Threat of cyber attacks on connected vehicles – insights from cybercriminals’ underground forums

September 11, 2023

Automotive suppliers still have time to arm themselves and their customers against potential digital attacks

Technological improvements in vehicle automation and connectivity have contributed to the rapid development of new smart features in connected cars. Connected cars have thus become prolific data generators: Starting with data on geolocation, speed, acceleration, engine performance, fuel efficiency and other operational parameters. According to a report by the consulting firm McKinsey, a connected car processes up to 25 gigabytes of data per hour. Due to the enormous amount of data collected and the fact that they are constantly connected to the internet and use so many apps and services such as over-the-air software updates, vehicles can now be described as “smartphones on wheels”.

These facts make vehicles an increasingly attractive target for complex cyber attacks. In this paper, experts from automotive cybersecurity provider VicOne and its parent company Trend Micro look at statements made in global underground forums used by criminals. They analyse what these say about current cybercrime against connected vehicles as well as potential future threats. The experts explore what automotive manufacturers and suppliers worldwide should be doing today to prepare for the inevitable transition from today’s manual hacks for the purpose of vehicle modification, to tomorrow’s much more dangerous cyber attacks.

Current and future attacks on connected vehicles

For some time now, security researchers have been engaging in creative attacks on or proof-of-concept exploits for connected vehicles in forums, and there are early reports of such crimes, such as a car theft in July 2022 that was enabled by a technique known as CAN injection. But the only “attacks” on connected vehicles discussed in underground forums seem to fall under the category of vehicle modification (“car modding”). In this case, the perpetrators hack embedded vehicle functions, for example to activate functions that are supposed to be chargeable (such as heated seats) or to artificially reduce the mileage. While these manipulations reduce the profits of automotive original equipment manufacturers (OEMs), they do not actually target users of connected cars, so it is unclear whether modding activities can be classified as “cyber attacks” at all.

Currently, if a conventional (non-connected) car is stolen, criminals have the following options:

  • Resale of the car in the country itself. In industrialised countries, however, this hardly ever happens, as the vehicles can be easily traced and the perpetrators thus threatened with arrest.
  • Exporting the car to another country.
  • Dismantling the car and selling the spare parts.
  • Using the car for criminal offences, e.g. as a getaway or ramming vehicle for robberies or for transporting drugs.

When stealing a networked car, the possibilities are quite different:

  • Networked cars are constantly online, which means they are easily trackable. Stolen connected cars have a high recovery rate, such as Tesla with a recovery rate of almost 98% . So, thieves of connected cars have a hard time finding buyers for a stolen vehicle because law enforcement can locate it quickly. Should the criminals manage to take the car offline – which is not easy, but theoretically feasible – the chances of resale are also slim, as buyers cannot access certain features.
  • Connected cars require the creation of individual user accounts to manage their online functions. By accessing these user accounts, attackers could gain partial control over the vehicles and would have the ability, for example, to unlock the doors or start the engines remotely. This scenario opens up new possibilities of abuse for criminals, such as appropriating the user identity and buying and selling user accounts, including possible sensitive data.
  • By gaining unauthorised access to a vehicle user account, cybercriminals could also locate and open a car, steal valuables, find out the owner’s home address and learn when the owner is not present. To make the best use of this information and expand their illicit business, they can collaborate with traditional criminal gangs in the process, as in the infamous Carbanak and Cobalt malware attacks that targeted more than a hundred establishments worldwide and netted the gang network more than a billion euros.

The cybercriminal underground market for networked car data

As part of their research, the experts at VicOne and its parent company Trend Micro examined underground cybercriminal forums with regard to attacks on OEMs. So far, they have only found cases of compromised automotive networks and the sale of VPN access. So currently, the forum discussions only show typical approaches to monetising IT resources that are unrelated to the data collected and retained by OEMs on connected vehicles. This suggests that cybercriminals have not yet recognised the value of connected vehicle data or an identifiable market demand for such data.

However, it is likely that this phase will not last long and that connected car data will become very valuable when third-party providers start to use vehicle data on a large scale. For example, if a bank uses vehicle data to determine the terms of a loan extension or the value of a vehicle, this information will take on a new value and the ecosystem of connected car data will expand significantly. Cybercriminals should be able to notice this very quickly, and probably quickly try to capitalise on this material. All the pieces of the puzzle and the technologies to exploit them are already on their way. It is only a matter of time before criminals discover this lucrative field of activity for themselves and begin their illegal activities.

Data protection for users of connected cars

Criminalists often refer to the so-called “crime triangle” when investigating crimes, which states that there must usually be a motive, a justification and an opportunity for a crime. Currently, users of connected cars are not yet the target of cybercriminals, as they do not yet make up the majority of the total car market. But their numbers are growing steadily, and the opportunities to exploit connected cars already exist. Cybercriminals already know how to skilfully and successfully use methods such as phishing, information theft and keylogging in other areas. Cybercrime against connected cars will increase as cybercriminals figure out how to profitably exploit existing vulnerabilities.

Currently, the biggest security risk lies in protecting the data of connected car users rather than the cars themselves. However, this could change in the next three to five years as the connected car ecosystem inevitably expands.

For original equipment manufacturers and cybersecurity experts, this means that securing data from connected vehicles is of paramount importance, even at this early stage, especially given that typical industry development cycles are three to five years or more. One way to do this is to implement multi-factor authentication on connected vehicle user accounts to provide an additional layer of protection.

As mentioned earlier, cybercriminals have many ways to gain access to vehicle user data. These include using malicious in-vehicle infotainment (IVI) apps and exploiting insecure IVI apps and network connections. OEMs can use smart cockpit protection solutions to detect and block malicious apps in time. In addition, attackers can use unsecured browsers to steal private data. As a protective measure, connected car users can opt for smart cockpit protection solutions that regularly scan for vulnerabilities in web browsers and warn users in time to avoid accessing malicious websites.


OEMs and their suppliers, weighing how to invest their budgets in the face of many competing priorities in the automotive industry, may be inclined to curb their investments in combating cyber threats that have been relatively simple and not particularly damaging. However, an analysis of criminal messaging on underground forums shows that the stage is set for multi-layered, widespread attacks in the coming years. For the automotive industry, with its usual development cycles of three to five years or more, this means that it is already time to set up cybersecurity capabilities with foresight.

Author: Rainer Vosseler, Manager, Threat Research at VicOne

Related Articles

Mobile Road Blocker M30 from Hörmann

Mobile Road Blocker M30 from Hörmann

Flexible and certified protection for events Public festivals, music events or Christmas markets - open-air events require appropriate security concepts to provide the best possible protection for the people on site. An important part of this concerns the protection...

Share This