The Internet of Vehicles (IoV) is a new industrial form that deeply integrates next-generation information technologies such as 5G, artificial intelligence, big data, and cloud computing with the automotive, electronics, and road traffic fields. It serves as an important carrier for accelerating the development of new productive forces and building new competitive advantages for the country. While the IoV accelerates the transformation and reshaping of the automotive industry, it has also brought about a complex and changing new network security environment and security risk challenges, which raise higher demands for network security protection capabilities and system construction, urgently requiring enhancements in response from technical, standard, management, and industrial aspects.
▍1. Accelerated Technological Evolution Leads to Complex Changes in IoV Security Environment
Currently, technologies such as 5G, big data, high computing power, and large models are accelerating their integrated applications in the IoV field. The network communication capabilities, perceptual computing levels, and innovative business applications of the IoV are all rapidly developing. Meanwhile, the network security environment of the IoV is also evolving, with more security demands, higher protection requirements, and broader protective scopes.
(1) Diversification of Network Communication Paths
Firstly, the communication interactions between vehicles, roads, and the cloud have significantly increased. Predictions indicate that by 2024, the total number of global 5G base stations will exceed 4.8 million, with nearly 10,000 roadside connected devices installed. According to Statista, by 2025, over 400 million connected vehicles will be operational globally. As the integrated application of vehicles, roads, and clouds progresses, the information exchange between vehicles and vehicles, vehicles and roads, vehicles and clouds, and vehicles and devices is becoming increasingly tight. Secondly, the communication capabilities between vehicles and satellites continue to improve. Some vehicle models now support bidirectional satellite messaging and satellite calls in a user-transparent state, achieving a ‘heartbeat connection’ between vehicles and satellites. The complex and diverse communication interfaces and precise real-time communication interactions place higher requirements on communication security protection.
(2) Intelligent Perception Computing Systems
Firstly, autonomous driving technology is continuously upgrading. According to data from the China Passenger Car Association, in 2023, the proportion of new energy passenger vehicles equipped with Level 2 or higher assisted driving functions reached 55.3%. Autonomous vehicles from companies like Waymo, Cruise, Mobileye, and Aurora are being tested or trial-operated in cities across the US, Japan, and Singapore. Secondly, vehicle-side perception capabilities are extensive. Most intelligent connected vehicles are equipped with high-definition cameras, millimeter-wave radar, and high-precision positioning devices, generating 100 MB of data per second per vehicle and becoming centers for massive data aggregation. Thirdly, the shift to software-defined vehicles is accelerating. The number of electronic control units (ECUs) embedded in intelligent connected vehicles has significantly increased compared to traditional vehicles, reaching over 150. High-end vehicles now have software code volumes reaching hundreds of millions of lines. As the cockpit of the vehicle merges into the driving domain and the vehicle system evolves towards cross-terminal interconnectivity, the risks related to computational security, perception security, and software code security are continuously increasing, making it significantly more challenging to ensure system security and reliability.
(3) Rapid Iteration and Expansion of Business Applications
Firstly, IoV services are increasingly expanding towards complex businesses such as online software upgrades (OTA), vehicle status monitoring, and fleet scheduling. For instance, with the centralization of automotive architecture, the coverage of automotive OTA upgrades is continuously expanding, and the upgrade speed and performance are also rapidly improving. Globally, more than 100 million automotive OTA implementations have been completed, with some models reaching OTA frequencies of once a month. Secondly, automotive production network collaboration is becoming tighter. The automotive industry is evolving from mass production to intelligent manufacturing with full interconnectivity and collaboration, with the manufacturing system gradually developing towards cloud-based collaboration, tightly connecting upstream and downstream supply chain resource networks. The security elements of the IoV extend from individual vehicles to the cloud, production lines, and other multi-linkages, continuously expanding the boundaries of security protection.
