The car is

connected now!
But are we safe?
Cyber securing the connected car

The car is connected now! But are we safe? 1

 Table of contents
01 05
Indian landscape: connected
consumer and connected car
How can EY help?

02
What is in it for all stakeholders?
► Connected car to help reduce range anxiety
► Connect dash camera
► Telematics help to bring down insurance claims

03 04
Scenarios of cyberattack:
► In-vehicle infotainment system ► Facial recognition
failure
► WiFi hotspot
Architecture of connected cars and the risks ► Tampering with
► Mobile application
OBD device
► 4G SIM

2 The car is connected now! But are we safe? The car is connected now! But are we safe? 3
 Foreword Foreword
Modern automobiles have completely changed, they are A connected car and in-car connectivity have moved from
connected, available on demand and mobility is pervasive. being mere buzzwords to becoming an ubiquitous ask by
This revolution of automotive connectivity with the Indian consumer. The industry is already focused on
Neville M Dumasia humans and infrastructure presents the big challenge – Vinay Raghunath multiple aspects of this transformation which include
cybersecurity! Auto manufacturers and hackers have both making connectivity a standard feature (as opposed to
India Leader demonstrated the value and perils of this connectivity and Auto Sector Leader being an optional add-on), creating new business and pricing
thus it necessitates a sharp focus from all stakeholders in models for connectivity solutions and working with regulatory
Advanced Manufacturing, [email protected]
the ecosystem – OEMs, regulators, component suppliers, bodies to establish standards to enable a faster roll out.
Mobility & Infrastructure insurance companies and even consumers to make the
[email protected] connected world safe. We believe that the end consumer’s continuous demand for
seamless in-car technology will continue to fuel innovation
The EY team is pleased to bring forward thought provoking and collaboration between organizations spanning multiple
scenarios and questions we all have to collectively sectors like telecom, internet service providers, automakers
answer. We live in a connected world today and in the and component manufacturers.
foreseeable future, this trend is likely to increase. Historically,
our experience in the industry has largely been around the Most OEMs are gradually expanding their internal
use of information technology, which is now supplemented organizational teams to work with these new competency
with operational technology. This combined flood of data is areas while also solving challenges related to integrating
voluminous, instant and can be open to the outside world. vehicle platform development cycle time with the speed of
This evolution opens all of us to the threats of cybersecurity, development in the entertainment, communication and
if not managed carefully. information technology space.

As responsible corporate citizens we believe it is the duty Alignment and collaboration across stakeholders in this
of all stakeholders in this ecosystem to not only appreciate connected ecosystem will be critical to ensuring that
the threats of cyber but to also effectively take steps to consumers continue to experience innovation in connected
prevent and mitigate risks. We at EY realize the enormity of vehicles while also trusting the safety, seamlessness,
the task at hand, the significant costs involved in terms of relevance and durability of these solutions.
training of our people, the broader ecosystem, systems and
checks and balances to be incorporated to safeguard
our business.

4 The car is connected now! But are we safe? The car is connected now! But are we safe? 5
 Section 01 Indian landscape:
connected consumer
and connected car

6 The car is connected now! But are we safe? The car is connected now! But are we safe? 7
 The changing Mobile and

Indian consumer
technology- enabled

At confluence of aspiration and technology…

1

2
Fast and trouble
free solutions
Smart Smart
office transport
5
Changing More
patterns of sophisticated
in their financial

es consumers services needs

vic

Smart AI Smart
De

health energy
3
Da

cs

More demanding: expect

bo 4
ti
ta

more customization,
Ro personalization,
Smart Smart flexibility and metricity
home manufacturing
Increasingly looking towards other people
Smart for real-time recommendations
cities

Paradigm shift in usage patterns “India to grow faster than China in MBB subscriptions and data traffic”

During 2019, it was estimated that Active mobile-broadband In 2019, average time spend

57.16 % subscriptions have increased from

144 hours “Focus on content for enhancing customer experience”
of the global population, or 268 million per day on social networking

4.3 in 2007 to

billion people, will be using 6.3 billion “5G to account for 5% of total connections by 2025”
the internet in 2019

Nearly three-quarters of the world will use just their smartphones to access the internet by 2025.

