The car is connected now! But are we safe? Cyber securing the connected car

The car is connected now! But are we safe? The car is connected now! But are we safe? 1 Table of contents 01 05 Indian landscape: connected consumer and connected car How can EY help? 02

What is in it for all stakeholders? ► Connected car to help reduce range anxiety ► Connect dash camera ► Telematics help to bring down insurance claims 04 03 Scenarios of cyberattack: ► In-vehicle infotainment system ► Facial recognition failure ► WiFi hotspot Architecture of connected cars and the risks ► Tampering with ► Mobile application OBD device ► 4G SIM

2 The car is connected now! But are we safe? The car is connected now! But are we safe? 3 Foreword Foreword

Modern automobiles have completely changed, they are A connected car and in-car connectivity have moved from connected, available on demand and mobility is pervasive. being mere buzzwords to becoming an ubiquitous ask by This revolution of automotive connectivity with the Indian consumer. The industry is already focused on Neville M Dumasia humans and infrastructure presents the big challenge – Vinay Raghunath multiple aspects of this transformation which include cybersecurity! Auto manufacturers and hackers have both making connectivity a standard feature (as opposed to India Leader demonstrated the value and perils of this connectivity and Auto Sector Leader being an optional add-on), creating new business and pricing thus it necessitates a sharp focus from all stakeholders in [email protected] models for connectivity solutions and working with regulatory Advanced Manufacturing, the ecosystem – OEMs, regulators, component suppliers, bodies to establish standards to enable a faster roll out. Mobility & Infrastructure insurance companies and even consumers to make the [email protected] connected world safe. We believe that the end consumer’s continuous demand for seamless in-car technology will continue to fuel innovation The EY team is pleased to bring forward thought provoking and collaboration between organizations spanning multiple scenarios and questions we all have to collectively sectors like telecom, internet service providers, automakers answer. We live in a connected world today and in the and component manufacturers. foreseeable future, this trend is likely to increase. Historically, our experience in the industry has largely been around the Most OEMs are gradually expanding their internal use of information technology, which is now supplemented organizational teams to work with these new competency with operational technology. This combined flood of data is areas while also solving challenges related to integrating voluminous, instant and can be open to the outside world. vehicle platform development cycle time with the speed of This evolution opens all of us to the threats of cybersecurity, development in the entertainment, communication and if not managed carefully. information technology space.

As responsible corporate citizens we believe it is the duty Alignment and collaboration across stakeholders in this of all stakeholders in this ecosystem to not only appreciate connected ecosystem will be critical to ensuring that the threats of cyber but to also effectively take steps to consumers continue to experience innovation in connected prevent and mitigate risks. We at EY realize the enormity of vehicles while also trusting the safety, seamlessness, the task at hand, the significant costs involved in terms of relevance and durability of these solutions. training of our people, the broader ecosystem, systems and checks and balances to be incorporated to safeguard our business.

4 The car is connected now! But are we safe? The car is connected now! But are we safe? 5 Section 01 Indian landscape: connected consumer and connected car

6 The car is connected now! But are we safe? The car is connected now! But are we safe? 7 The changing Mobile and Indian consumer technology- enabled At confluence of aspiration and technology… 1

2 Fast and trouble Smart Smart free solutions office transport Changing 5 More patterns of sophisticated in their financial s services needs e A consumers ic I v Smart e Smart health D energy 3

D a s c More demanding: expect ta i t more customization, bo 4 Ro personalization, Smart Smart flexibility and metricity home manufacturing Increasingly looking towards other people Smart for real-time recommendations cities

Paradigm shift in usage patterns “India to grow faster than China in MBB subscriptions and data traffic” During 2019, it was estimated that Active mobile-broadband In 2019, average time spend subscriptions have increased from 57.16 % 144 hours “Focus on content for enhancing customer experience” of the global population, or 268 million per day on social networking 4.3 in 2007 to billion people, will be using 6.3 billion “5G to account for 5% of total connections by 2025” the internet in 2019

Nearly three-quarters of the world will use just their smartphones to access the internet by 2025.

8 The car is connected now! But are we safe? The car is connected now! But are we safe? 9 Transforming the lives of Digital opportunities to drive the 2 billion people next wave of growth in India India’s digital and social media outlook Digital opportunities to drive the next wave of growth in India Growing digital media consumption, in the form of multi-play offerings, is increasing the India to grow faster than China in MBB subscriptions and data traffic data subscriber base for Indian telcos

Video streaming contributes Mobile broadband Smartphone subscription Mobile data traffic/month 70%-80% 79% 93% subscription in India to witness strong growth to grow faster than China of mobile data traffic in India digital media and content of time spent on videos in Hindi and consumption is on mobile devices other regional languages 2018 : 0.5b 2018 : 0.6b 2018 : 3 EB

An average user spends up to 2024 : 1.2b 2024 : 1.0b 2024 : 12 EB 3.2 times 500 million 80% more time on mobile content, people viewed videos online of the content consumed was less CAGR 15% - India CAGR 10% - India CAGR 26% - India than on web in 2019, a growth of 80% over than a year old 2% - China 3% - China 22% - China 2018

India has the largest number of Facebook users in the world Operators have showcased a number of 5G use cases Million, Oct’19 Connected cars RJio and Ericsson demonstrated 5G Airtel demonstrates how connected car and VR-enabled driving IoT can empower drivers through using 5G auto telemetry 183 USA VR based 360 Airtel and Nokia demonstrated VR based 360-degree content that can be streamed degree content in a 5G live environment.

