This paper takes a meta-data analysis of the multitude of private vehicle security assessments that have conducted and combines them with publicly available research to get a picture of what kind of vulnerabilities that are seen, which systems and attack vectors seem to be the most affected, and how significant the vulnerabilities really are. This data is extremely useful when considering cybersecurity strategy and planning within an organization. In 2013 IOActive conducted about two thousand man hours of combined research and services in the vehicle cybersecurity space. In 2014 it doubled to four thousand. In 2015 it more than doubled to ten thousand. 2016 looks to follow the pattern. The IOActive Vehicle Cybersecurity Division is in a unique position to provide valuable insight into common struggles, failures, and solutions that the industry faces. This research uses hard, real data taken from real vulnerability assessments of real vehicle systems. We have conducted enough of these assessments to properly anonymize the sources of this information and extract the valuable “big-picture” aspects. First, in order to make use of the data we need to establish a basic foundation of cybersecurity terminology and comprehension. We will discuss threat modeling, attack vectors, and attacker methodologies in order to understand how these vulnerabilities came to be discovered. Second, we will discuss how they are categorized and walk through evaluating an example vulnerability. Third, we will look at the data itself and answer some key questions such as: Which kinds of vulnerabilities most commonly affect the Connected Car? What attack vector is most commonly used to compromise a vehicle? What percentage of vulnerabilities would defense product XYZ mitigate? How do I best manage my limited cybersecurity resources to maximize effectiveness?
Corey Thuen (Fri,) studied this question.