8 The car is connected now! But are we safe? The car is connected now! But are we safe? 9
 Transforming the lives of Digital opportunities to drive the
2 billion people next wave of growth in India
India’s digital and social media outlook Digital opportunities to drive the next wave of growth in India
Growing digital media consumption, in the form of multi-play offerings, is increasing the India to grow faster than China in MBB subscriptions and data traffic
data subscriber base for Indian telcos

Video streaming contributes Mobile broadband Smartphone subscription Mobile data traffic/month

70%-80% 79% 93% subscription in India to witness strong growth to grow faster than China

of mobile data traffic in India digital media and content of time spent on videos in Hindi and
consumption is on mobile devices other regional languages
2018 : 0.5b 2018 : 0.6b 2018 : 3 EB
An average user spends up to 2024 : 1.2b 2024 : 1.0b 2024 : 12 EB
3.2 times 500 million 80%
more time on mobile content, people viewed videos online of the content consumed was less CAGR 15% - India CAGR 10% - India CAGR 26% - India
than on web in 2019, a growth of 80% over than a year old 2% - China 3% - China 22% - China
2018

India has the largest number of Facebook users in the world Operators have showcased a number of 5G use cases
Million, Oct’19
Connected cars RJio and Ericsson demonstrated 5G Airtel demonstrates how
connected car and VR-enabled driving IoT can empower drivers through
using 5G auto telemetry
183 USA
VR based 360 Airtel and Nokia demonstrated VR based 360-degree content that can be streamed
degree content in a 5G live environment.

India 269 123 Indonesia

Connected Airtel showcased replica of modern connected home with intelligent devices
homes and appliances
120 Brazil
Mexico 82 BVLOS Airtel and Ericsson showcased cased Beyond Visual Line of Sight (BVLOS) autonomous
autonomous drones over 5G networks
Daily active users drones
on Facebook reached
1.52 billion, up 9%
compared to 2019

Source: News articles, Statista 2019 Data, DMR Source: EY knowledge

10 The car is connected now! But are we safe? The car is connected now! But are we safe? 11
 Connected features for connected What’s driving the connected car?
consumers Intelligent mobility paves new roads for marketers
New car technologies are transforming the automotive sector, with major implications for industry players and
Focus areas: stakeholder’s watch consumers alike

Financial services
Infotainment delivery US$166 b CAGR – 25.2%
► Application and subscriber
► Personalized content delivery The global connected car market size post-COVID-19
► Over-the-air software updates
► Driver CRM via email and SMS is expected to be US$53.9 billion in 2020 and is
► Service management web portal projected to reach US$166.0 billion by 2025.
► Driver smartphone app and portal
► Customer service helpdesk
► Customer service helpdesk
US$54 b

Electric vehicles
Safety and security features
► Battery health and charge status
► Charging location POI reservation ► Automatic crash notification

► Eco-trip planning and navigation ► Crash recording

► Battery charge time scheduling ► Remote alerts and theft tracking Asia Pacific and Europe
Asia Pacific & Europe are the major regions where
► Remote vehicle immobilization
demand for connected cars solutions and
► Roadside assistance services is the highest due to various government
regulations on vehicle safety.
Intelligent vehicle

► Vehicle health reports and notification

OTA software management
► Dealer location and service scheduling
► Policy-driven dependency,
► Driver reports and coaching
rollback and recovery
► Driver monitor, limits and alerts
► Standards-based certification,
authentication and encryption

► Dynamic data collection and 5G and AI

upgradable analytics The enhanced user experience for all connected
Connected ► Customized consumer notifications cars depends on wireless connectivity. Many telecom
vehicle features prompts, and consent industry players are developing 5G to increase the
safety and efficiency of connected cars. According to
International 5G automotive associations, 68% of
accidents can be avoided with the upcoming 5G
technology.
► Connected car programs are ► Leading automakers need to create ► Automakers are increasingly developing
becoming increasingly important for connected car experiences that are electric, hybrid and plug-in hybrid
differentiating brands and vehicles intuitive, personalized and updatable. vehicles to meet consumer demand
from the competition while contributing and comply with current and future
to consumer engagement, satisfaction government fuel efficiency mandates. Continued on next page
and loyalty for the next purchase.
Source: EY knowledge

12 The car is connected now! But are we safe? The car is connected now! But are we safe? 13
 Connected cars are poised to become a common phenomenon
in India in the near future. And their relevance in the next Connected consumer puts pressure
few years is bound to increase with the expected wide-scale
adoption of EVs where connectivity features will help owners
on all stakeholders for the right
locate nearby charging stations and access telematics data
among several other things
strategy
Right business model: stakeholder’s watch

