VicOne report points to rise in automotive data exploitation

DALLAS and TOKYO, December 5, 2023—VicOne announced the availability of VicOne Automotive Cyberthreat Landscape Report 2023. Based on data from automotive original equipment manufacturers (OEMs), suppliers and dealers globally, key highlights of the report are:

  • Growth in usage and monetization of automotive data—and, in turn, threat of exploitation by cybercriminals
  • Trends and incidents that have arisen this year in the dynamic automotive cyberthreat landscape
  • Predictions of upcoming developments and key focus areas for an effective cybersecurity strategy for the next year and beyond

“In our analysis of the threat landscape, we noticed that the losses from cyberattacks in the first half of the year exceeded US$11 billion. This marked an unprecedented surge compared to the last two years,” reads VicOne Automotive Cyberthreat Landscape Report 2023. “A closer examination reveals that these cyberattacks predominantly targeted automotive suppliers, indicating a rising trend. Alarmingly, over 90% of these attacks were not aimed at OEMs themselves. Instead, they were directed at other entities in the supply chain. Attackers often find it difficult to penetrate well-protected companies, so they target less vigilant firms instead. The supply chain disruptions affect OEMs all the same. Consequently, defending systems against cyberattacks is no longer just about securing an individual firm. Moreover, it is about strengthening the entire supply chain.”

The new VicOne report untangles the cybersecurity issues developing. This is happening along with the increasing complexity of vehicles and their integration of connectivity, automation, and advanced driver assistance systems (ADAS). Industry losses are growing from cyberattacks such as ransomware and exposure of leaked data or personally identifiable information (PII). Additionally, there are costs associated with system downtime. The calculations in VicOne Automotive Cyberthreat Landscape Report 2023 are based only on tangible costs related to technology and operations. They do not include intangible costs such as branding, public relations, sales, and marketing expenses.

The report identifies how attackers can compromise vehicle data through the top vulnerabilities. It lists common weakness enumeration (CWE) vulnerabilities in tables. Out-of-bounds write (OOBW), out-of-bounds read (OOBR), buffer overflow, use after free and improper input validation vulnerabilities are among the most frequent issues that VicOne documented. Engineers discovered most of the issues on chipsets or systems-on-chip (SoCs). Vulnerabilities in third-party management applications and in-vehicle infotainment (IVI) systems followed the issues. Third-party suppliers—including logistics providers, service providers and companies engaged in the production of components, accessories or parts—have emerged as a growing focus of attacks.

The VicOne report presents case studies on some of the key incidents from the last year, including the Zenbleed vulnerability, potentially leading to the leakage of sensitive data at a remarkably fast rate of 30kb/s per core; CAN bus injection, emerging as a favorite technique among vehicle thieves; and penetration of backend cloud infrastructure, by exploiting vulnerabilities in telematics systems and application programming interfaces (APIs).

While noting that there is currently a regulatory vacuum when it comes to vehicle data, the VicOne report points out that UN R155 will mandate safety conditions for newly manufactured cars by July 2024.

“It’s clear that the automotive industry needs to give higher priority to cybersecurity, in terms of resources and budget. That is something that must be happening continually—building up the processes, building up the organization, building up the talent, building up the entire system—or you will never be able to implement cybersecurity effectively,” said Max Cheng, chief executive officer of VicOne. “Now is the time for organizations throughout the global automotive industry to get serious about exploring how to build up their capabilities across the important focus areas that our new report covers.”

VicOne Automotive Cyberthreat Landscape Report 2023 is available at

News related to VicOne –

Back to top button