▍2. New Trends in IoV Security Threats
With the rapid development of the industry and the continuous changes in the security environment, the targets of IoV attacks have become more generalized, the methods of attack more diverse, and the attack paths cross-domain and composite. IoV security threats are gradually transitioning from the laboratory to the real world, potentially leading to consequences such as vehicles being controlled by attackers, data leakage, and operational interruptions, profoundly impacting social stability and people’s work and daily lives.
(1) From the perspective of attack targets, service platforms have become the focus of attacks
IoV service platforms have characteristics such as diverse business types, high data value, and simple network architecture. Compared to numerous in-vehicle attack vectors such as ECUs, sensors, information exchange systems, and application program APIs, attacking IoV service platforms is less complex and more cost-effective, making them a primary target for IoV attacks. In September 2023, ORBCOMM, a provider of freight and fleet management solutions in the US, fell victim to a ransomware attack, causing thousands of users on its platform to be unable to record driving times or track transportation statuses. According to monitoring data from the China Academy of Information and Communications Technology, there were 8.05 million attacks targeting IoV service platforms in 2023, a year-on-year increase of 25.5%.
(2) From the perspective of attack methods, remote attacks have become mainstream
The rich and diverse network connections such as 4G/5G, V2X, Wi-Fi, Bluetooth, and satellite communication have greatly expanded the channels for network attacks. Ransomware attacks, unauthorized access, and virus implantation methods have rapidly penetrated the IoV field, with the proportion of remote attacks increasing quickly. In August 2023, Ford announced that its vehicle Wi-Fi module had a buffer overflow vulnerability affecting certain Ford and Lincoln vehicles. Automotive cybersecurity company Upstream Security reported that over 95% of the automotive attack threats monitored in 2023 were conducted remotely, with 70% of remote attacks being carried out from long distances. As autonomous driving technology becomes more widely applied, the risks of sensor deception and interference will also continue to increase.
(3) From the perspective of harmful consequences, risks to vehicle operational safety, network security, and data security are intertwined
Firstly, the risk to vehicle operational safety is increasing. In February 2023, the China Academy of Information and Communications Technology detected access control flaws in a certain automotive IoV service platform, which could be exploited to gain remote control access to vehicles, enabling unauthorized unlocking of doors and starting of vehicles. Secondly, the risk of data leakage is severe. In May 2023, Toyota admitted that its database of Japanese car owners had been ‘wide open’ for nearly a decade, exposing the vehicle data of approximately 2.15 million Japanese users to leakage risks. In September of the same year, Mazda stated that its server had been illegally accessed by external attackers, leading to the leakage of 100,000 sensitive pieces of information. Thirdly, the resilience of the supply chain faces challenges. In January 2023, upgrade packages for the vehicle systems of brands like Hyundai and Kia were found to have signature flaws that could be exploited to implant backdoors and inject CAN messages.
In February 2024, US President Biden issued a statement on “Addressing National Security Risks in the Automotive Industry,” aimed at preventing risks related to cross-border data transmission and remote vehicle control, strengthening scrutiny of automobiles and automotive technologies imported from China. This restriction on China’s automotive industry indicates that intelligent connected vehicles have become a focal point in global strategic competition and highlights the importance of IoV security. The task of building IoV security capabilities in China has become even more urgent.
▍3. Positive Progress in IoV Security Development
To effectively prevent and respond to IoV security risks, in recent years, the Ministry of Industry and Information Technology and other departments have deeply implemented the decisions and deployments of the Central Committee of the Communist Party of China and the State Council, strengthening policy supply, security management, and industrial services. Automotive companies, basic telecommunications enterprises, research institutions, and cybersecurity companies are actively enhancing collaborative construction of security capabilities. Through joint efforts, positive progress has been made in the development of IoV security.