IT infrastructure

Data noise - Customer value

Existing business
information gap and products
portfolios value
Connected cars poised
to become common Strategy medium/
phenomenon in India short term plans
strategy discussions
amongst shareholder’s
are essential to overcome
frictions in the
An increase in vehicle legislation Technologies like telematics, By connectivity technology: Existing processes organization,
and industry compliances regarding connected and autonomous Cellular segment is expected to
convenience features, such as vehicles will play a vital role in dominate the India connected
because there are
navigation, remote diagnostics, etc. transformation car market
are driving the connected a number of key
car market questions and issues
to be addressed
New business

Customer relationship

Source: EY knowledge

Source: EY knowledge

14 The car is connected now! But are we safe? The car is connected now! But are we safe? 15
 ...and what the answer
The question...
should be about

Key questions What telematics services will be

offered (and when)?
Identifying initial target market, with a view on
benefits and costs

for all
Are the telematics services technically Understanding the IT landscape, its strength
feasible in my target market? and weaknesses

stakeholders
Are the services commercially viable? What Building up the business plan also to anticipate issues/
is the end result (top line and bottom line)? concerns end estimate pricing improvement

How are the black boxes / devices installed Keeping a flexible approach ready for
and maintained and who will bear the cost? “device independency”

Who will store and analyze the data Understanding the path to develop access
(i.e., in-house or outsourced)? to adequate technology and skill

What are current consumer attitudes? Identifying “differentiating services” to avoid

What would they expect by telematics? the “commodity pricing trap”

How do I attract new customers without Comparing company’s portfolio and clients
cannibalizing my existing portfolio? with market trends and existing threats

What strategic partnerships would Building a vision behind that of a gadget

add value to my proposition (e.g., that enhance risk selection, to leverage
car dealerships, road side assist service telematics ecosystem
providers, technology partners,
official bodies)?

Source: EY knowledge

16 The car is connected now! But are we safe? The car is connected now! But are we safe? 17
 Connected car ecosystem
Multiplicity of services and stakeholders

On-demand
Navigation Diagnostics Vehicle-to-
infotainment
vehicle

Higher bandwidth ► Point of interest, parking ► Vehicle health ► Traffic information

► Route optimization ► Scheduled maintenance ► Driver warnings

► Radio-music, news: live
news feed ► Traffic/Journey times ► Recall information ► Pre-emptive actions to avoid and
mitigate crashes
What are ► Video: on-demand and real-time ► Travel and traffic assistance/ off-
board route guidance
► Service coupons
► Threat and hazard sensing: 360
content
connected ► Other in-vehicle services enabled ► Location-based services
► Service scheduling
degree awareness of the position
► Electrical vehicle: battery charge of other vehicles
car end- by cloud computing monitoring/ control
services?

Lower Safety and

Others
bandwidth security

Lower bandwidth ► Roadside assistance ► Usage based insurance

► News, stocks and sports ► Emergency notification ► Fleet management

► Apps store ► Theft tracking ► Payment (tolling, parking, etc.)

► Multimedia, internet services, ► Remote control of vehicle ► In-car health services

social networking, etc. environment/ car features
► Embedded financial
► Geo-fencing GPS units

Source: EY knowledge

18 The car is connected now! But are we safe? The car is connected now! But are we safe? 19
 Connected car ecosystem (continued)
Multiplicity of services and stakeholders…

Service Wireless
User Customer
delivery network
interface support/service
architecture (connectivity)

How are
connected ► Telematics service
platform/access portal
Device-to-vehicle Low speed data
services (2G)
Call centers
connectivity
car services ► Security services
Online support
Subscription management
delivered? ► Content creation
► Embedded High speed data services
(4G/5G or LTE)
► Tethered Charging and billing
► Content aggregation
► Integrated
► Application development

► Application delivery
Human-machine interface
► Visual

► Haptic

► Voice

Automotive industry City/State regulators Telematics service Insurance industry

provider
► Vehicle manufacturers ► Insurance providers
Telecom
► Auto component ► Telematics service ► Insurance distributors
► Telecom operators
suppliers platform providers (brokers and aggregators)
Stakeholders ► Repairer networks / Device manufacturers
Others
service centers ► Smartphone
manufacturers ► M2M service providers
Information technology ► BPO
► Portable navigation and
► Packaged software vendors infotainment device ► Roadside assistance
► IT services companies manufacturers providers

Source: EY knowledge

20 The car is connected now! But are we safe? The car is connected now! But are we safe? 21
 We see connected vehicles as a
part of the overall mobility solutions
landscape
Mobility solutions considerations: who, what, why, where and how…

The audience considerations

Who of mobility
and why “Who is the mobility service designed for and
why is it important to them?”