India 269 123 Indonesia Connected Airtel showcased replica of modern connected home with intelligent devices homes and appliances 120 Brazil Mexico 82 BVLOS Airtel and Ericsson showcased cased Beyond Visual Line of Sight (BVLOS) autonomous autonomous drones over 5G networks Daily active users drones on Facebook reached 1.52 billion, up 9% compared to 2019

Source: News articles, Statista 2019 Data, DMR Source: EY knowledge

10 The car is connected now! But are we safe? The car is connected now! But are we safe? 11 Connected features for connected What’s driving the connected car? consumers Intelligent mobility paves new roads for marketers New car technologies are transforming the automotive sector, with major implications for industry players and Focus areas: stakeholder’s watch consumers alike

Financial services Infotainment delivery ► Application and subscriber ► Personalized content delivery ► Over-the-air software updates ► Driver CRM via email and SMS Asia Pacific and Europe Service management web portal ► Asia Pacific & Europe are the major regions where ► Driver smartphone app and portal ► Customer service helpdesk demand for connected cars solutions and ► Customer service helpdesk services is the highest due to various government regulations on vehicle safety.

Electric vehicles Safety and security features ► Battery health and charge status ► Charging location POI reservation ► Automatic crash notification ► Eco-trip planning and navigation ► Crash recording ► Battery charge time scheduling ► Remote alerts and theft tracking ► Remote vehicle immobilization ► Roadside assistance Intelligent vehicle

► Vehicle health reports and notification 5G and AI OTA software management ► Dealer location and service scheduling The enhanced user experience for all connected ► Policy-driven dependency, cars depends on wireless connectivity. Many telecom ► Driver reports and coaching rollback and recovery industry players are developing 5G to increase the ► Driver monitor, limits and alerts safety and efficiency of connected cars. According to ► Standards-based certification, International 5G automotive associations, 68% of authentication and encryption accidents can be avoided with the upcoming 5G ► Dynamic data collection and technology. upgradable analytics

Connected ► Customized consumer notifications vehicle features prompts, and consent

► Connected car programs are ► Leading automakers need to create ► Automakers are increasingly developing becoming increasingly important for connected car experiences that are electric, hybrid and plug-in hybrid differentiating brands and vehicles intuitive, personalized and updatable. vehicles to meet consumer demand from the competition while contributing and comply with current and future to consumer engagement, satisfaction government fuel efficiency mandates. Continued on next page and loyalty for the next purchase. Source: EY knowledge

12 The car is connected now! But are we safe? The car is connected now! But are we safe? 13 Connected cars are poised to become a common phenomenon in India in the near future. And their relevance in the next Connected consumer puts pressure few years is bound to increase with the expected wide-scale adoption of EVs where connectivity features will help owners on all stakeholders for the right locate nearby charging stations and access telematics data strategy among several other things Right business model: stakeholder’s watch

IT infrastructure

Data noise - Customer value Existing business information gap and products portfolios value Connected cars poised to become common Strategy medium/ phenomenon in India short term plans strategy discussions amongst shareholder’s are essential to overcome frictions in the An increase in vehicle legislation Technologies like telematics, By connectivity technology: Existing processes organization, and industry compliances regarding connected and autonomous Cellular segment is expected to convenience features, such as vehicles will play a vital role in dominate the India connected because there are navigation, remote diagnostics, etc. transformation car market are driving the connected a number of key car market questions and issues to be addressed New business

Customer relationship

Source: EY knowledge

Source: EY knowledge

14 The car is connected now! But are we safe? The car is connected now! But are we safe? 15 ...and what the answer The question... should be about

What telematics services will be Identifying initial target market, with a view on Key questions offered (and when)? benefits and costs Are the telematics services technically Understanding the IT landscape, its strength for all feasible in my target market? and weaknesses Are the services commercially viable? What Building up the business plan also to anticipate issues/ stakeholders is the end result (top line and bottom line)? concerns end estimate pricing improvement How are the black boxes / devices installed Keeping a flexible approach ready for and maintained and who will bear the cost? “device independency”

Who will store and analyze the data Understanding the path to develop access (i.e., in-house or outsourced)? to adequate technology and skill

What are current consumer attitudes? Identifying “differentiating services” to avoid What would they expect by telematics? the “commodity pricing trap”

How do I attract new customers without Comparing company’s portfolio and clients cannibalizing my existing portfolio? with market trends and existing threats

What strategic partnerships would Building a vision behind that of a gadget add value to my proposition (e.g., that enhance risk selection, to leverage car dealerships, road side assist service telematics ecosystem providers, technology partners, official bodies)?

Source: EY knowledge

16 The car is connected now! But are we safe? The car is connected now! But are we safe? 17 Connected car ecosystem Multiplicity of services and stakeholders

On-demand Navigation Diagnostics Vehicle-to- infotainment vehicle

Higher bandwidth ► Point of interest, parking ► Vehicle health ► Traffic information ► Route optimization ► Scheduled maintenance ► Driver warnings ► Radio-music, news: live news feed ► Traffic/Journey times ► Recall information ► Pre-emptive actions to avoid and mitigate crashes What are ► Video: on-demand and real-time ► Travel and traffic assistance/ off- ► Service coupons content board route guidance ► Threat and hazard sensing: 360 ► Service scheduling connected degree awareness of the position Other in-vehicle services enabled ► Location-based services ► ► Electrical vehicle: battery charge of other vehicles car end- by cloud computing monitoring/ control services?

