A Study of Vulnerabilities and Weaknesses in Connected Cars

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Koray Kaya; [2019]

Abstract: Security vulnerabilities in connected cars can have devastating consequences. For this reason we compiled and analyzed vulnerabilities in connected cars using empirical data to gain an understanding of the security issues in the automobile industry. The data is gathered from the U.S. National Vulnerability Database (NVD) and analyzed with the help of the CVSS system and the CVE and CWE databases. 183 reports were found from the company Qualcomm and 28 reports were found from the rest of the industry. Qualcomm was analyzed separately to avoid skewed results. Exploitability and impact trends of the vulnerabilities were analyzed and we found that the vulnerabilities generally were highly exploitable and had a high impact according to CVSS standards. The CWE classifications of the vulnerabilities were also analyzed. We found that the most common weaknesses among the major car companies were Protection Mechanism Failure, Information Exposure, Improper Restriction of Operations within the Bounds of a Memory Buffer and Improper Input Validation. The most common weaknesses for Qualcomm components were Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Access Control, NULL Pointer Dereference, Improper Validation of Array Index and Information Exposure. Looking deeper into the vulnerable components we found that 47% of the vulnerabilities were in the Infotainment system and 39% were in the Telematics Control Unit.