(1) Intensive policy issuance, significant enhancement of institutional guarantees
A series of policy documents, such as “Notice on Strengthening Network and Data Security Work for the Internet of Vehicles,” “Several Provisions on the Management of Automotive Data Security (Trial),” “Interim Measures for Data Security Management in the Industrial and Information Technology Field,” and “Notice on Conducting Pilot Work for the Access and Road Testing of Intelligent Connected Vehicles” have been successively issued, systematically deploying IoV security work around key areas such as vehicle terminals, networks, platforms, and data, guiding enterprises to fulfill their primary security responsibilities. Key systems such as IoV network security protection, risk monitoring and reporting, important data reporting, data export assessments, and vulnerability remediation are gradually being established, accelerating the improvement of the IoV security regulatory system.
(2) Orderly construction of standards, stronger normative guidance
In implementing the “Guidelines for the Construction of Security Standards for the Internet of Vehicles,” the National Technical Committee for Standardization of Communication and the National Technical Committee for Standardization of Automobiles are accelerating the development of urgently needed important standards. As of now, four vehicle-end safety standards and more than ten platform safety standards have been published and implemented, and the technical review of the national mandatory standards for automotive information security has been completed. This work has also promoted the establishment of three recommended national standards for IoV service platform protection, online upgrade security, and security management platform interfaces. More than 30 other IoV security standards are under research, covering key links such as in-vehicle connected devices, network communication, data security, application services, and support guarantees, leading the comprehensive development of IoV security through standards.
(3) Active technological innovation, gradual establishment of industrial ecology
Supported by special tasks, major projects, and pilot demonstrations, key technologies such as in-vehicle security chips, encryption and authentication modules, in-vehicle intrusion detection, and IoV security operation centers have achieved breakthroughs. The China Academy of Information and Communications Technology and other organizations are also exploring the construction of comprehensive safety testing grounds for the IoV, creating a one-stop safety inspection capability, conducting network security capability evaluations for over ten vehicle models, and helping to enhance the safety level of automotive products. Meanwhile, the IoV Security Collaborative Innovation Alliance has been officially established, gathering over 130 units from automotive companies, basic telecommunications enterprises, cybersecurity companies, and research institutions to jointly promote collaborative innovation and application exploration in IoV security, fostering the cultivation of an industrial ecology.
(4) Rich security practices, accelerated capacity building of enterprises
Automotive companies and cybersecurity enterprises are increasing their investment and strategic positioning in IoV security, collaboratively carrying out security practices across vehicles, roads, clouds, and networks. Qihoo 360 has launched in-vehicle intrusion detection systems, IoV security situational awareness platforms, and cloud data security solutions focusing on vehicle and cloud protection. SAIC Group has implemented content identification, auditing, and control measures covering the entire data lifecycle to enhance data security protection capabilities. CloudChase Future, in collaboration with Dongfeng Commercial Vehicle and the National Intelligent Connected Vehicle Innovation Center, has established a joint innovation laboratory for integrated vehicle-road-cloud systems and is working with Didi to develop L4 level safety solutions, aiming to create benchmarks for high-level autonomous driving safety.
However, compared to the complex and severe IoV security situation, there is still a significant gap in the overall security protection level of the IoV, and the construction of security capabilities faces many problems and challenges, mainly reflected in the following five aspects. Firstly, the security awareness and protection capabilities of enterprises are weak, and the phenomenon of “focusing on development while neglecting security” still exists. The funding for cybersecurity and the scale of personnel allocation are insufficient, and most enterprises have not yet established systematic network and data security protection capabilities, facing challenges such as ineffective upward transmission of security responsibilities in supply chain network security management. Secondly, the supply capacity of specialized security products needs to be improved. The storage, computing, and deployment space of in-vehicle systems are limited, and general network security solutions need to be tailored or even reconstructed to meet the requirements of the in-vehicle environment, which involves high customization, long R&D cycles, high costs, and significant adaptation workloads. Thirdly, there is a lack of standard testing and verification capabilities. The construction of domestic simulation testing, field testing, and road testing environments related to IoV security is still in its infancy, making it difficult to systematically conduct effective verification of standard requirements, core indicators, and inspection methods. Fourthly, the supply of public service capabilities is insufficient. There are relatively few specialized IoV security teams and service organizations, and there is a lack of capabilities in threat intelligence, risk warning, and emergency response. Fifthly, there is a large talent gap. IoV security requires interdisciplinary and composite talents who understand both cybersecurity and communication, networking, electronics, and automotive fields, with high requirements for knowledge reserves, professional abilities, and practical experience, leading to a severe shortage of talent in security management and technology.
