key fob In May 28 Mercedes Sprinter vans were stolen in the UK when criminals used a transmitter to amplify the signal emitted from the key Thankfully and quite rarely we also saw a few incidents where the police were able to apprehend the perpetrators In Malaysia police arrested 5 thieves after 11 vehicles were stolen and in the UK one of the first arrests were made in connection with keyless car theft

Our research shows that the main impact of these ldquokeyless incidentsrdquo is car theft which accounts for 40 of all incidents making it the most significant

7Automotive cyber incidents in H1 2019 surpass all of 2018

65 of all incidents in H1 2019 were black-hat attacks resulting in damaged property stolen assets damaged reputations and significant safety concerns to the public In 2018 black hat incidents accounted for 55 compared to 45 white hat Connected vehicles and smart mobility services provide perpetrators with new and more advanced ways to access sensitive data damage property steal vehicles and hold brands ransom

Black Hat vs White Hat

White Hat35

Black Hat65

8Automotive cyber incidents in H1 2019 surpass all of 2018

REMOTE KEYLESS ENTRY SYSTEMS ACCOUNT FOR 47 OF INCIDENTS

9Automotive cyber incidents in H1 2019 surpass all of 2018

This continues to be the trend as we saw in Q1 2019 The vulnerability of remote keyless entry systems is a favorite with hackers We are also seeing an increase in the amount of attacks targeting commercial vehicles in addition to privately owned cars In June we saw 14 cases in the UK where criminals used this vulnerability to target commercial vehicles and held them for ransom demanding thousands of pounds for their return Victims reported that they were threatened by the perpetrators if they went to the police These criminals used a ldquorelay attackrdquo hacking technique which involves intercepting amplifying and relaying communication between the wireless entry key fob (usually located inside the victimrsquos house) and the vehicle (parked outside) The attack allowed hackers to open the car and start

Top attack vectors H1 2019

the engine without a key fob In May 28 Mercedes Sprinter vans were stolen in the UK when criminals used a transmitter to amplify the signal emitted from the key Thankfully and quite rarely we also saw a few incidents where the police were able to apprehend the perpetrators In Malaysia police arrested 5 thieves after 11 vehicles were stolen and in the UK one of the first arrests were made in connection with keyless car theft

Our research shows that the main impact of these ldquokeyless incidentsrdquo is car theft which accounts for 40 of all incidents making it the most significant

8Automotive cyber incidents in H1 2019 surpass all of 2018

REMOTE KEYLESS ENTRY SYSTEMS ACCOUNT FOR 47 OF INCIDENTS

9Automotive cyber incidents in H1 2019 surpass all of 2018

This continues to be the trend as we saw in Q1 2019 The vulnerability of remote keyless entry systems is a favorite with hackers We are also seeing an increase in the amount of attacks targeting commercial vehicles in addition to privately owned cars In June we saw 14 cases in the UK where criminals used this vulnerability to target commercial vehicles and held them for ransom demanding thousands of pounds for their return Victims reported that they were threatened by the perpetrators if they went to the police These criminals used a ldquorelay attackrdquo hacking technique which involves intercepting amplifying and relaying communication between the wireless entry key fob (usually located inside the victimrsquos house) and the vehicle (parked outside) The attack allowed hackers to open the car and start

Top attack vectors H1 2019

the engine without a key fob In May 28 Mercedes Sprinter vans were stolen in the UK when criminals used a transmitter to amplify the signal emitted from the key Thankfully and quite rarely we also saw a few incidents where the police were able to apprehend the perpetrators In Malaysia police arrested 5 thieves after 11 vehicles were stolen and in the UK one of the first arrests were made in connection with keyless car theft

Our research shows that the main impact of these ldquokeyless incidentsrdquo is car theft which accounts for 40 of all incidents making it the most significant

9Automotive cyber incidents in H1 2019 surpass all of 2018

This continues to be the trend as we saw in Q1 2019 The vulnerability of remote keyless entry systems is a favorite with hackers We are also seeing an increase in the amount of attacks targeting commercial vehicles in addition to privately owned cars In June we saw 14 cases in the UK where criminals used this vulnerability to target commercial vehicles and held them for ransom demanding thousands of pounds for their return Victims reported that they were threatened by the perpetrators if they went to the police These criminals used a ldquorelay attackrdquo hacking technique which involves intercepting amplifying and relaying communication between the wireless entry key fob (usually located inside the victimrsquos house) and the vehicle (parked outside) The attack allowed hackers to open the car and start