Lower Safety and Others bandwidth security

Lower bandwidth ► Roadside assistance ► Usage based insurance

► News, stocks and sports ► Emergency notification ► Fleet management ► Apps store ► Theft tracking ► Payment (tolling, parking, etc.) ► Multimedia, internet services, ► Remote control of vehicle ► In-car health services social networking, etc. environment/ car features ► Embedded financial ► Geo-fencing GPS units

Source: EY knowledge

18 The car is connected now! But are we safe? The car is connected now! But are we safe? 19 Connected car ecosystem (continued) Multiplicity of services and stakeholders…

Service Wireless User Customer delivery network interface support/service architecture (connectivity)

How are ► Telematics service Device-to-vehicle Low speed data Call centers connected platform/access portal services (2G) car services connectivity Online support ► Security services delivered? ► Embedded High speed data services Subscription management ► Content creation (4G/5G or LTE) ► Tethered Charging and billing ► Content aggregation ► Integrated ► Application development Human-machine interface ► Application delivery ► Visual ► Haptic ► Voice

Automotive industry City/State regulators Telematics service Insurance industry provider Vehicle manufacturers Insurance providers ► Telecom ► ► Telematics service ► Auto component ► Telecom operators ► Insurance distributors suppliers platform providers (brokers and aggregators) Stakeholders ► Repairer networks / Device manufacturers Others service centers ► Smartphone manufacturers ► M2M service providers Information technology ► Portable navigation and ► BPO ► Packaged software vendors infotainment device ► Roadside assistance manufacturers ► IT services companies providers

Source: EY knowledge

20 The car is connected now! But are we safe? The car is connected now! But are we safe? 21 We see connected vehicles as a part of the overall mobility solutions landscape Mobility solutions considerations: who, what, why, where and how…

The audience considerations Who of mobility and why “Who is the mobility service designed for and why is it important to them?”

Private Commercial Public (Business to consumer) (Business to business) (Business to government) Urban ► Ride sharing ► Corporate car sharing mobile ► Bus rapid transit solutions ► Car sharing ► Corporate BRT: mobile ► New traffic management tools What working space ► Brand sharing ► Dynamic space pricing the programmatic ► Integrated logistics ► Predictive/optimized aspects or topics Where maintenance and repair within mobility The geographic considerations ► Fleet cost optimization ► Integration of renewable energy ► Share-a-car (with energy needs of the Regional ► Mixed fleet management ecosystem) ► Autonomous driving ► Intermodal solutions “What needs to be Tolls system “Where are people ► Hybrid engines ► considered and/or addressed ► Hybrid engines and things moving ► Intermodal solutions in implementing a to and from?” mobility strategy?” Global ► “World citizens”: people living in ► Material/product logistics ► Connecting journey endpoints the various areas of the world at across major metropolitan areas ► Human capital/people mobility the same time (e.g., cab, train, plane, etc.) ► Corporate dwellers

► What do business and fleet ► What are governments looking ► What do consumers value and customers value and what are to accomplish? How what are they willing to pay for? they willing to pay for? Some key ► What is our city-focused ► How do we prioritize the various ► How do we monetize go-to-market approach? questions for mobility concepts to implement? opportunities for emission ► How can we access new private/ OEMs to reduction targets? ► How do we monetize our public business models to help consider investments in mobility (and ► How integrated is our overall finance new mobility concepts? telematics)? strategy for corporate clients? Source: EY knowledge

22 The car is connected now! But are we safe? The car is connected now! But are we safe? 23 India connected car market Emerging profit pool for the Indian automotive industry

► The key factor driving the growth of the market is the increase in the number of connected features in economy vehicles by OEMs. Additionally, an increase in vehicle legislation and industry compliances regarding convenience features, such as navigation, remote diagnostics and multimedia streaming through various platforms such as Android Auto, CarPlay and MirrorLink are driving the Indian connected car market.

► New safety norms are encouraging automakers to equip the vehicles with safety and security connected features, which in turn is increasing the demand for connected cars.

► Various technologies such as heads-up displays, smart infotainment and telematics systems are becoming an integral part of high-end automobiles.

Connected cars: market dynamics

► Economy car manufacturers attempting to provide luxury features Drivers ► Government initiatives for implementing connected car technology

► Lack of supporting infrastructure Restraints ► Unavailability of standard platforms

► Emerging profit pool for automotive industry Opportunities ► Evolution of the new value chain ecosystem of the automotive industry

► Increase in the threat of data breach and cyber security for connected vehicles Challenges ► Increase in the price of the vehicle with connected services

24 The car is connected now! But are we safe? The car is connected now! But are we safe? 25 Section 02 What’s in it for all the stakeholders: OEMs, suppliers, insurance companies, service providers

26 The car is connected now! But are we safe? The car is connected now! But are we safe? 27 OEMs challenge Technical challenges and opportunity “How will my connected vehicle solutions work?” Technical challenges Commercial challenges “How will my connected vehicle “Where will we make money?” Technology, commercial solutions work?” and operations: are these the big questions?

Adopt software iteration cycles Define the buyer Standardize Enable the seller technology platforms Optimize pricing Select partners

Integrate across vendors Connected car mobility is the 21st century’s biggest opportunity. OEM challenge Deploy and operate will be to find new business robust solution model for“ the connected Build service services and revenue stream infrastructure

will the proof ” Integrate across vendors Som Kapoor Partner, Future of Mobility Som works with automotive OEMs across the country Operational challenges “What’s required to deliver on our promise?”

