COLLATERAL, RESEARCH | September 20, 2023

Commonalities in Vehicle Vulnerabilities | 2022 Decade Examination | Samantha Beaumont

With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. At the forefront of transportation cybersecurity research, IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to IOActive’s paper on vehicle vulnerabilities originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes. The target audience of this research is individuals seeking insights into the trends of automotive cybersecurity, and how to better address any causalities noted within this paper.

Some of the major technical findings from IOActive’s analysis:

  • There was a significant drop in the proportion of critical-impact vulnerabilities from 2016 to 2018. Critical-impact vulnerabilities decreased by 15%, causing the distribution of medium- and low-impact vulnerabilities to increase.
  • The industry saw significant growth in incorporating cybersecurity into the design of automotive systems from the start; for example, ensuring that processes that handle data run with limited privileges, which helps lower the impact of the most likely attacks in the event of a compromise.
  • There was an early warning observed in 2018 that the industry appears to be focusing on severity of ease-of-exploitation over actual risk.
  • A sharp decrease in physical attacks was reported, which was mainly due to industry attention focusing on remote-based attack vectors.
  • The trends observed between 2018 and 2022 are the complete opposite to what IOActive previously observed, which indicates a bounce-back effect. High-effort vulnerabilities have decreased by 6% and medium-effort have decreased by 11%, resulting in a major increase (17%) of low-hanging fruit issues.