The report reviews the development of information security for intelligent connected vehicles in 2019 from five aspects: network security development trends, emerging attack methods, automobile security attack incidents, a summary of automobile safety risks, and security construction recommendations. In 2019, two new types of attacks appeared in the Internet of Vehicles, and most car manufacturers are affected. The vulnerability of digital car keys also opened the Pandora's box of car security. The "golden section point" of car network security lies in the security management of suppliers. The "Report" recommends that the security of the Internet of Vehicles be considered from both the positive and negative sides and that active defense be adopted. The report points out that the communication module is the root cause of mass vehicle control. Automobile manufacturers should follow the series of automotive network security standards that are about to be implemented, implement strict supply chain management mechanisms, conduct penetration tests regularly, and continuously monitor network security risks.

Intelligent connected vehicles are moving towards diversified development

In 2019, China's automobile production and sales were 25.721 million and 25.769 million, down 7.5% and 8.2% year-on-year, respectively, but the decline in the industry has narrowed. The automobile industry has also entered a critical period of changing its development mode, optimizing its industrial structure, and shifting from high-speed growth to high-quality development. The "New Four Modernizations" of automobiles, with "electrification, intelligence, networking, and sharing" as the core, have become a consensus among the government, vehicle manufacturers, automobile suppliers, technology companies, and consumers.
With the continuous advancement of the "New Four Modernizations", the thousands of mechanical parts originally found in automobiles have gradually been replaced by the "three-electric" system, which comprises the motor and electronic control, the power battery, and the vehicle controller. At the same time, new business scenarios have spawned electronic and electrical components such as the automotive T-Box and digital car keys, which have introduced a series of new network security risks. The "Report" conducts an overall analysis from two aspects: the new security challenges faced by the new generation of E/E architecture, and the security challenges faced by autonomous driving algorithms and sensors.

In 2020, standards for automotive cybersecurity will be fully rolled out at home and abroad. Generally speaking, they will target application scenarios such as autonomous driving and V2X, and guide the automotive industry chain in carrying out cybersecurity activities at every stage: concept, development, production, and operation and maintenance. Since 2019, many car companies have joined hands with Internet companies to solve network security issues through strategic cooperation and joint laboratory construction. This means that the "New Four Modernizations" have gone beyond the automotive field and are moving towards a horizontal and diversified development space.

New attack methods in the Internet of Vehicles are almost universal

In 2019, two new types of attacks emerged in the Internet of Vehicles: remote control hijacking attacks based on information leakage from vehicle communication modules, and attacks on autonomous driving algorithms based on generative adversarial networks. These two new types of attacks can affect most car companies. As early as 2018, 360 explored an attack method that achieved remote control of vehicles in batches by cracking the communication module and using the private APN to infiltrate the car company's TSP platform.
In December 2019, 360 and Mercedes-Benz jointly discovered and fixed 19 vulnerabilities that enabled such attacks, including 6 CVE vulnerabilities, affecting more than 2 million vehicles on the road. The two parties jointly presented the results of this vulnerability research at the RSA Conference. The communication module is the first line of defense connecting the vehicle to the external network. If it is cracked by hackers, it becomes possible to remotely open and close the doors and windows, start and shut down the engine, and perform other vehicle control operations, threatening the user's life and property. Extensive research found that such vulnerabilities are widely present in the Internet of Vehicles systems of car companies and urgently need the attention of the majority of car companies.

The attack on autonomous driving algorithms based on generative adversarial networks stems mainly from the lack of special training data, such as adversarial samples, during the training of the deep learning model. Although deep machine learning represents the future direction of technology, researchers' experiments have shown that, in current practical applications, adversarial samples can be generated through specific algorithms to directly attack the image recognition system. Neural network algorithms still carry certain security risks, which deserve attention.
Top 10 security incidents involving connected cars in 2019

In 2019, there were ten major security incidents in the field of intelligent connected vehicles worldwide: remote control hijacking attacks based on communication modules, attacks on autonomous driving algorithms based on generative adversarial networks (GANs), relay attack threats to Tesla's PKES system, buffer overflow vulnerabilities in the Tesla Model S/X WiFi protocols, vulnerabilities in shared car apps, questionable security of autonomous driving systems based on lidar, account hijacking vulnerabilities in Uber, vulnerabilities in aftermarket car anti-theft systems, intrusions into Toyota's car servers, and APT attacks on BMW.