28 The car is connected now! But are we safe? The car is connected now! But are we safe? 29 Connected vehicles: opportunities Success in connected vehicles and challenges for vehicle requires focus and diligence in manufacturers strategy and execution Internet-enabled, telematics Connected vehicle strategy: Define - Develop - Monitor

From To The first step is to define the fields of play – the focus areas, or points of concern, relative to your overall mobility and telematics program(s) ► Managed as feature/ ► Key element of customer 1 functionality item engagement Assess Strategy Ensuring the alignment of telematics and mobility with overall ► Owned by product ► Application across ownership alignment corporate strategy across different BUs development/engineering lifecycle /Define

► VM branded ► Services-driven value proposition Risk Creating an integrated and dynamic control environment for the connected management vehicle strategy that balances value, cost and risk ► Unclear value proposition Many definitions ► Multi-vendor, multi-brand solutions ► Optional item bundled in exist – we propose Customer Defining the key stakeholder and customer groups a package ► Standard item definition and determining key solution requirements and pricing ► Tight smartphone integration Mobility – moving people and Integration and Effectively integrating and monitoring mobility and telematics things from point A to point B monitoring program efforts and results across BUs

Connected vehicles – After identifying one or more focus areas, the next step is to design and internet-enabled, mobile develop an integrated and holistic connected vehicle strategy equipment 2 Challenges Opportunities Connected vehicle strategy Telematics – Design/ Develop ► Defining value and hardware and ► Differentiate through the willingness to pay for dealers software to connected vehicle experience and customers connect vehicles ► Build direct relationships with Technical ► KISS: keep it simple customers for users ► Use data to improve quality/ ► Organizing for success reduce warranty expense ► Operating a services business ► Increase share of post warranty, customer pay parts and ► Managing partnerships services spend CVS vs. vendors 3 challenges ► Owning and using data and issues Implement/ Monitor

Commercial Operational

30 The car is connected now! But are we safe? The car is connected now! But are we safe? 31 The connected car opportunity: who will provide the New revenue streams for all infrastructure and who will give the content? stakeholders

Unpaid basic packages Paid add-on packages ► Standard onboard function ► Store subscriptions allow unlimited song downloads on-board the vehicle which can ► Determines vehicle chassis details, engine number, Vehicle information package OEM music store be played offline date of manufacturing and all legal attachments

► Locates the nearest OEM dealerships ► Gives entire summary of engine usage and and workshops performance to the user Convenience package Engine diagnostic system ► Records and shares the user feedback regarding ► Monitors idling, average speed, clutch usage, the dealer with the OEM brake usage, acceleration, gear selection, etc. and presents in a report format to the user

► Customizes cabin light colours, instrument cluster lights and button light colours as per ► Onboard engine safety package the desired ambience ► Warnings include gear shift indication, Warning package Advanced safety and rev recognition to avoid engine over revving security package ► Includes vehicle tracking, emergency calling, location sharing and urgent member calling

► On-board engine safety package ► Service track records maintained by vehicle, notifying the user one week prior to the ► Warnings include gear shift indication, Company app downloads Service information package service due date Vehicle books a service rev recognition to avoid engine over revving appointment with the concerned dealer by itself

► Sensors installed by default in the vehicle ► End-to-end encrypted messaging system ► Activation of this package allows user to allowing users to chat with friends using the OEM chat connect Language package monitor tyre pressure chat connect app of the same OEM and also through the vehicles command system. ► Provides choice of setting the desired infotainment language for users unfamiliar with the generally accepted Hindi and English

32 The car is connected now! But are we safe? The car is connected now! But are we safe? 33 Case study on EVs: how can being Case study: shared mobility connected help reduce range anxiety? connected dashcam

Information at the user’s fingertips about charging (Case study 2) infrastructure and timely alerts Current and future Future scenario Nearest charging station and availability for type of charger scenario: connected with connected dashcam 1 dashcam (Case study 1) In case of a car collision

North West 2 2 Rapid charger 1

No solution to notify the accident During the impact, connected Fast charger 2 dashcam will send alert push notification Slow charger 5

3 3 South

Rapid charger 4 Insurance company, police, etc. Connected dashcam, push alert have to rely on the eye witlessness notifications, geo coordinates and Fast charger 6 for the sequence of events event video to insurance company, emergency services and family of the driver Slow charger 8 Benefits ► Reduction in insurance To alleviate range anxiety, the electric vehicle battery will need to be safer, cheaper, premium have faster charging and feature a high energy density for greater range. ► In case not the driver’s 3 fault, no premium increase Peak and off Estimated ► Fleet can reward Connected dashcam, push alert peak pricing waiting time drivers based on the notifications, geo coordinates and driving performance event video to insurance company, (surge pricing) emergency services and family of the driver

34 The car is connected now! But are we safe? The car is connected now! But are we safe? 35 Telematics in claims provide real Core offering of telematics customer protection and drive down insurance and connected dashcam insurance losses Managing customer needs through core offerings Telematics as survivor! Core UBI offering (Case study 3) 1 ► Design usage-based insurance suited for the business individual insurers business and operation model including product design, IT capacity, analytical function, claim management and capital

► As the product is still in its early stage of acceptance, lead the UBIs to understand the target market and test different product offerings Real time data transmission ► Location ► Motion ► Speed Risk selection: driving behavior modifier ► Continuous improvement in risk selection by ► Vin number 2 Reduction of claims cost capturing and analyzing increasingly accurate ► ► Acceleration information about individual driving behavior

► Force of impact ► Actively manage claim costs through real feedback ► Other external environment on driving behavior and instant notification such weather, traffic and road of loss events conditions

