Auto cybersecurity firm predicts consumers will emerge as hackers; attacks expected on fleets, EV charging infrastructure

Add vehicle owners to the growing list of potential cybersecurity threats against automakers in 2023.

Early adopters of new digitized offerings from automakers will find ways to bypass premium features by manipulating their vehicles' systems fraudulently, according to executives from Israeli cybersecurity firm Upstream.

Speaking at a cybersecurity webinar Tuesday, the Upstream team said consumers may push back as automakers launch subscription-based services and features in new vehicles.

Automakers — from BMW and Tesla to Volkswagen, Toyota and General Motors — have offered monthly subscriptions for services like heated seats, global positioning systems, music streaming and remote keyless start functions with varying degrees of success.

Cybersecurity is a growing concern for the auto industry, and as vehicles become digital platforms, a group of so-called white hat hackers — researchers who uncover vulnerabilities and notify automakers and suppliers — are finding problems. Last year, security engineer Sam Curry hacked into Reviver, a digital license plate company that has fleets as customers. Curry gained full "super administrative access" to manage all of Reviver's user accounts and vehicles. His team found ways to penetrate BMW, Rolls-Royce, Jaguar-Land Rover, Mercedes-Benz, Porsche, Ferrari and Ford's customer and employee information.

Upstream expects that black hat hackers — those using vulnerabilities for nefarious reasons — will focus on automotive fleets this year. In 2022, black hat hackers focused most of their attention on breaching automakers' telematics and application servers, representing 35 percent of auto cybersecurity breaches, according to Upstream.

In 2022, Upstream counted 268 publicly reported automotive cyber attacks, up from 245 incidents publicly reported in 2021.

The number of attacks is growing steadily. Upstream cited 230 incidents in 2020, 196 in 2019 and 79 in 2018.

From 2010 to 2022, the firm recorded 1,173 publicly reported auto-related cybersecurity attacks.

With fleet operators increasingly dependent on mobility applications, malicious hackers will exploit application programming interface vulnerabilities and leverage the data created by them for financial gain, Upstream executives said. APIs are a set of definitions and protocols that allow different software to communicate.

In 2022, the number of automotive and smart mobility API-related hacks increased by 380 percent over 2021, accounting for 12 percent of total incidents, according to Upstream.

APIs underpin electric vehicle charging stations and will provide another entryway for black hat hackers to attack these systems. The technology and software supporting EV charging stations will need to focus on cybersecurity detection and mitigation, Upstream executives said.

Hacks against EV charging infrastructure made up 4 percent of total auto-related cybersecurity breaches last year.

The threat to fleets' sensitive data coupled with the rise in EV charging infrastructure attacks represents a serious risk to public safety that will lead transportation policymakers and lawmakers to draft next-generation automotive cybersecurity regulations in 2023, Upstream executives said.

Another emerging cybersecurity development for 2023 is increasing automation of virtual security operations centers, which allow automakers to monitor the security of their systems in real-time.