▍4. Recommendations for Strengthening IoV Security Capability Construction
In response to the aforementioned problems and challenges, it is urgent to gather the strength of all parties in the industry, adhere to the coordinated development of security and safety, and promote the construction of security capabilities in terms of systems, standards, technology, and industry, accelerating the establishment of a high-level IoV security protection system and creating a trustworthy industrial ecology to effectively prevent major security risks and safeguard the high-quality development of the IoV industry.
(1) Implement security responsibilities and enhance risk prevention levels
The key to IoV security lies in the various entities of the industrial chain. Enterprises should implement the requirements of laws and policies such as the “Cybersecurity Law,” “Data Security Law,” and “Notice on Strengthening Network and Data Security Work for the Internet of Vehicles,” establishing and improving internal network and data security management systems, fulfilling responsibilities for network security grading and filing, hierarchical protection, data protection, data export assessment, vulnerability remediation, and incident reporting for IoV service platforms. Allocate sufficient security personnel, establish chief security officers, and enhance collaboration with departments such as network security, information technology, R&D, production, and compliance. Strengthen management of upstream and downstream suppliers, improve supply chain resilience and reliability, and enhance collaborative risk response capabilities. Increase funding investments and strengthen the deployment of protective measures for important facilities, platforms, and data, promptly addressing security vulnerabilities.
(2) Accelerate innovation breakthroughs and enhance technical protection levels
In response to security demands related to front-end perception, network communication, vehicle control, edge services, and intelligent facilities, strengthen technological breakthroughs and promote the development of a batch of security technology products. Proactively plan research and pilot experiments related to large model applications, integrated vehicle-road-cloud systems, and satellite communication networks. Encourage automotive companies to collaborate with cybersecurity companies to establish IoV security operation centers, enhancing threat monitoring and emergency response capabilities. Accelerate the construction of public service platforms for IoV security, strengthen connections and interactions with enterprises, and enhance security threat information sharing and collaborative protection to prevent risks such as network attacks, data leakage, illegal transmission, and unauthorized access.
(3) Strengthen standard development and enhance normative guidance levels
Accelerate the improvement of the IoV security standard system, and promote the development and practice of key urgently needed standards such as vehicle information security, service platform security, and OTA security. Actively participate in standardization work with organizations like ITU, ISO, and WP.29, promoting the development of key standards and strengthening influence over standards and rules. Conduct standardization activities through the IoV security task force of the China Communications Standards Association, guiding enterprises to meet standards. Accelerate the construction of IoV security testing grounds, build comprehensive one-stop security testing capabilities, conduct evaluations and awards for vehicle network security capabilities, and promote the enhancement of vehicle safety levels.
(4) Strengthen the industrial ecology and enhance service guarantee levels
Leverage platforms such as the IoV Security Collaborative Innovation Alliance to deepen communication and collaboration across the industrial chain, supporting high-quality R&D and the industrialization of results. Summarize and refine excellent practices in IoV security, creating a number of replicable and scalable solutions to expand the supply of high-quality and efficient security services. Hold high-level IoV security drills, competitions, and training sessions to enhance the cybersecurity awareness and skills of practitioners, cultivating composite talents who understand products, manufacturing, testing, equipment, and security, continuously strengthening the security talent guarantee.
This article was published in the February 2024 issue of China Information Security.
Authors | China Academy of Information and Communications Technology Wei Liang, Xie Wei, Zhao Shuang, Ke Haoren