Extra information via telematics devices will help manage insurance losses by enabling claims operators to determine the exact circumstance of the claim including nature, type and extent of the damage to the vehicle Product innovation: leverage through value add services, which are as well as the early indication of likely bodily injury 3 highly desired by the customer ► Reduction in underwriting and claim fraud ► Reduces the first notice of loss process ► Provide value-add vehicle services, such as ► Increased revenue and emergency services, breakdown services, theft profitability from non - ► With two-way communication can help identify individuals involved in the accident notifications and early vehicle diagnostic services insurance product ► Improves the accuracy of case estimation damages reducing the uncertainty in property damage and small injury claims ► Additional opportunities exist around integration ► Increased retention for core Telematics enables a superior seamless claims process for a more holistic protection cover for customers platforms, content provision and providing access to insurance product infotainment and navigation/traffic services ► Theft ► Provide vehicle recovery information to customer/police ► Portal functions for new embedded applications, ► Theft alarm is activated ► Avoiding total losses Increasing the product offering such as tracking of stolen vehicles, parental control, with additional services better ► Theft notification to customer infotainment systems and viewer of journeys matches the customer’s needs (emotional and logical) with Accident Breakdown ► Requires support for single point, which is responsible for charging and billing for various the motor insurance product Instant crash / emergency notification Instant notification and location of the vehicle ► ► services; this is a main reason for the increasing (traditionally, a begrudged ► Send relevant emergency services to ► Direct the nearest recovery team directly to involvement of insurers in the value chain purchase) the confirmed location the vehicle ► For insurers looking to become more deeply ► Check customer record and contact family involved in the value chain, strategic alliances in the ► Remain in contract with the customer development of vehicle independent services is an option ► Confirm arrival of emergency service ► Saving lives

36 The car is connected now! But are we safe? The car is connected now! But are we safe? 37 Section 03 Architecture of connected cars and the associated risks

38 The car is connected now! But are we safe? The car is connected now! But are we safe? 39 Architecture of a connected car Overall architecture and implementation view

Network communication Long-range wireless

Intra-vehicle network LTE/GPS Cloud services

Accessibility categories RFID Broadcast services

Application V2I Short-range wireless OEM ECU Operating system V2X Bluetooth Consumer smart devices

Network V2V Wireless network Vehicle

Keyfob Firmware Physical

Physical connection

USB Consumer media devices Controller area network (CAN): ODB-II Programming/ diagnostic device

V2I : Vehicle-to-infrastructure Sensors: throttle position sensor, manifold absolute V2X : Vehicle-to-anything pressure sensor, engine coolant temperature sensor, V2V : Vehicle-to-vehicle oxygen sensor, humidity sensors, etc. RFID : Radio Frequency Identification

40 The car is connected now! But are we safe? The car is connected now! But are we safe? 41 Race of cybersecurity: protecting connected cars The connected ecosystem of Cybersecurity and privacy strategy core considerations - tomorrow’s mobility needs to be Top-down and bottom-up approach

robust and looking at dimension of Business and IT strategy Compliance privacy and safety product strategy Risk Mobility and Emerging appetite Industry trends technologies

Inform Cybersecurity has risen in importance as the automotive industry undergoes a transformation driven by new person- al-mobility concepts autonomous driving, Connected vehicle: vehicle chain strategy vehicle electrification, and car connectivity. results The connected vehicle system will require Assessment a common technical framework for the deployment to address security implications and privacy of driver and passengers, as connected environment. High-impact Strategic vision The emerging V2X landscape (V2V, V2I) enhancements calls for an approach, which takes care of drivers business use cases and as well as regulatory requirements and in

achievement the players have to ensure, consumers interest of privacy at uttermost while maintaining necessary hygiene of cy- Threat Threat

ber security. modeling

R Sundar Enables Partner, Risk [email protected]

Secure vehicle Security vehicle Secure vehicle production design and ecosystem post-production

42 The car is connected now! But are we safe? The car is connected now! But are we safe? 43 Threats and challenges to connected vehicles

Long-range wireless

Intra-vehicle network Cloud services Breach at OEM data centres aimed at stealing customer’s Accessibility categories Broadcast services personal files, disabling vehicle’s operation or Application V2I spreading malicious activities. Short-range wireless OEM ECU Operating system V2X Consumer smart devices Unauthorized access to vehicle internal network Vehicle and infotainment system in order to steal private Network V2V and corporate data, track Keyfob individual vehicles or entire fleets and hijack non-safety and safety-critical function. Firmware Physical

Physical connection

Consumer media devices Physical access and Controller area network (CAN): tampering of OBD device Programming/ diagnostic device leading to compromise of critical functions.

Sensors: throttle position sensor, manifold absolute

pressure sensor, engine coolant temperature sensor, oxygen sensor, communication Network V2I : Vehicle-to-infrastructure humidity sensors, etc. V2X : Vehicle-to-anything V2V : Vehicle-to-vehicle RFID : Radio Frequency Identification

44 The car is connected now! But are we safe? The car is connected now! But are we safe? 45 Assessment of security testing in How big is the problem? connected car India ranked #1 in total number of cyber crime complaints received in 2018 Security oriented implementation of architecture and functions for connected cars 2

Common automotive processes EY framework for vehicle threat analysis 3 1 ► Celluar data/voice 5 Supplier and ► Broadcast services (FM RDS) partner processes ► DSRC ► VANET

After sales Security V2I processes 4 engineering >200 ft and tools V2V V2X 50-200 ft Top five countries by the total number of cyber crime complaints receive > 0 ft Physical S.no. Country Complaint % Total number of complaints received Cyber crime - major Remote threat channels threat Remote 1 India 33.07% 4,556 statistics - 2018 Mobile phone ► US$2.71 billion victim Product 2 United Kingdom 28.8% 3,970 ► Remote unlock losses in 2018 architecture and 3 Canada 20.90% 2,880 Over 900 complaints development ► OBD-II 4 Australia 8.90% 1,227 received per day on ► USB an average 5 Georgia 8.33% 1,144 ► CANBUS

