Unmasked: Predatory Cyber Risks Unveiled in Early-Stage Battery Electric Vehicle Development

Unidentified Hackers Unveil Cyber Concerns in Early Electric Vehicle Development


In a groundbreaking discovery, white-hat researchers at PlaxidityX have taken remote control of a new battery-electric vehicle before production, exposing weaknesses in some automakers' cybersecurity measures for software-defined vehicles (SDVs).

During an eight-day project, the team was able to penetrate the vehicle system via Wi-Fi and uncover several critical security issues. By recovering the Security Access algorithm used for UDS authentication, they bypassed the challenge-response mechanism and enabled unrestricted diagnostic access.

The researchers also managed to authenticate and perform lateral movement within the internal network, eventually reaching the vehicle’s central gateway. By reverse engineering internal binaries, they extracted hardcoded credentials for a secured MQTT server, allowing them to perform actions normally available through the official app.

More alarmingly, they replaced proprietary binaries with malicious versions, gaining access to the CAN bus and control over vehicle functions. The team was even able to gain control over safety-critical systems and enable the theft of the vehicle.

Recovery required a full battery reset, underscoring the severity of the security breach.

Ziv, a researcher involved in the project, emphasizes that penetration testing is crucial for making things secure and not just for compliance reasons. He suggests that vehicles are moving from non-cyber-relevant to cyber-relevant, and current regulations are unable to ensure a more secure car.

The study, "Securing the Future: Cybersecurity for Automotive High-Performance Computers," presented a real-world vehicle penetration testing project on a BEV. It highlighted security problems through insecure Wi-Fi networks, hardcoded credentials, insecure MQTT, and weak UDS Security Access implementation.
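The weak UDS Security Access finding can be illustrated with an added example (not code from PlaxidityX or from the vehicle): a seed/key check protected only by a secret algorithm, beside one keyed with a per-ECU secret, single-use seeds and an attempt limit. The transform in `weak_key`, the 16-byte sizes, `MAX_ATTEMPTS` and all names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed lockout threshold

def weak_key(seed: bytes) -> bytes:
    """Constructed stand-in for a secret-algorithm scheme: no per-ECU secret."""
    return bytes(((b ^ 0x5A) + i) & 0xFF for i, b in enumerate(seed))

def hmac_key(ecu_secret: bytes, seed: bytes) -> bytes:
    """Keyed scheme: the response depends on a per-ECU secret, not on secrecy of the code."""
    return hmac.new(ecu_secret, seed, hashlib.sha256).digest()[:16]

class SecurityAccess:
    """Minimal model of the ECU side of a seed/key exchange with lockout."""
    def __init__(self, derive):
        self.derive = derive   # function: seed -> expected key
        self.seed = None
        self.failed = 0
        self.unlocked = False

    def request_seed(self) -> bytes:
        if self.failed >= MAX_ATTEMPTS:
            raise PermissionError("too many failed attempts")
        self.seed = secrets.token_bytes(16)  # fresh, unpredictable challenge
        return self.seed

    def send_key(self, key: bytes) -> bool:
        if self.seed is None or self.failed >= MAX_ATTEMPTS:
            return False
        expected, self.seed = self.derive(self.seed), None  # seed is single-use
        if hmac.compare_digest(expected, key):  # constant-time comparison
            self.unlocked, self.failed = True, 0
            return True
        self.failed += 1
        return False

def demo():
    ecu_secret = secrets.token_bytes(32)  # constructed; belongs in an HSM or secure element
    weak = SecurityAccess(weak_key)
    strong = SecurityAccess(lambda s: hmac_key(ecu_secret, s))
    # A client that knows only the algorithms (e.g. read out of a binary), not the secret.
    weak_ok = weak.send_key(weak_key(weak.request_seed()))
    strong_ok = strong.send_key(hmac_key(b"\x00" * 32, strong.request_seed()))
    # An authorized tool that holds the per-ECU secret.
    legit_ok = strong.send_key(hmac_key(ecu_secret, strong.request_seed()))
    return weak_ok, strong_ok, legit_ok
```

`demo()` returns `(True, False, True)`: knowing the algorithm is enough to pass the first check but not the keyed one.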

To secure SDVs, PlaxidityX recommends a layered defense integrating threat modeling, lifecycle risk management, compliance with evolving regulations, secure software development practices, advanced monitoring technologies, and supply chain security management.

Key security measures to focus on include developing dynamic cyber threat models, implementing end-to-end cybersecurity risk management frameworks, adhering to robust cybersecurity regulations and standards, emphasizing security by design and secure development culture, protecting critical functions and communication protocols, deploying advanced technology solutions, and addressing supply chain and cloud service risks.

In light of these findings, Mahle has made an urgent call for the EU to reverse its phase-out of internal combustion engines (ICE). The hack exposed the vulnerabilities of modern cars entering the market with technology up to five years out of date, giving hackers about 20 years to research this vehicle.

In conclusion, securing SDVs requires a holistic approach combining technical safeguards with organizational governance and cultural alignment toward cybersecurity. This integrated approach ensures that vehicles remain resilient against sophisticated cyberattacks threatening safety, privacy, and operational integrity.

  1. The automotive industry, particularly the sector focused on software-defined vehicles (SDVs), faces significant challenges in cybersecurity, as demonstrated by the white-hat researchers at PlaxidityX who took control of a new battery-electric vehicle before production.
  2. Financing for the development of secure vehicles and technologies within the automotive industry is essential, given the increasing reliance on Wi-Fi, internal networks, and other digital systems, which can be vulnerable to attacks.
  3. The transportation sector, especially the automotive industry, must prioritize cybersecurity measures, such as threat modeling, secure software development practices, and advanced monitoring technologies, to protect against malicious actors who could potentially hijack vehicles or steal sensitive data.
