Many auto workshops do not know enough about how to keep our cars safe from cyberattacks. This is revealed in a new study from the University of Skövde. "A large proportion of the vehicle fleet could practically be entirely open to attacks or already breached," says Marcus Nohlberg, docent in cybersecurity at the University of Skövde.
Our modern cars can be described as connected, advanced computers on wheels, and these computers handle everything from anti-skid systems to adaptive cruise control.
Cars can become targets for cyberattacks
Recently, car computer systems have also started communicating with each other. This communication occurs outside the car. The intention is to avoid collisions, but it also opens up risks, and cars can become targets for cyberattacks. In 2015, two security researchers demonstrated how they could take control of a Jeep Cherokee’s brakes and steering.
However, a new study from the University of Skövde shows that security awareness and knowledge among auto workshops are still low when it comes to cybersecurity. So, what happens if auto workshops do not have the necessary knowledge or awareness to handle car software correctly?
"A large proportion of the vehicle fleet could practically be entirely accessible to attacks or already breached," says Marcus Nohlberg, who, together with Martin Lundgren, senior lecturer in informatics, and David Hedberg, a former student at the University of Skövde, is behind the study.
Car owners cannot protect themselves
But the extent is difficult to assess. This is due to a lack of transparency in how car manufacturers operate. One issue highlighted in the study is that car manufacturers have devised a solution for managing software exclusively accessible to authorised workshops. This exclusivity fosters significant uncertainty regarding the proper handling of the software, consequently leading to unaddressed security concerns.
"This is particularly true for workshops that are not authorised. They are often forced to use unofficial methods to manage the cars. For most people, the car is the most advanced computer they have, but they currently have no way to influence updates and information security," says Martin Lundgren.
Significant risks that are not addressed
The researchers behind the study believe that both the public and professionals need greater insight into the systems. If more than just authorised workshops were allowed to use official software to update cars and had insight into the car's security, it would benefit safety. The current situation makes sense from the manufacturers’ perspective, but the consequences for owners and society at large could be enormous.
“A large portion of the vehicle fleet may have significant vulnerabilities without us having any opportunity to control or protect ourselves against them at all. For us, it has been an eye-opener that there are such significant previously unknown risks in the automotive industry that are not being addressed," says Marcus Nohlberg.
More about the study
The results from the study were published in the journal Information and Computer Security with the title "Cybersecurity in modern cars: awareness and readiness of auto workshops."