ECU device breakdown Age Complaint % Total Loss (US$m) ► Identification of assets ► Security use cases Application: Applink, CarPlay, etc. to be protected Under 20 9,129 12.5 ► Validation of security Operating system: QNX, Linux, ► Attack risk analysis assumptions 20-29 40,924 134.48 grouping Window embedded ► Security goals ► Test of security 30-39 46,342 305.6 mechanisms and Subcomponent ECU Firmware: Custom fireware ► Security architecture penetration tests 40-49 50,545 405.6 ► Tech. security concept ► Test of security 50-59 48,642 494.9 ► Implementation of security mechanisms and mechanisms penetration tests Over 60 62,085

► Security analysis network Intra-car

Source: 2018 Internet Crime Report, FBI I3C

46 The car is connected now! But are we safe? The car is connected now! But are we safe? 47 Section 04 Attack scenarios

48 The car is connected now! But are we safe? The car is connected now! But are we safe? 49 Quick snapshot: cybersecurity

market for cars.

► The cybersecurity market for cars is being primarily driven by the increasing connectivity of vehicles, increasing adoption of telematics services in automobiles and increasing integration of advanced features.

► The automotive industry across the globe is undergoing a wave of innovation and advancements, with the emergence of ground-breaking technologies, such as the Internet of Things (IoT), enhanced GPS, location and maintenance live recording, reminders, driving assistance and Wi-Fi services, the demand for connected cars has been rapidly increasing, driving the market forward.

► As all the connected vehicles are fully dependent on the connected software for all aspects of their operation, hence, they are vulnerable to a wide range of cybersecurity attacks, which increases the need for a cybersecurity solution, which is driving the market forward.

► With automobiles equipped with in-vehicle infotainment systems and improved wireless-network systems, have boosted the sales of the connected cars in this region, thereby, driving the overall Asia-Pacific cybersecurity market for cars.

50 The car is connected now! But are we safe? The car is connected now! But are we safe? 51 EY cyberattack scenarios Attack vectors: in-vehicle Attacker levels and test scenarios Attackers posses varying levels of skill which we group into four levels as shown in the table below. Against each of the four infotainment (IVI) levels EY has devised a set of test scenarios that we would recommend performing to provide confidence that the component is able to withstand the associated level of attack and associated attack vectors. A process of threat assessment is used to identify the likely attacker, the attack vectors used, their motivations and typical attack targets. Scenario 1

In-vehicle infotainment 1 2 Using the EY Remote attacker Malicious song file Passenger’s phone Assessment EY vehicle Automotive penetration Security Tech reviews testing Framework approach 1 2

3 4 1 The remote attacker sends a The file is sent to a phone which Attacker level Capability Example attack vectors malicious code masked as an has access to the car or is already entertainment file. connected to the IVI system. Beginner ► Has a basic security ► Tries out known attack vectors against the (script kiddie) understanding WiFi of the headunit, e.g., breaks the WEP 3 and brute forces easy WPA keys ► Is able to use public exploits or reproduce trivial security ► Port-scans the head unit and looks for findings commonly known vulnerabilities

► Tries to get firmware images of ECUs online and looks through them directly for strings Connected car device IVI system with credentials Connected via USB cable ► Reads car-hacking papers to reproduce findings of the past or is able to reproduce 4 back-doors which are known on internet forums 2 Exploited Professional ► Profound security understanding ► Opens embedded devices and tries to read Unknowingly the phone owner opens (experienced attacker) and experience the memory chips The attacker now has gained access the file while the phone is connected to the device and can control its work- ► Able to adapt existing exploits ► Uses open debug ports to attach debuggers to the IVI system and the malicious ing and can use its feature to cause code starts running. ► Has some basic hardware-level ► Reverse engineers K-matrixes different types of attacks. exploitation experience ► Identifies simple buffer overflows in firmware which can be accessed via debug interfaces

► Is able to discover multi-hop attack vectors from the car to the IT infrastructure

► Is able to attack RF communication with known flaws in WiFi, GSM and Bluetooth, and well understood busses, e.g., CAN and LIN

52 The car is connected now! But are we safe? The car is connected now! But are we safe? 53 Attack vectors: Wi-Fi hotspot Attack vectors: 4G SIM

Scenario 2 Scenario 3

Wi-Fi hotspot 4G SIM

Anyone in the car with a mobile device can now connect to the hotspot created Remote attacker 4G SIM Device by the device’s Wi-Fi.

Remote attacker Wi-fi Passenger’s phone 2 3

1 2 A remote attacker can try to remotely The 4G SIM stores the video The 4G SIM is introduced in the hack the SIM by getting the encrypt- recordings and the conversation device to enable data transfer to ed key (which can be obtained in a that took place in the car. It also gives cloud storage and to create The device offers the feature of The passenger’s phone is vulnerable number of ways). a hotspot option to the passengers connectivity within the car. Wi-Fi hotspot which creates a to attacks and their privacy is of the car. 4G/LTE enabled secure Wi-Fi hotspot also at risk. that can be used for internet by car passengers.

4

► An attacker can hijack the browsing session and snoop on the websites visited over an LTE connection using an attack called aLTEr.

► Attacker using this exploit in the LTE service can gain access to the mobile device and can use it to spy, spam, track and spoof. Vehicle The device is mounted in the car and having control of the device gives the attacker the control of the car and they can invade the privacy of the owner.