Top attack vectors H1 2019

the engine without a key fob In May 28 Mercedes Sprinter vans were stolen in the UK when criminals used a transmitter to amplify the signal emitted from the key Thankfully and quite rarely we also saw a few incidents where the police were able to apprehend the perpetrators In Malaysia police arrested 5 thieves after 11 vehicles were stolen and in the UK one of the first arrests were made in connection with keyless car theft

Our research shows that the main impact of these ldquokeyless incidentsrdquo is car theft which accounts for 40 of all incidents making it the most significant

10Automotive cyber incidents in H1 2019 surpass all of 2018

SERVER-RELATED HACKS ACCOUNT FOR 18 OF ALL INCIDENTS AND INCLUDE MULTI-VEHICLE ATTACKS AND RANSOMWARE

11Automotive cyber incidents in H1 2019 surpass all of 2018

Server-related incidents involve attacks where hackers take control of backend servers (ie telematics servers) where they are then able to access sensitive data remotely track and control vehicles disrupt the companyrsquos services and more One incident that stood out took place in April when a hacker broke into thousands of GPS tracker app accounts gained access to the back-end service and was able to access data and even control tens of thousands of vehicles around the world Thankfully this was done by a white-hat hacker who wanted to highlight the vulnerabilities and force these companies would address them By accessing their servers he was able to see the location of thousands of vehicles access the sensitive and personal data of the apprsquos users and even send commands to open doors and shut down engines while the car was moving which could have put the passengers at risk Another incident was reported in March when vulnerabilities were exposed in two smart alarm systems that hackers were able to access via the telematics servers This allowed hackers to potentially take over accounts track vehicle locations and send remote commands to vehicles from unlocking doors to turning off engines

The most safety critical impact of server-based attacks is when backend telematics servers are attacked allowing hackers to remotely control the carrsquos systems This is also the most dangerous as it allows the perpetrator to lock and unlock doors and even shut down the engine while the vehicle is moving Controlling car systems accounts for 18 of the overall impact putting it in second place overall

Another impact we have found as a result of server-based attacks is access to sensitive data either personal or organizational This resulted in 11 of the overall impact of H1 incidents Ransomware amongst others became an apparent mechanism to target numerous companies

11Automotive cyber incidents in H1 2019 surpass all of 2018

Server-related incidents involve attacks where hackers take control of backend servers (ie telematics servers) where they are then able to access sensitive data remotely track and control vehicles disrupt the companyrsquos services and more One incident that stood out took place in April when a hacker broke into thousands of GPS tracker app accounts gained access to the back-end service and was able to access data and even control tens of thousands of vehicles around the world Thankfully this was done by a white-hat hacker who wanted to highlight the vulnerabilities and force these companies would address them By accessing their servers he was able to see the location of thousands of vehicles access the sensitive and personal data of the apprsquos users and even send commands to open doors and shut down engines while the car was moving which could have put the passengers at risk Another incident was reported in March when vulnerabilities were exposed in two smart alarm systems that hackers were able to access via the telematics servers This allowed hackers to potentially take over accounts track vehicle locations and send remote commands to vehicles from unlocking doors to turning off engines

The most safety critical impact of server-based attacks is when backend telematics servers are attacked allowing hackers to remotely control the carrsquos systems This is also the most dangerous as it allows the perpetrator to lock and unlock doors and even shut down the engine while the vehicle is moving Controlling car systems accounts for 18 of the overall impact putting it in second place overall

Another impact we have found as a result of server-based attacks is access to sensitive data either personal or organizational This resulted in 11 of the overall impact of H1 incidents Ransomware amongst others became an apparent mechanism to target numerous companies

12Automotive cyber incidents in H1 2019 surpass all of 2018

MOBILE ATTACKS ACCOUNT FOR 8 OF INCIDENTS

13Automotive cyber incidents in H1 2019 surpass all of 2018

Top impact H1 2019

Mobile apps are increasing in use owing to their high demand and convenience but they are also used as another entry point to access servers and vehicles In April an incident took place on a popular telematics system A vulnerability in the mobile apps was found which allowed hackers to remotely send commands and retrieve data granting them unauthorized physical access to the vehicle The maker of the popular vehicle telematics system has left hardcoded credentials inside its mobile apps leaving tens of thousands of cars vulnerable to hackers The implications here to physical safety are immense

