A cyber security researcher gained control of an OEM’s entire connected vehicle fleet. He exploited a vulnerability in Tesla's server-side mechanism to access Tesla's network and view a repository of server images. One of the servers accessed was the command-and-control server that communicated with Tesla's fleet, including remote commands and diagnostic information. A critical vulnerability in the server enabled the hacker to control any vehicle in the fleet.

Keyless entry – more than 25%
Keyless entry needs to be in proximity to the car.
Remote fobs – require pushing a button to open the doors; allow you to start the engine wirelessly and drive away.
The most common attack vectors used to break into and steal vehicles.
The market has many “smart devices” capable of performing attacks on keyless entry. Not cheap, but accessible.

Application and mobile application – almost 10%
3 vulnerabilities were found in the Android Automotive OS (AAOS) – a malicious application could bypass user interaction requirements to gain access to additional permissions. (Dec 2021)

A vulnerability (CVE-2021-29507) was found in a diagnostic log and trace tool of GENIVI Alliance, an automotive industry alliance that develops standard approaches for integrating operating systems and middleware present in the centralized and connected vehicle cockpit. The vulnerability allows a remote attacker to perform a denial of service (DoS) attack. (May 2021)

Analysts found 29 potential cybersecurity attack vectors and ranked five as the highest risks, which derived from connected cars' use of satellite, cellular, Wi-Fi, Bluetooth, RDS, eSIM-based telematics, and other types of connectivity to send and receive data. The authors noted that all these network-centric applications created new attack surfaces in connected cars. (Feb 2021)

Researchers reverse engineered the Android head unit system of the KIA Cee'd, exploited the vehicle's ability to install third-party applications, and instead installed an app containing malware. (Nov 2020)