54 The car is connected now! But are we safe? The car is connected now! But are we safe? 55 Attack vectors: mobile application Attack vectors: inside threat (servicing)

Scenario 4 Scenario 5

Mobile application Inside threat

Remote attacker Mobile application Owner’s mobile Car whilst servicing Device Access to device-mounted car

1 2 2 3

A remote attacker can hack the The mobile application can be used ► A service personal can tamper By getting access to the device, application of the device and get by people other than the owner. with the device while the car has the attacker can now has an entrance access to the device as well as the The application itself may have gone for repair or servicing or into the privacy of the owner mobile phone. inherent vulnerabilities which leaves some other work. and the fellow passengers. it susceptible to multiple types They also control various aspects ► They can gain access to the and features of the car too. of attacks, thus rendering the device and hence the car, by device vulnerable. physically tampering with the device, the SIM and other 3 hardware. It can also gain pathway to the software of the system.

4 Connected car device 1

4

Car with device Unknowingly the phone owner opens The device can have a mobile the file while the phone is connected application which the owner can use to the IVI system and the malicious to monitor the device, the car and code starts running. get real time alerts.

Physical attack

56 The car is connected now! But are we safe? The car is connected now! But are we safe? 57 Attack vectors: insider threat Attack vectors: insider threat (OBD port)

Scenario 6 Scenario 7

Face recognition software Device Car Debug port Device Vehicle

2 3 3 4

Face recognition software The attacker can fool the software Once the software mistakenly gives Debug contains two CAN bus An attacker can gain access to the Gaining access to the device thus identifies the driver from the list by using disguise or by sending a access to the attacker, they have ports which allows microcontrollers device by plugging in a malicious gives the attacker access to the car. of familiar drivers added to the counter code to the device to access the control of the car. and devices to communicate code via the debug port. account and then only give the facial recognition software. with each other. him/her access to the car.

5

1 4 2

1

Computer needed to connect to debug port

Physical attack Malicious attacker

58 The car is connected now! But are we safe? The car is connected now! But are we safe? 59 In conclusion…

► The rapid increasing connectivity, the increasing number of electronic control units and lines of code have increased the complexity of products, thus, the concerns for security solutions are on the rise.

► The advancement of AI technology can seriously address cyber related issues and help companies in providing solutions.

► Developments in automobiles, such as the emergence of connected cars (internet-enabled) and predictive maintenance (using telematics), are expanding the cyberthreat surface. Also, mobility as a service (rise of shared cabs) is collecting data about drivers, passengers, destinations and routes, thereby leading to increased concerns on privacy.

► Underlying opportunities for AI in cybersecurity market include growing need for cloud-based security solutions among SMEs and increased use of social media for business functions.

Jaspreet Singh Partner, Cyber Security [email protected]

60 The car is connected now! But are we safe? The car is connected now! But are we safe? 61 Section 05 How can EY help?

62 The car is connected now! But are we safe? The car is connected now! But are we safe? 63 Connected car: how we see it! To secure the connected car, cybersecurity needs to be embedded EY capabilities Connected car strategy formulation Implementation support Monetization strategy across the entire ecosystem Big data analytics Predictive maintenance and Digital risk and asset planning cybersecurity Our strategic partnering value

Automotive companies can reap sustained benefits by effectively implementing a ► We use knowledge to build and deploy meaningful ► EY is known and respected for the depth and breadth of our solutions consistent with client’s objectives and cybersecurity practice. connected car strategy expectations of EY. ► We are the market leaders in building, operating, and OEMs Third party / others Customer ► Our approach is technology and partner agnostic, sustaining cyber security. we leverage the best tools and team with the ► Our approach is founded in a firm repeatable process that ► Remote diagnostic and ► Telematics for fleet management ► Advanced assisted driving industry experts to deliver a complete end-to-end is capable of flexing with the unique needs of connected prognostic services capabilities service. ► Content creation and vehicle. ► Improve after sales and management services ► On demand infotainment ► The depth and breadth of our firm allows us to tap support service into globally renowned subject matter resources ► Opportunities for telecom ► Augmented navigation and industry leading methodologies. ► Leverage connected car offering companies in machine-to- as unique differentiator and machine communication improve customer loyalty in vehicle A robust connected vehicle cyber security strategy

► OEMs can offer significant value ► Companies can use driving usage ► Customers can be provided Strategic influences to its customers by combining and car performance data to: with customized web portals, various elements from online where they can view diagnostic ► Optimize inventory for Business and product strategy applications, driver assistance, reports, download directions spares call center services and solutions to the vehicle or even unlock IT strategy Practical influences Desired outcomes for the integration of mobile ► Feedback into new product the car’s doors devices development Assessment Connected Safe vehicles ► The connected car lives in the Compliance vehicle cyber ► Services provided by the ► Sending maintenance alert network and is open to cyber Technical reviews security strategy Safe customers company can include to customers and dealership threats; companies need to have Risk appetite vehicle management, travel the balance between trust and ► Over-the-air tuning of and navigation, parking, risk – not just risk level, but trust Mobility and industry trends the vehicle entertainment, information, level – how much assurance do emergency call, vision and they have Emerging technologies drive assistance ► Advanced assisted driving capabilities can be provided by EY’s vehicle ecosystems: cyber security and privacy framework leveraging sensors, analytics, NLP, RPA and cloud computing

Car with various sensors

64 The car is connected now! But are we safe? The car is connected now! But are we safe? 65 Connected car: how we see it!