Upstreamrsquos research indicates that the impact of mobile attacks varies Disruption of the businessrsquo services which accounts for 15 of the overall impact is prevalent This was apparent in the US when a group of black-hat attackers in Chicago used the Car2Go app to steal luxury vehicles As a result Car2Go halted their service over the entire Chicago area According to Car2Go this incident not only involved the mobile app but included fraudulent methods Fraud accounts for 8 of the overall impact in H1 of 2019

13Automotive cyber incidents in H1 2019 surpass all of 2018

Top impact H1 2019

Mobile apps are increasing in use owing to their high demand and convenience but they are also used as another entry point to access servers and vehicles In April an incident took place on a popular telematics system A vulnerability in the mobile apps was found which allowed hackers to remotely send commands and retrieve data granting them unauthorized physical access to the vehicle The maker of the popular vehicle telematics system has left hardcoded credentials inside its mobile apps leaving tens of thousands of cars vulnerable to hackers The implications here to physical safety are immense

Upstreamrsquos research indicates that the impact of mobile attacks varies Disruption of the businessrsquo services which accounts for 15 of the overall impact is prevalent This was apparent in the US when a group of black-hat attackers in Chicago used the Car2Go app to steal luxury vehicles As a result Car2Go halted their service over the entire Chicago area According to Car2Go this incident not only involved the mobile app but included fraudulent methods Fraud accounts for 8 of the overall impact in H1 of 2019

14Automotive cyber incidents in H1 2019 surpass all of 2018

OBD RELATED INCIDENTS RESULTED IN 65 OF ALL ATTACKS IN H1 2019

15Automotive cyber incidents in H1 2019 surpass all of 2018

In May an OBD related attack led a Tesla vehicle to shut down When hackers attached an ELM327 OBD-II Bluetooth module to the vehiclersquos diagnostic interface they could analyze traffic and readsend CAN messages By replicating existing messages of random length and content the hackers were able to generate an influx of error messages which led to a shutdown of the front and rear motors The impact in this case was two-fold ndash not only a disruption to the companyrsquos services but shutting down motors could be potentially life-threatening

15Automotive cyber incidents in H1 2019 surpass all of 2018

In May an OBD related attack led a Tesla vehicle to shut down When hackers attached an ELM327 OBD-II Bluetooth module to the vehiclersquos diagnostic interface they could analyze traffic and readsend CAN messages By replicating existing messages of random length and content the hackers were able to generate an influx of error messages which led to a shutdown of the front and rear motors The impact in this case was two-fold ndash not only a disruption to the companyrsquos services but shutting down motors could be potentially life-threatening

16Automotive cyber incidents in H1 2019 surpass all of 2018

Analyzing these incidents is critical to understanding automotive cyber threats and how to address them in this industry The increased use of connected vehicles and smart mobility services together with the rising number of incidents is undeniable and the severity of these attacks threatens companies as well as consumers The research team at Upstream will continue to monitor and analyze incidents as they occur enabling the ability to stay one step ahead of perpetrators as Upstreamrsquos platform evolves

Summary

Receive more information on reported automotive cyber incidents and subscribe to updates on new incidents on Upstreamrsquos research page

17

Upstream improves the safety and security of connected vehicles and services built for them It does this by monitoring business critical events and identifying cyber threats in real-time via a centralized cloud-based analysis of multiple automotive data feeds including telematics and mobile applications The solution is 100 agent-less and does not require any hardware or software inside the vehicles Upstreamrsquos solution is already used by millions of vehicles worldwide providing an effective and innovative method of detecting threat anomalies and mission critical events using a combination of machine learning cybersecurity engines and service policy enforcement The result enables Smart Mobility services to run safely and smoothly while providing the customer with real-time alerts tailored to their needs

Visit us at wwwupstreamautoContact helloupstreamautoFind us

About Upstream Security

For More Information

copy 2019 Upstream Security Ltd All Rights Reserved