Driving the vSOC with Splunk

In 2022, a German security researcher disclosed that he had gained remote control of over 25 electric vehicles. In doing so, he was able to access numerous onboard features of these vehicles, such as querying the vehicle location, disabling security features, unlocking doors, and starting the engine. The security flaw that allowed this break-in was not in the vehicle's own systems; it was introduced by an open source companion application. Using a self-hosted web dashboard, this app lets hobbyists remotely monitor their vehicles after entering a valid API key. Hundreds of these dashboards were left exposed to the internet with insecure configurations, allowing actors to obtain access, extract API keys, and retain remote control.

This example is in no way an isolated incident in an exploding market of increasingly connected and software-defined vehicles. Constantly connected through Wi-Fi and cellular technology, these cars become targets for threat actors. The political, financial, and reputational risks grow exponentially as manufacturers become exposed to these threats. Manufacturers must ensure vehicle system safety to prevent accidents, personal harm, vehicle mis-operation, or other compromises. As a result, the Vehicle Security Operation Center (vSOC) has rapidly emerged. With Splunk's mission of digital resilience, we are partnering with manufacturers to accelerate this transformation and enable the vSOC.

Digital Horsepower

Premium vehicles today are as much advanced connected computer systems as engines and wheels. These software-defined vehicles contain over a hundred million lines of code distributed among electronic control units (ECUs), sensors, cameras, radar, and lidar devices. On top of this, onboard infotainment systems are powered by advanced APUs or GPUs, featuring up to 10 teraflops of compute horsepower. All of this together allows vehicle manufacturers to differentiate based on the digital experience they provide.

Ultimately, software-defined vehicles are the most complex software platforms that consumers are likely to purchase. As a result, they expose a diverse range of potential attack vectors. API attacks such as the example above grew by 380% in 2022, representing 12% of known attacks. Unlike our previous example, most attacks are carried out by black hat actors.



Where the Rubber Meets the Road

So where does Splunk fit in this picture? Manufacturers typically start by building their vehicle application environment in the cloud using a cloud services provider. This allows for communication with and control of millions of vehicles in motion. To help monitor and secure this environment, numerous cloud-native logs are transmitted to Splunk Cloud for detection and response. Additionally, telemetry from vehicle onboard systems is collected, sometimes by a third party, with logs eventually landing in Splunk for analysis. This gives Splunk a comprehensive view of risk to both the physical assets and the cloud application environments.



Finally, there is a large ecosystem of third-party services that provide anything from navigation to streaming media directly to the vehicle. Considering there are several examples of remote access to vehicles being gained through these services, Splunk will monitor for signals of compromise via vehicle telemetry.

Driving vSOC Use Cases

Now it's time to get in the driver's seat and solve several important vSOC use cases. Splunk Enterprise Security comes with over a thousand out-of-the-box detections relevant to cloud and endpoint security. And the power of the Splunk platform is the ability to create any use case, from any data, at massive scale. In a nascent vSOC market, you will no doubt be a pioneer. Although the potential is limitless, here are a few examples of use cases that Splunk can drive:

  • Utilize machine learning to dynamically monitor for anomalies in the cloud application environment, including spikes in API requests, ACL activity, security group activity, bucket deletion, etc.
  • Detect potential threat activity against the vehicle's PKI system by monitoring for malicious hashes in certificate communication
  • Utilize behavioral anomalies such as "first-time" detections for access to onboard or cloud systems
  • Automate the ingestion of domain-specific threat intelligence, such as the emerging Auto-ISAC, to detect malicious activity
  • Detect attempts to use vehicle-related mobile apps from a rooted or jailbroken phone
  • Detect remote vehicle operations (e.g. remote unlock) that occur from a location not aligned with the user's mobile device location
  • Monitor for tampering or unauthorized firmware updates to onboard systems

Finally, there is a key lesson learned in security that can be applied here. To have deep visibility, you must embrace detections across all attack vectors and data from multiple sources. This means you will undoubtedly have more signals than the human eye can handle. A risk-centric approach, utilizing Splunk's Risk Based Alerting capability, allows you to correlate multiple signals into a single high-fidelity story. This lets you cut through the noise and get your vSOC program off to the races.
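As an added illustration of two of the use cases above (the remote-operation location mismatch and the risk-based correlation of several signals into one story), here is example code that is not part of the original post or of Splunk's product. It runs over constructed sample events; the VINs, coordinates, the 50 km tolerance and the risk weights are all assumptions, and a missing phone location is treated as a signal in its own right because the request cannot be corroborated.

```python
import math
from collections import defaultdict

# Constructed sample data (not real telemetry): remote operations seen by the backend,
# and the last reported location of the owner's mobile app, keyed by VIN.
VEHICLE_EVENTS = [
    {"vin": "VIN-A", "op": "remote_unlock", "lat": 48.14, "lon": 11.58},
    {"vin": "VIN-B", "op": "remote_unlock", "lat": 52.52, "lon": 13.41},
    {"vin": "VIN-B", "op": "remote_start",  "lat": 52.52, "lon": 13.41},
]
APP_LOCATIONS = {"VIN-A": (48.13, 11.57), "VIN-B": (40.71, -74.01)}
# Hypothetical weights in the spirit of risk-based alerting; tune per environment.
RISK_WEIGHTS = {"location_mismatch": 40, "rooted_device": 30, "first_time_access": 20}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def location_mismatches(events, app_locations, max_km=50.0):
    """Flag remote operations issued while the owner's phone is far from the car.
    A missing app location is itself a signal (nothing to corroborate the request)."""
    signals = []
    for ev in events:
        loc = app_locations.get(ev["vin"])
        if loc is None:
            signals.append({"vin": ev["vin"], "signal": "location_mismatch", "km": None})
            continue
        km = haversine_km(ev["lat"], ev["lon"], *loc)
        if km > max_km:
            signals.append({"vin": ev["vin"], "signal": "location_mismatch", "km": round(km)})
    return signals

def risk_scores(signals, weights=RISK_WEIGHTS):
    """Sum weighted signals per vehicle so one story is raised instead of many alerts."""
    scores = defaultdict(int)
    for s in signals:
        scores[s["vin"]] += weights.get(s["signal"], 0)
    return dict(scores)

def vehicles_over_threshold(signals, threshold=60, weights=RISK_WEIGHTS):
    """Vehicles whose aggregate risk crosses the alerting threshold."""
    return sorted(v for v, sc in risk_scores(signals, weights).items() if sc >= threshold)

if __name__ == "__main__":
    found = location_mismatches(VEHICLE_EVENTS, APP_LOCATIONS)
    print(found, vehicles_over_threshold(found))
```

In the sample data only VIN-B is flagged: its two remote operations were issued from Berlin while the owner's phone last reported from New York, and the two 40-point signals together cross the 60-point threshold.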

Ready to learn more? Check out how Splunk helps organizations build digital resilience or get in touch with us today!

Posted by Jim Goodrich

Jim Goodrich is a Senior SE Manager working for Splunk. Over his 20 years of experience in the technology industry, he has held a variety of roles including IT architecture, pre-sales engineering, product management, and enablement. He combines his passion for technology with a genuine goal of helping his customers succeed.