Organization structure, roles and Risk identification, risk domains, risk Operational policies and standards responsibilities, training and profiles, risk and controls library and that assist in achieving vehicle risk awareness and personnel to support ratings criteria that define vehicle risk management objectives and effective and execute the vehicle risk and for the affected populations management of IT risk governance strategy

Face recognition Connected vehicle risk management governance and strategy Connected vehicle risk management governance and strategy Alignment with the software identifies regulatory require- the driver from the ments for maintaining Organization (people, Risk identification list of familiar drivers Policies and standards a secure vehicle program, function) and profiling added to the account ecosystem and then only give them access to Security and privacy process, risk and control framework Security and privacy process, risk and control framework the car Design methodologies and New and emerging requirements

National and regional variation procedures to enable Framework incorporating

Regulatory requirements secure vehicles a vehicle security, risk and control framework, Secure vehicle design Secure vehicle production Security vehicle operations Processes, proce- including regulatory, dures and methods leading practices and Supplier trust Secure development Risk management for operating the internal requirements Standard vehicle architecture Secure integration Security monitoring Secure development Secure protocols and standards Change management vehicle security

Innovation Privacy consultation expectations OEM security requirements, Incident management framework and requirements testingand validation Privacy, communication and Business objectives Tools to facilitate Customer expectations Customer Privacy process and control preference management and board directives development vehicle risk that drive program management

requirements function) program, Organization(people, governance and strategy operational processes and Vehicle risk dashboard: reporting framework ongoing monitoring and reporting on Tools and technology Tools and technology program effectiveness and risk posture Compliance monitoring and reporting Compliance monitoring and reporting

EY’s vehicle ecosystems: cyber security and privacy framework

66 The car is connected now! But are we safe? The car is connected now! But are we safe? 67 For more information please contact us.

Vinay Raghunath Som Kapoor Our team will happy Business Partner Partner [email protected] [email protected]

consulting Pallav Chatterjee Pratik Shah to serve you. Director Director [email protected] [email protected]

Burgess S Cooper Jaspreet Singh Partner Partner Technology [email protected] [email protected]

Akshay Tiku Sumit Malhotra consulting Director Senior Manager [email protected] [email protected]

Nitin Sethi Amit Punjani Associate Director Associate Director Key [email protected] [email protected]

Contributors Kanika Sharma Consultant [email protected]

68 The car is connected now! But are we safe? The car is connected now! But are we safe? 69 Our office

Ahmedabad Delhi NCR Kolkata 22nd Floor, B Wing, Privilon, Golf View Corporate Tower B 22 Camac Street Ambli BRT Road, Behind Iskcon Sector 42, Sector Road 3rd Floor, Block ‘C’ Temple, Off SG Highway, Gurgaon - 122 002 Kolkata - 700 016 Ahmedabad - 380 015 Tel: + 91 124 443 4000 Tel: + 91 33 6615 3400 Tel: + 91 79 6608 3800 3rd & 6th Floor, Worldmark-1 Mumbai Bengaluru IGI Airport Hospitality District 14th Floor, The Ruby 6th, 12th & 13th floor Aerocity, New Delhi - 110 037 29 Senapati Bapat Marg “UB City”, Canberra Block Tel: + 91 11 4731 8000 Dadar (W), Mumbai - 400 028 No.24 Vittal Mallya Road Tel: + 91 22 6192 0000 Bengaluru - 560 001 4th & 5th Floor, Plot No 2B Tel: + 91 80 6727 5000 Tower 2, Sector 126 5th Floor, Block B-2 Noida - 201 304 Nirlon Knowledge Park Ground Floor, ‘A’ wing Gautam Budh Nagar, U.P. Off. Western Express Highway Divyasree Chambers Tel: + 91 120 671 7000 Goregaon (E) # 11, O’Shaughnessy Road Mumbai - 400 063 Langford Gardens Hyderabad Tel: + 91 22 6192 0000 Bengaluru - 560 025 THE SKYVIEW 10 Tel: + 91 80 6727 5000 18th Floor, “Zone A” Pune Survey No 83/1, Raidurgam C-401, 4th floor Chandigarh Hyderabad - 500032 Panchshil Tech Park Elante offices, Unit No. B-613 & 614 Tel: + 91 40 6736 2000 Yerwada 6th Floor, Plot No- 178-178A, (Near Don Bosco School) Industrial & Business Park, Phase-I, Jamshedpur Pune - 411 006 Chandigarh - 160002 1st Floor, Shantiniketan Building Tel: + 91 20 4912 6000 Tel +91 172 6717800 Holding No. 1, SB Shop Area Bistupur, Jamshedpur – 831 001 Chennai Tel: + 91 657 663 1000 Tidel Park, 6th & 7th Floor A Block, No.4, Rajiv Gandhi Salai Kochi Taramani, Chennai - 600 113 9th Floor, ABAD Nucleus Tel: + 91 44 6654 8100 NH-49, Maradu PO Kochi - 682 304 Tel: + 91 484 433 4000

70 The car is connected now! But are we safe? The car is connected now! But are we safe? 71 Notes

72 The car is connected now! But are we safe? The car is connected now! But are we safe? 73 Notes

74 The car is connected now! But are we safe? The car is connected now! But are we safe? 75 Ernst & Young LLP EY | Assurance | Tax | Transactions | Advisory

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/en_in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2020 Ernst & Young LLP. Published in India. All Rights Reserved.

EYIN2005-007 ED None

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

MK

ey.com/en_in

@EY_India EY EY India EY Careers India @ey_indiacareers

76 The car is connected now! But are we safe?