IOActive: Fewer Critical Vulnerabilities Found in Cars

IOActive Reports Decline in Critical Car Vulnerabilities

Experts from IOActive have analyzed automotive vulnerabilities over the past decade and found that the auto industry is paying more attention to cybersecurity, resulting in a sharp decrease in critical bugs.

Study Overview

The IOActive study reviewed vulnerabilities discovered over the last 10 years, with a focus on trends in three sample years: 2016, 2018, and 2022. Each vulnerability was rated on two axes, potential impact and likelihood of exploitation, and an overall risk level was derived by combining the two, so a bug can be rated critical on one axis without being critical overall.

Vulnerability Classification

According to IOActive’s classification, critical vulnerabilities are those that can be exploited remotely, are easy to detect, and whose exploitation could lead to full compromise of vehicle components or pose a safety threat. High-risk vulnerabilities are those that can also be exploited remotely with little preparation, potentially resulting in partial control over components, disclosure of confidential information, or a safety risk.

Key Findings

  • The share of vulnerabilities rated critical by overall risk dropped from 25% of all vulnerabilities in 2016 to 10% in 2018 and 12% in 2022.
  • The proportion rated high risk gradually decreased from 25% in 2016 to 21% in 2022.
  • Overall, over the past 10 years, the share of critical issues fell by 13 percentage points, and high-risk issues by 4 percentage points.
  • On the likelihood-of-exploitation axis alone, vulnerabilities rated critical (the easiest to exploit) made up only 1% of all vulnerabilities in 2022, down from 7% in 2016.
  • The share rated high likelihood of exploitation also dropped, to 16% in 2022 from 21% in 2016.

IOActive believes this shows that vulnerabilities are becoming harder to exploit and that “vulnerability discovery vectors are becoming less remote.”

Industry Improvements

Researchers note that between 2018 and 2022, the automotive industry learned from its early mistakes and improved its development processes. Over the past decade, the share of bugs with a critical likelihood of exploitation decreased by 6 percentage points, and those with a high likelihood by 5 percentage points.

Analysts attribute these positive trends to the industry’s adoption of cybersecurity measures earlier in the development process and increased efforts to neutralize the most likely attack vectors. The overall maturity of cybersecurity methods has also improved.

Attack Vectors

The share of vulnerabilities whose attack vector requires physical access to hardware dropped from 28% in 2016 to 10% in 2022, while local and network vectors increased. IOActive also noted a small but significant rise (from 0% to 1%) in radio frequency attack vectors, particularly those targeting remote keyless entry and Bluetooth systems.

Future Concerns

In conclusion, IOActive experts expressed concerns about future developments. While critical vulnerabilities are now less common, attackers may increasingly chain several less severe flaws (whose numbers are actually growing) to reach the same outcome, instead of relying on a single critical bug.