Through the analysis of typical security incidents, the report summarizes the four major risks to current automobile safety: automobile attack incidents are growing rapidly and new attack methods keep emerging; smart connected vehicles lack anomaly detection and active defense mechanisms; digital keys have become a new attack surface that has attracted widespread attention; and autonomous driving algorithms and V2X systems will become new hot targets of attack.

Digital car key vulnerabilities open a Pandora's box of car security

Digital car keys can be used in emerging application scenarios such as remote summoning and automatic parking. This diversity of application scenarios also makes digital keys vulnerable to attacks. The "short board effect" of digital car keys is significant: if any link such as identity authentication, the encryption algorithm, key storage, or data packet transmission is compromised, the entire digital car key security system collapses. The most common attack method at present is to amplify the signal of the digital car key through a relay attack, thereby stealing the vehicle. In 2019, Europe and the United States successively reported thefts of high-end brand vehicles through relay attacks.
In the UK in particular, there were more than 14,000 thefts targeting PKES systems in the first 10 months of 2019 alone, which is equivalent to one such theft every 38 minutes. The thieves usually take less than 30 seconds to commit the crime, and the tools used, relay devices, and attack tutorials can even be purchased online, which causes great harm to personal and property safety.

Five suggestions for the safety construction of intelligent connected vehicles

The report puts forward five major safety recommendations regarding the safety risks and hidden dangers faced by smart connected vehicles.

First, establish a safety responsibility system for key links of suppliers. It can be said that the "golden section" of automotive network security lies in the safety management of suppliers. The "New Four Modernizations" will accelerate the development of new products by first-tier suppliers. New first-tier suppliers will then also join the OEM procurement system, and the original supply chain pattern will be reshaped. Supply chain management will become a new pain point for automotive network security. OEMs should comprehensively evaluate suppliers from multiple aspects such as quality system, technical capabilities and management level.

Second, promote safety standards and lay a solid foundation for safety. 2020 will be the year when automotive cybersecurity standards are fully rolled out.
In line with ISO 21434 and other cybersecurity standards, cybersecurity work should be deployed comprehensively across the concept, development, production, operation, maintenance, and destruction stages. This means integrating risk assessment into the entire life cycle of automobile production and manufacturing, establishing a sound supply chain management mechanism, referring to the cybersecurity standards for electronic and electrical components, conducting penetration tests regularly, continuously monitoring cybersecurity data, and conducting security analysis in combination with threat intelligence to achieve situational awareness, so as to effectively manage security risks.

Third, build a multi-dimensional security protection system and strengthen security monitoring measures. Passive defense solutions cannot cope with emerging network security attack methods. Therefore, it is necessary to deploy new security protection products such as secure communication modules and secure car gateways on the vehicle side to actively discover attack behaviors, and to promptly issue warnings and block them. Through multi-node linkage, a layered defense-in-depth system can be built.

Fourth, use threat intelligence and security big data to improve security operations capabilities. The network security environment is changing rapidly. High-quality threat intelligence and continuously accumulated security big data can help automakers maximize their security operations capabilities at a relatively low cost, thereby coping with unpredictable network security challenges.

Fifth, the construction of a good automotive safety ecosystem relies on sincere cooperation. Every profession has its own expertise. Internet companies and security companies draw on the technical experience accumulated in the traditional IT field to keep up with the rapid development of automotive network security, and have unique research and insights into related automotive electronic and electrical products and solutions.
Only when upstream and downstream companies in the industrial chain form a joint force can they jointly elevate automotive network security to a new height of "active in-depth defense" and escort the mature implementation of the "New Four Modernizations".

360 Automotive Security Brain intercepts 35,000 attacks to protect smart connected cars

360 is committed to protecting users' network security and travel safety. 360 Security Brain and Smart Connected Car Security Brain were both shortlisted as "New Generation Artificial Intelligence Industry Innovation Key Task Shortlisted Units" by the Ministry of Industry and Information Technology. So far, 360 Automotive Security Brain has intercepted 35,000 attacks, provided security assessments for car manufacturers, and discovered more than 500 security issues in the Internet of Vehicles, affecting 4.5 million smart cars. Currently, 360 has cooperated with 80% of the mainstream automobile manufacturers in China, and more than 500,000 cars on the road are connected to the 360 car safety brain for real-time protection.

In addition, 360 also led China's first international standard for automobile information security - ITU-T X.mdcv (security detection mechanism for abnormal behavior of connected cars based on big data analysis), participated in the formulation of more than 10 automobile network security standards in bodies such as ISO, the Automotive Standards Committee, the Information Security Standards Committee, and the Communications Standards Committee, and has applied for more than 30 patents related to automobile network security, fully protecting the safety of intelligent connected cars.