By Ling Cheng (Senior Product Marketing Manager)
In the first installment of our two-part series of blog entries, we discuss the benefits that the software bill of materials (SBOM) can bring to the software-defined vehicle (SDV) ecosystem. In this blog entry, the second installment, we take a look at how taking advantage of the SBOM can significantly enhance software supply chain security.
As connected vehicles increasingly rely on complex software systems, industry reports predict the share of software components in their overall structure to go up from 10% at present to 40% in the future. This expected increase in software share will lead to a corresponding rise in potential vulnerabilities that malicious actors could exploit.
In line with this, the automotive industry has witnessed a surge in the adoption of the SBOM in recent years, with some countries and regions actively contemplating its inclusion as a regulatory mandate. This development underscores the critical role of the SBOM as a fundamental requirement for conducting vulnerability analysis in the automotive industry.
Addressing software vulnerabilities, therefore, has become more important in the automotive industry, given how dire the consequences of security breaches can be. There is urgency in proactively tackling software vulnerabilities in vehicles to ensure the safety of drivers and passengers, which is a precondition for the ecosystem to thrive.
Uncovering hidden risks in the automotive industry
The following examples show how overlooked vulnerabilities can lead to safety issues:
- Denial-of-service (DoS) attack to crash an in-vehicle infotainment (IVI) system: A vulnerability, designated as CVE-2023-34733, in Volkswagen Discover Media Infotainment System Software could allow an attacker to use a USB device with a malicious media file to perform a DoS attack on an unpatched system. Even if one unplugs the USB device or turns off the car, the IVI system will not return to normal. If the breach persists, the attack could proceed to execute arbitrary code that displays a distracting pop-up message on the vehicle screen to scare the driver, potentially endangering their safety.
- Vulnerability exploitation to control an IVI system without credentials: A vulnerability assigned as CVE-2022-24595 was identified in Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5. Attackers could exploit this vulnerability to access an IVI system over a Wi-Fi connection, potentially enabling them to switch the advanced driver assistance system (ADAS) on or off or to steal video files stored in the IVI system. Malicious actors need neither user credentials nor user interaction to perform this attack.
- Vulnerability exploitation to manipulate vehicle functions: Attackers could create rogue Wi-Fi hotspots to obtain DHCP (Dynamic Host Configuration Protocol) information, then exploit a stack overflow vulnerability and a privilege escalation vulnerability to gain remote control of Tesla’s infotainment system and manipulate vehicle functions through the CAN bus, such as the door and trunk functions. Malicious actors exploited CVE-2021-26675 and CVE-2021-26676 for this attack.
The automotive supply chain, which encompasses an extensive network of more than 20,000 suppliers, adds another layer of complexity to the security challenge. Each link in the supply chain represents a potential entry point for cyberattacks. Identifying and managing vulnerabilities in this intricate ecosystem is a concern that requires immediate attention.
The laborious task of tackling current automotive software vulnerabilities
How does the automotive industry handle cyber risks at present? When vulnerabilities emerge, the product security team initiates the process by gathering vulnerability information and assessing the potential impact on the organization’s systems. The team then employs existing vulnerability scan tools to identify products that use the affected source code. However, because of the lack of an SBOM, manual inspection becomes necessary not only to determine the extent of impact for each vulnerability but also to trace which customers are affected by these products.
As a result, this approach demands substantial time and manpower. Also, when multiple vulnerabilities arise from different manufacturers, prioritizing resource allocation becomes an even more challenging task. In such a complex scenario, how can organizations efficiently manage the workload?
To cope with these challenges, a growing number of organizations have been pursuing the adoption of an automated system that works around the clock and can provide updates on their security stance and a comprehensive knowledge of vulnerabilities within the product ecosystem. The SBOM has emerged as the most promising solution among available options at present.
Letting SBOMs help manage risks automatically
SBOMs provide transparency, enabling swift identification of affected components for targeted incident response and efficient mitigation. Automating SBOM generation and validation helps achieve supply chain security by gaining full visibility into vulnerabilities during development and deployment.
Here are two approaches that organizations can integrate into their workflow:
- Integrate SBOM workflows as part of the modern software development life cycle. This approach directly integrates with continuous integration and continuous deployment (CI/CD) processes, utilizing SBOM data and assessments to ensure swift detection and mitigation of potential threats. VicOne’s vulnerability management platform, xZETA, facilitates this process seamlessly by integrating it into the CI/CD workflow. xZETA automatically extracts the SBOM and context information from open-source code after the build. The platform then conducts a vulnerability scan and promptly notifies engineers of any detected vulnerabilities.
Figure 1. Integrating xZETA as part of the software development life cycle
- Implement SBOM generation and continuous vulnerability monitoring across the V-model for automotive software development. This approach is suitable for organizations that use a linear and sequential methodology such as the V-model. In the V-model of automotive manufacturing, the stages that require software vulnerability scanning are:
  - Design phase: Conduct vulnerability scans during software development to identify and rectify potential weaknesses early in the process.
  - Implementation phase: Perform vulnerability scans during the integration of software components to ensure a secure and robust system.
  - Verification phase: Scan continuously for vulnerabilities during testing and validation to detect and address security issues before deployment.
  - Production phase: Conduct thorough vulnerability scans prior to deployment to ensure the software is free from known security risks.
  - Post-production phase: Conduct vulnerability scans regularly throughout the vehicle’s life cycle to address new threats and maintain a secure software environment.
Figure 2. Integrating xZETA into the V-model for automotive software development
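To make concrete what the manual process described earlier costs and what an SBOM-driven workflow automates, here is an added worked example. It is not xZETA or any VicOne code, and it uses only constructed data: two CycloneDX-style SBOM fragments for hypothetical IVI firmware builds, a small vulnerability feed with placeholder identifiers (not real CVEs) and made-up version ranges, and a constructed product-to-customer mapping. It scans each SBOM against the feed, traces every finding back to the products and customers that ship an affected build, ranks the findings for triage, and applies a severity threshold of the kind a CI/CD gate would enforce before notifying engineers. Real tooling matches on package URLs and CPEs with vendor-specific version schemes; the dotted-integer version comparison here is a simplification.

```python
"""Added example (not VicOne's xZETA): SBOM-driven vulnerability triage.

All SBOM contents, vulnerability identifiers, version ranges, product names
and customer names below are constructed sample data."""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed CycloneDX-style SBOM fragments (only the fields used here).
SBOM_IVI_32 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libmedia", "version": "2.3.0", "purl": "pkg:generic/libmedia@2.3.0"},
        {"type": "library", "name": "dhcp-client", "version": "1.8.2", "purl": "pkg:generic/dhcp-client@1.8.2"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    ],
})
SBOM_IVI_34 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libmedia", "version": "2.4.1", "purl": "pkg:generic/libmedia@2.4.1"},
        {"type": "library", "name": "dhcp-client", "version": "1.9.0", "purl": "pkg:generic/dhcp-client@1.9.0"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    ],
})

# Constructed vulnerability feed: affected range is [introduced, fixed).
# The CVE-0000-* ids are placeholders, not real advisories.
VULN_FEED = [
    {"id": "CVE-0000-0001", "name": "libmedia", "introduced": "2.0.0", "fixed": "2.4.1", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "name": "dhcp-client", "introduced": "1.0.0", "fixed": "1.9.0", "severity": "CRITICAL"},
    {"id": "CVE-0000-0003", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12", "severity": "MEDIUM"},
]

# Constructed mapping of shipped firmware builds to the customers that received them.
# Without an SBOM per build, this is the link a security team has to trace by hand.
PRODUCTS = {
    "ivi-fw-3.2": {"sbom": SBOM_IVI_32, "customers": ["oem-alpha", "oem-beta"]},
    "ivi-fw-3.4": {"sbom": SBOM_IVI_34, "customers": ["oem-gamma"]},
}


def parse_version(v):
    """Simplified dotted-integer version parsing (real matchers handle semver/CPE)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """True if version lies in the half-open affected range [introduced, fixed)."""
    pv = parse_version(version)
    return parse_version(introduced) <= pv < parse_version(fixed)


def scan_sbom(sbom_json, feed):
    """Return one finding per (component, vulnerability) match in a single SBOM."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        for vuln in feed:
            if comp["name"] == vuln["name"] and is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({"id": vuln["id"], "component": comp["name"], "version": comp["version"],
                                 "severity": vuln["severity"], "fixed": vuln["fixed"]})
    return findings


def trace_impact(products, feed):
    """Map each vulnerability id to the products and customers shipping an affected build."""
    impact = {}
    for product, info in products.items():
        for f in scan_sbom(info["sbom"], feed):
            entry = impact.setdefault(f["id"], {"severity": f["severity"], "products": set(), "customers": set()})
            entry["products"].add(product)
            entry["customers"].update(info["customers"])
    return impact


def prioritize(impact):
    """Order vulnerability ids by severity, then by how many customers are exposed."""
    return sorted(impact, key=lambda vid: (SEVERITY_RANK[impact[vid]["severity"]],
                                           len(impact[vid]["customers"])), reverse=True)


def ci_gate(findings, fail_on="HIGH"):
    """CI/CD policy: block the build if any finding is at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


if __name__ == "__main__":
    impact = trace_impact(PRODUCTS, VULN_FEED)
    for vid in prioritize(impact):
        e = impact[vid]
        print(f"{vid} [{e['severity']}] products={sorted(e['products'])} customers={sorted(e['customers'])}")
    for product, info in PRODUCTS.items():
        print(product, "BLOCK" if ci_gate(scan_sbom(info["sbom"], VULN_FEED)) else "PASS")
```

Run as a script, the older build is blocked at the gate and both placeholder advisories are traced to the two customers that received it, while the build that already carries the fixed versions passes. In a pipeline, `scan_sbom` would consume the SBOM emitted by the build and `ci_gate` would set the job's exit status; the `trace_impact` lookup is what turns a new advisory into a customer notification list without any manual inspection.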
VicOne’s xZETA can help you from the implementation phase to the post-production phase. You can simply upload your firmware or binary to our cloud-based vulnerability management platform (SaaS model) to create SBOMs and to identify both known and undisclosed vulnerabilities, malware, ransomware, advanced persistent threats (APTs), and backdoor attacks. If you want to keep your firmware within your company (hybrid mode model), you can integrate xZETA into the CI/CD workflow (as illustrated in Figure 1).
Figure 3. Integrating xZETA using the SaaS model or the hybrid mode model
In conclusion, understanding and mitigating software vulnerabilities is vital to establishing a solid cybersecurity stance in the automotive industry. Embracing the power of the SBOM can significantly strengthen software supply chain security, ensuring safer and more reliable connected vehicles for everyone on the road.
Contact VicOne now to begin your SBOM journey for free.