
Is cybersecurity the next arena of "involution" (卷, cut-throat competition) for smart cars?

author:FreeBuf

In the first quarter of 2024, the Chinese auto market carried on in the style of 2023, and the core of that style is 卷 (juan): cut-throat competition.

In 2023 the "fiercest price war" to date broke out in the Chinese auto market, and the market space for fuel vehicles has kept shrinking until only a last breath remains. Recently the China Passenger Car Association released data for April 1 to 14 showing that the penetration rate of new energy (intelligent) vehicles exceeded 50% for the first time; almost unnoticed, the positions of the two have been reversed.

At the same time, smart car technology is advancing rapidly and emerging technologies are being adopted quickly. In just a year or two, intelligent driving has moved from high-end models to the mass market, large AI models have been put into production, the intelligent cockpit is becoming the core competitive feature of new cars, and intelligent interaction has become the industry standard.


As smart cars develop toward intelligence and connectivity, V2X smart mobility is foreseeable, and the car is no longer just a means of transport but a new terminal that integrates travel, communication, interaction and entertainment: an extension of cyberspace in the "Internet +" era.

With the first half of the new energy vehicle race, electrification, drawing to a close, the second half, centered on "intelligence", has begun. But as that competition unfolds, the security of the Internet of Vehicles is becoming a prominent problem and a major obstacle standing between car companies and intelligence.

We therefore venture a guess: "security will be one of the important directions of the second half of the competition". In future, automotive safety will not be limited to physical safety; it will include cybersecurity. In other words, smart cars may one day face not only "crash" tests but also "cyber attack" tests, so that users can judge a car's overall safety level more clearly.

At the "2024 TIME DAY Tencent Smart Mobility Technology Open Day" held on April 24, after hearing from industry leaders and well-known figures from China and abroad, this trend seemed to become clearer still.


Below we discuss it from three angles: the user side, the car company side, and global regulation.

First, users have long suffered from privacy leaks from smart cars

To provide intelligent services, smart cars collect far more information and personal data than traditional cars: the owner's driving routes, interests, facial data, photos, audio, and so on. By incomplete count, more than 20 data breaches involving Chinese car companies were reported in 2023, each of which drew wide attention on social platforms.

In April 2024, news that "an in-car camera leaked indecent photos of female car owners" set off heated discussion among users. The car company issued an emergency statement in the early hours of the same day, calling the "leaked photos taken by the car camera" circulating in owner groups and on social media a rumor and promising to "always protect user privacy and information security".

That did not dispel users' worries or quell the heat and impact of the incident, and the damage to the car company's brand and reputation was hard to repair.

Tesla, the representative smart-car brand, has also fallen into the user privacy trap. In 2021 a hacker extracted footage from a Tesla's cabin camera that clearly recorded the movements and postures of the driver and passengers, and even captured the driver's facial features in poor light at night. In 2023 it was reported that over several years Tesla employees had privately shared highly intimate videos and images recorded by many customers' in-car cameras through an internal messaging system, further fueling public concern about the privacy and security of smart cars.

Statistics show that from January to September 2023, 48.172 million cameras were fitted to new cars in China, up 34.1% year on year; of these, more than 2 million were in-cabin cameras pointed at the user's private space inside the car, up more than 90% year on year. Because the car is a relatively private environment, users have a strong demand for privacy protection, and although these ever more numerous in-car cameras are meant to improve the intelligent experience, they are also a pair of "eyes" looking into the user's privacy, leaving car owners uneasy.

As public awareness of privacy protection grows, privacy and security will become a factor in users' decisions to buy a smart car, and one of the focal points of competition among car companies.

Second, smart car manufacturers are paying more and more attention to cybersecurity

Unlike traditional cars, smart cars have entered the era of the software-defined vehicle. As new energy vehicles become more intelligent, the boundary between software and hardware blurs, cybersecurity risk grows dramatically, and attackers' motivation is shifting toward profit, with potentially serious consequences for every party in the ecosystem.

According to the Ministry of Industry and Information Technology's ongoing monitoring, more than 280 malicious attacks on car companies, Internet of Vehicles service providers and related enterprises have been found since 2020. The industry faces such a severe threat situation because, helped along by policy and market demand, it has grown extremely fast in the past two years.

For that reason smart car manufacturers are paying more attention to cybersecurity. But as the industry has raced ahead, cybersecurity has lagged noticeably, especially basic security construction, while the threats facing car companies have multiplied: the software supply chain has more branches and longer links, and the number of people, applications, charging piles and the like keeps growing, so the attack surface exposed by smart cars is expanding rapidly. With one side rising and the other lagging, car companies urgently need to close the security gap.

1. The threat of hacker and network attacks is becoming more severe, and contactless attacks are a reality.

In 2015 two security researchers, Charlie Miller and Chris Valasek, exposed the risks of the connected car by remotely taking control of a Jeep Cherokee while a Wired reporter was driving it at 70 miles per hour on a US highway, cutting its transmission from miles away.

Since then the Tesla Model S and Model X have been hacked many times. In 2022 a relay attack on the Bluetooth Low Energy (BLE) link used by the keyless entry system was made public: the attacker only needs to place one device near the owner's phone (which acts as the key) and another near the vehicle, and can then pose as the owner, open the door and drive off. The hardware and software involved cost only about 1,000 yuan in total and can be bought online, and the mainstream Model 3 and Model Y are among the vehicles affected.
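Why the relay works is worth seeing concretely: the car's challenge-response proves that somebody holds the pairing key, not that the key is nearby, and the attacker's two radios simply forward the frames, so the honest phone produces a perfectly valid answer. The simulation below is an added example, not code from the original article or from any vehicle maker; the class names, the 3 m unlock range, the fixed phone processing time and the 8 ms relay latency are assumptions chosen for illustration. It contrasts an authentication-only check with one that also bounds the round-trip time (distance bounding).

```python
"""Added example: simulated keyless-entry exchange showing that a
challenge-response proves possession of the key but not proximity, and that
only a time-of-flight bound on the round trip catches a relayed response.
All names, timings and the 3 m range are assumptions for the simulation."""
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_S = 299_792_458
PHONE_PROCESSING_NS = 2_000      # assumed constant time the phone spends computing its answer
MAX_UNLOCK_RANGE_M = 3.0         # assumed policy: the door opens only if the phone is within 3 m


def propagation_rtt_ns(distance_m: float) -> float:
    """Round-trip radio propagation time for a one-way distance of `distance_m`."""
    return 2 * distance_m / SPEED_OF_LIGHT_M_PER_S * 1e9


class Phone:
    """The owner's phone acting as the BLE key: answers challenges with an HMAC."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class DirectLink:
    """Genuine link: the phone really is `distance_m` away from the car."""
    def __init__(self, phone: Phone, distance_m: float):
        self.phone, self.distance_m = phone, distance_m

    def exchange(self, challenge: bytes):
        rtt = propagation_rtt_ns(self.distance_m) + PHONE_PROCESSING_NS
        return self.phone.respond(challenge), rtt


class RelayLink:
    """Attacker's relay: one device near the car, one near the distant phone,
    forwarding BLE frames over a long-range link. The phone answers honestly,
    so the response is cryptographically valid; only the timing changes."""
    def __init__(self, phone: Phone, relay_latency_ns: float):
        self.phone, self.relay_latency_ns = phone, relay_latency_ns

    def exchange(self, challenge: bytes):
        rtt = self.relay_latency_ns + PHONE_PROCESSING_NS
        return self.phone.respond(challenge), rtt


class Car:
    def __init__(self, key: bytes, max_range_m: float = MAX_UNLOCK_RANGE_M):
        self.key = key
        # Longest round trip a phone inside the allowed range could produce.
        self.rtt_limit_ns = propagation_rtt_ns(max_range_m) + PHONE_PROCESSING_NS

    def _valid(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def unlock_auth_only(self, link) -> bool:
        """Typical passive-entry check: fresh challenge, correct MAC, done."""
        challenge = os.urandom(16)
        response, _ = link.exchange(challenge)
        return self._valid(challenge, response)

    def unlock_distance_bounded(self, link) -> bool:
        """Same check plus a bound on the round trip (distance bounding)."""
        challenge = os.urandom(16)
        response, rtt_ns = link.exchange(challenge)
        return self._valid(challenge, response) and rtt_ns <= self.rtt_limit_ns


def run_scenarios() -> dict:
    key = os.urandom(32)                       # constructed pairing key shared by car and phone
    car, phone = Car(key), Phone(key)
    nearby = DirectLink(phone, distance_m=1.0)
    # Assumed relay latency of 8 ms: far above propagation over a few metres,
    # but well under any application-layer timeout the car would apply.
    relayed = RelayLink(phone, relay_latency_ns=8_000_000)
    return {
        "direct_auth_only": car.unlock_auth_only(nearby),
        "direct_bounded": car.unlock_distance_bounded(nearby),
        "relay_auth_only": car.unlock_auth_only(relayed),        # the attack succeeds
        "relay_bounded": car.unlock_distance_bounded(relayed),   # relay caught by timing
    }


if __name__ == "__main__":
    for name, opened in run_scenarios().items():
        print(f"{name:18s} door opened: {opened}")
```

The caveat a practitioner should take from this: a standard BLE stack cannot timestamp frames to the nanosecond, so the bound in `unlock_distance_bounded` cannot be enforced over BLE itself, which is exactly why a link-layer relay defeats latency heuristics added at the application layer. Proximity has to come from a channel built for ranging (UWB time-of-flight) or from the user's explicit action, not from the mere presence of an authenticated BLE session.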

At the Pwn2Own Automotive contest held in January 2024, many contestants demonstrated how to break into smart-car systems. The Synacktiv team in particular won $450,000 in prize money for two successful attacks on Tesla components, gaining root privileges and demonstrating a sandbox escape in Tesla's infotainment system.

In response to the increasingly severe cyber attacks of the current stage, Zeng Jie, senior manager at Tencent Cloud Security, said in an interview that Tencent Keen Security Lab (Cohen Lab) had already achieved remote compromise of smart cars as early as 2016, including mainstream brands such as Tesla, BMW and Mercedes-Benz. It is worth noting that hackers' attacks on smart cars have evolved from simple actions into systematic attack chains, and their harm and impact will far exceed what car companies and users imagine.

To this end, Tencent Security has built an intelligent connected-vehicle security system covering security governance, protection, monitoring and operation, with device-cloud integration, to assess the risk of a vehicle's connected architecture, identify potential security risks, and set out corresponding security requirements and design specifications to safeguard the overall security of smart cars.

2. Smart cars collect and generate ever more data, and the pressure on data security is increasing.

Smart cars collect information and data continuously from the moment they are delivered to the user. With the start of the second half of the competition, the data generated by the car as an intelligent terminal, the fuel of "intelligence", has grown exponentially.

For example, the explosive growth of smart car applications generates large amounts of data, and the interaction and communication between vehicle and vehicle, vehicle and person, vehicle and road, and vehicle and cloud all involve data collection and circulation. According to Precedence Research, the global automotive data market will grow from $2.19 billion in 2022 to $14.29 billion in 2032, and many types of data are collected, including:

Autonomous driving: data from L1 to L5, including data collected from the many sensors installed on the vehicle.

Infrastructure: remote monitoring, OTA updates and remote control data from the control center, as well as V2X and traffic patterns.

Infotainment: how customers use an app, such as voice control, gestures, maps and parking.

Connected services: payments to third-party parking apps, accident information, dashcams, handheld devices, mobile apps and driver behavior monitoring.

Vehicle health: repair and maintenance records, insurance coverage, fuel consumption, telematics, etc.

Industry estimates suggest that within 10 years the storage per car will swell to more than 2 TB, because some data will have to be retained for months or even years. As the second largest terminal after the smartphone, the car's intelligent development depends on the support of large amounts of data, and it also faces extremely high data security risk.

Li Bin, head of Tencent's data security products, pointed out in the interview that the full data-flow chain for smart cars is relatively complex, involving many data types, large volumes, long processing chains and many data subjects, which makes data security protection complex and difficult.

Given the complexity of data security in the smart car era, Tencent has worked with partners to build an autonomous driving cloud platform and introduced Tencent's autonomous driving cloud compliance service, to secure data across the life cycle of collection, upload, processing and application and to meet compliance requirements during autonomous driving R&D.

3. Complex supply chain risk and vulnerability management.

In the development of smart cars, vehicle hardware and software are being decoupled, producing a fragmented and complex supply chain, while OEMs sit at the center of system integration and face a sharp rise in software supply chain security risk.

OEMs can improve the transparency and traceability of their software supply chain with a software bill of materials (SBOM), so as to address supply chain security and vulnerability governance faster. But because smart cars receive frequent OTA updates, the SBOM is constantly changing, which raises the OEM's risk control and response burden: every update can add, remove or replace components, so the SBOM must be regenerated and re-checked against known vulnerabilities for each release rather than once at start of production.
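What "re-checking per release" looks like in practice is an SBOM diff followed by a fresh advisory match. The script below is an added example and not code from the original article or from any OEM's toolchain; the two SBOMs (a fleet image before and after an OTA update), the component names, the versions and the advisory identifiers are all constructed for the example, and the version comparison is a simplified dotted-integer scheme rather than a full semantic-versioning implementation.

```python
"""Added example: diff two constructed SBOMs (before and after an OTA update)
and re-match the result against a constructed advisory list, so that an update
which fixes one known-vulnerable component but ships another is visible.
Component names, versions and advisory IDs are made up for the example."""

# Constructed, CycloneDX-style minimal SBOMs: component name -> version.
SBOM_BEFORE_OTA = {
    "ivi-browser-engine": "1.4.2",
    "tls-lib": "3.0.8",
    "can-gateway-fw": "2.1.0",
    "voice-assistant-sdk": "5.2.0",
}
SBOM_AFTER_OTA = {
    "ivi-browser-engine": "1.5.0",   # bumped by the update
    "tls-lib": "3.0.8",              # untouched
    "can-gateway-fw": "2.1.0",
    "media-codec": "0.9.1",          # new component pulled in by the update
}                                    # voice-assistant-sdk dropped

# Constructed advisories; "affected" is a half-open [min, max) version range.
ADVISORIES = [
    {"id": "ADV-0001", "component": "tls-lib", "affected": ("3.0.0", "3.0.9")},
    {"id": "ADV-0002", "component": "media-codec", "affected": ("0.9.0", "1.0.0")},
    {"id": "ADV-0003", "component": "ivi-browser-engine", "affected": ("1.0.0", "1.5.0")},
]


def parse_version(version: str) -> tuple:
    """Simplified dotted-integer version key; real SBOM tooling needs the
    component's own versioning scheme (semver, PEP 440, vendor strings)."""
    return tuple(int(part) for part in version.split("."))


def sbom_diff(old: dict, new: dict) -> dict:
    """Components added, removed, or changed in version between two SBOMs."""
    added = {n: new[n] for n in new.keys() - old.keys()}
    removed = {n: old[n] for n in old.keys() - new.keys()}
    changed = {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
    return {"added": added, "removed": removed, "changed": changed}


def match_advisories(sbom: dict, advisories: list) -> list:
    """(advisory id, component, shipped version) for every affected component."""
    hits = []
    for adv in advisories:
        shipped = sbom.get(adv["component"])
        if shipped is None:
            continue
        low, high = (parse_version(v) for v in adv["affected"])
        if low <= parse_version(shipped) < high:
            hits.append((adv["id"], adv["component"], shipped))
    return sorted(hits)


def ota_risk_report(old: dict, new: dict, advisories: list) -> dict:
    """Which known issues an OTA release fixed, introduced, or left open."""
    before = set(match_advisories(old, advisories))
    after = set(match_advisories(new, advisories))
    return {
        "diff": sbom_diff(old, new),
        "fixed": sorted(before - after),
        "introduced": sorted(after - before),
        "still_open": sorted(before & after),
    }


if __name__ == "__main__":
    report = ota_risk_report(SBOM_BEFORE_OTA, SBOM_AFTER_OTA, ADVISORIES)
    for key in ("fixed", "introduced", "still_open"):
        print(f"{key:11s}: {report[key]}")
    print("removed   :", report["diff"]["removed"])
```

Run against the constructed data, the report shows the update closing the browser-engine advisory, leaving the TLS library exposed, and introducing a vulnerable codec that was not in the previous SBOM at all; the removed voice SDK is also listed, since a component silently dropped from an image is itself something the OEM should have approved. The same three buckets (fixed, introduced, still open) are what a release gate would block on.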

In addition, the Internet of Vehicles is not just the vehicle itself; it also involves the security of the intelligent vehicle supply chain, such as third-party intelligent applications, charging infrastructure and cloud platforms, which further increases the potential security risk in the software supply chain and the vulnerabilities that may be exposed to the Internet. By exploiting vulnerabilities in components recorded in the SBOM, attackers can gain unauthorized access to critical functions and control mechanisms across the vehicle, posing a significant threat to the vehicle's cybersecurity posture.

It should also be stressed that APIs, as the connective tissue of the software supply chain, are also a point of entry for attackers to launch large-scale attacks. Smart cars rely on a variety of API interfaces to load a growing number of applications and services, from OEM mobile apps, infotainment systems and dealer systems to aftermarket mobile IoT devices and EV charging management and billing applications, all of which depend heavily on APIs for their core functions. As these APIs are called more and more often, the security debt in them accumulates too.
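The failure that turns a vehicle API into a large-scale attack is rarely broken authentication; it is an authenticated caller being allowed to name any vehicle. The handler pair below is an added example, not code from the original article or from any OEM's backend: the token format (an HMAC-signed JSON payload, standing in for a JWT), the VINs, the account names and the ownership table are constructed, and the hypothetical `unlock` endpoint exists only for illustration. The vulnerable handler checks the token and then trusts the VIN in the request; the hardened one also checks object-level authorization.

```python
"""Added example: a simulated vehicle-command API showing the object-level
authorization gap that lets one owner's valid token act on another owner's
car, beside the hardened handler. Token format, VINs, account names and the
ownership table are all constructed for the example."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SERVER_SECRET = secrets.token_bytes(32)     # constructed signing key for session tokens

# Constructed ownership table: which account is entitled to which vehicle.
OWNERSHIP = {"VIN-ALICE-001": "alice", "VIN-BOB-002": "bob"}


def issue_token(user_id: str) -> str:
    """Mint a signed session token: base64(payload).base64(hmac)."""
    payload = json.dumps({"sub": user_id}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str):
    """Return the authenticated user id, or None if the token is invalid."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)["sub"]


def unlock_vulnerable(token: str, vin: str):
    """Authenticates the caller, then trusts whatever VIN the request names."""
    user = verify_token(token)
    if user is None:
        return 401, "invalid token"
    if vin not in OWNERSHIP:
        return 404, "unknown vehicle"
    return 200, f"unlock sent to {vin} on behalf of {user}"


def unlock_hardened(token: str, vin: str):
    """Same endpoint with object-level authorization on the VIN."""
    user = verify_token(token)
    if user is None:
        return 401, "invalid token"
    # The vehicle must belong to the authenticated account. Answering 404 for
    # both unknown and foreign VINs avoids confirming that a VIN exists.
    if OWNERSHIP.get(vin) != user:
        return 404, "unknown vehicle"
    return 200, f"unlock sent to {vin} on behalf of {user}"


def demo() -> dict:
    """Bob, a legitimate customer, targets Alice's car with his own valid token."""
    bob = issue_token("bob")
    # A forged token: Alice's payload spliced onto Bob's signature.
    forged = issue_token("alice").split(".")[0] + "." + bob.split(".")[1]
    return {
        "vulnerable": unlock_vulnerable(bob, "VIN-ALICE-001")[0],   # 200: attack works
        "hardened": unlock_hardened(bob, "VIN-ALICE-001")[0],       # 404: rejected
        "own_car": unlock_hardened(bob, "VIN-BOB-002")[0],          # 200: legitimate
        "forged": unlock_hardened(forged, "VIN-ALICE-001")[0],      # 401: bad signature
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:10s} -> HTTP {status}")
```

Note that the cryptography is identical in both handlers and is not the weak point; the forged token fails in both. The ownership check is the whole difference, and it is the check that has to exist on every object-addressing endpoint (unlock, locate, start, charging session, dealer lookup), because an attacker who can enumerate VINs from one unauthorized endpoint will try every other one.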

Correspondingly, OEMs lack effective measures for smart vehicle software supply chain security and vulnerability governance, such as the ability to:

Identify and address vulnerabilities in software and hardware components promptly and proactively;

Continuously assess and manage software supply chain risks to ensure component integrity and security;

Quickly detect cybersecurity risks and attacks and respond to and mitigate them effectively.

On complex software supply chain management and vulnerability management, Liu Dengfeng, head of Zero Trust products at Tencent, pointed out in the interview that the most common problems car companies meet when building a security protection system are on the endpoint side, the cloud side and the in-vehicle system side, and that these problems may be solved through the concept and framework of zero trust.

First, whether it is an employee of the car company or a third-party supplier, endpoint security, channel security, link security and application security all need to be considered when accessing applications inside the car company.

Second, for the car company's access process, the software supply chain level needs to be considered in order to shift software development security left.

By building an end-to-end access control system, data protection and a security shift-left, the common security issues faced by car companies can be closed off.

Third, the foundation for smart car security testing is already in place

In summary, OEMs do not seem fully prepared for the cyberattack threats, data security and compliance demands, and complex software supply chain security and vulnerability governance described above, which is why security incidents keep recurring.

According to a report released by Upstream, attacks on OEMs and their ecosystems are increasing rapidly and introducing new attack vectors and methods; even as OEMs keep improving their cybersecurity protection, they are still stretched thin. Between 2019 and 2023 the average number of OEM security incidents publicly disclosed (in the media) grew by more than 50%, reaching several hundred in 2023.

According to China Automotive data, the CFID vulnerability database had recorded a total of 2,945 security vulnerabilities by the end of 2022, involving more than 1,000 models and covering on-board hardware, software, networks and services, including vehicle control systems, infotainment systems, remote control systems and Internet of Vehicles platforms.

Seen this way, the competition among smart cars in cybersecurity has only just begun. The world's ever-improving cybersecurity regulations for smart cars are also pushing the industry to pick up the pace of "competing on security". In fact, to better handle the cybersecurity threats facing ICVs, China has issued a series of ICV cybersecurity policies, laws, regulations and industry standards on the basis of higher-level laws such as the Cybersecurity Law and the Data Security Law.

For example, in March 2022 the Ministry of Industry and Information Technology issued the "Guidelines for the Construction of the Internet of Vehicles Cybersecurity and Data Security Standard System", proposing that a cybersecurity and data security standard system for the Internet of Vehicles be initially built by the end of 2023 and a relatively complete one formed by 2025.

In addition, China has successively issued regulations and standards such as the "Several Provisions on Automotive Data Security Management", "Information Security Technology: Security Requirements for Automotive Data Processing", "General Technical Requirements for Automotive Information Security" and "Technical Requirements for Vehicle Information Security", gradually forming a security framework for smart cars.

Other countries are also enacting cybersecurity regulations. For instance, in November 2023 India proposed a mandatory security framework for vehicle manufacturers called "CyberShield". The plan, backed by the Minister of Road Transport, aims to strengthen the protection of vehicle systems against cyber vulnerabilities and extends to the protection of electric vehicle charging stations.

In August 2023 the California Privacy Protection Agency (CPPA) launched an enforcement review of the vast amounts of data collected from connected vehicles through built-in apps, sensors and cameras, aiming to ensure transparency from original equipment manufacturers (OEMs) and protect consumers' data rights.

Fourth, a score for smart car security?

The increasingly complete cybersecurity policy and regulatory system has laid a solid foundation for the development of the smart car industry and also provides the underlying logic for security scoring of smart cars. So how should risk assessment and security level determination be carried out?

Zeng Jie, senior security manager at Tencent Cloud, said that Tencent already has the basis for scoring smart cars. Tencent Security has found that end-to-end prevention and control can be carried out through different product modules in the cloud, and the overall security of a smart car can be scored in the course of that prevention and control.

For example, a web application firewall deployed in the cloud can sort and score the common threat intelligence in the industry, and as long as the car company enables the cloud security control center, it can naturally inventory its assets and score its existing security posture. The same is true on the vehicle side, where even the development environment can be scored.

In other words, from a technical point of view, relying on Tencent Security's large threat intelligence system, scoring smart-car cybersecurity the way a "crash test" does is already achievable; what is missing is more official third-party evaluation agencies and the industry regulations and standards issued by the state.

In general: on the user side, tolerance for privacy leaks is falling and, as with smartphones, privacy protection will become a new selling point; on the car company side, contactless network attacks that take control of vehicles have already been demonstrated, data compliance pressure is rising and the Internet-exposed attack surface is expanding, so the cybersecurity capability of smart cars urgently needs to improve; on the policy side, data security and vehicle cybersecurity regulations are constantly improving and compliance requirements are becoming stricter.

The second half of the intelligent new energy vehicle race has kicked off, and "security will be one of the important directions". So in cybersecurity, how should smart car manufacturers outpace their peers? Relying entirely on the car companies themselves is clearly not cost-effective; finding a "Bosch" of the cybersecurity industry and letting professionals do professional work is undoubtedly the better choice.