Private Commercial Public

(Business to consumer) (Business to business) (Business to government)
► Corporate car sharing mobile ► Bus rapid transit solutions
Urban ► Ride sharing

► Car sharing ► Corporate BRT: mobile ► New traffic management tools What
► Brand sharing
working space
► Dynamic space pricing the programmatic
► Predictive/optimized
► Integrated logistics
aspects or topics
Where maintenance and repair
within mobility
The geographic
considerations ► Fleet cost optimization ► Integration of renewable energy
Regional ► Share-a-car
► Mixed fleet management
(with energy needs of the
► Autonomous driving ecosystem)
► Intermodal solutions “What needs to be
► Tolls system
“Where are people ► Hybrid engines considered and/or addressed
► Hybrid engines
and things moving ► Intermodal solutions in implementing a
mobility strategy?”
to and from?”
Global ► “World citizens”: people living in
the various areas of the world at
► Material/product logistics ► Connecting journey endpoints
across major metropolitan areas
► Human capital/people mobility
the same time (e.g., cab, train, plane, etc.)
► Corporate dwellers

► What do business and fleet ► What are governments looking

► What do consumers value and
How what are they willing to pay for?
customers value and what are
they willing to pay for?
to accomplish?

► What is our city-focused

Some key ► How do we prioritize the various ► How do we monetize go-to-market approach?
questions for mobility concepts to implement? opportunities for emission
► How can we access new private/
OEMs to ► How do we monetize our reduction targets?
public business models to help
consider investments in mobility (and ► How integrated is our overall finance new mobility concepts?
telematics)? strategy for corporate clients?
Source: EY knowledge

22 The car is connected now! But are we safe? The car is connected now! But are we safe? 23
 India connected car
market
Emerging profit pool for the Indian automotive industry
► The Indian connected car market is estimated to be US$9.8 billion in 2019 and is projected to reach US$32.5 billion by
2025, at a CAGR of 22.2%.

► The key factor driving the growth of the market is the increase in the number of connected features in economy vehicles
by OEMs. Additionally, an increase in vehicle legislation and industry compliances regarding convenience features, such
as navigation, remote diagnostics and multimedia streaming through various platforms such as Android Auto, CarPlay
and MirrorLink are driving the Indian connected car market.

► New safety norms are encouraging automakers to equip the vehicles with safety and security connected features, which
in turn is increasing the demand for connected cars.

► Various technologies such as heads-up displays, smart infotainment and telematics systems are becoming an integral
part of high-end automobiles.

Connected cars: market dynamics

► Economy car manufacturers attempting to provide luxury features

Drivers ► Government initiatives for implementing connected car technology

► Lack of supporting infrastructure

Restraints ► Unavailability of standard platforms

► Emerging profit pool for automotive industry

Opportunities ► Evolution of the new value chain ecosystem of the automotive industry

► Increase in the threat of data breach and cyber security for

connected vehicles
Challenges
► Increase in the price of the vehicle with connected services

24 The car is connected now! But are we safe? The car is connected now! But are we safe? 25
 Section 02 What’s in it for all the
stakeholders:
OEMs, suppliers, insurance
companies, service providers
26 The car is connected now! But are we safe? The car is connected now! But are we safe? 27
 OEMs challenge Technical challenges
“How will my connected vehicle solutions work?”
and opportunity Technical challenges Commercial challenges
Technology, commercial “How will my connected vehicle
solutions work?”
“Where will we make money?”

and operations: are these

the big questions?

Adopt software
iteration cycles Define the buyer
Standardize
Enable the seller
technology platforms
Optimize pricing
Select partners

“
Integrate
across
vendors
Connected car mobility is
the 21st century’s biggest
opportunity. OEM challenge
will be to find new business Deploy and operate
robust solution
model for the connected
Build service
services and revenue stream infrastructure

will the proof ” Integrate

across vendors

Som Kapoor
Partner, Future of Mobility
Som works with automotive
OEMs across the country
Operational challenges
“What’s required to deliver on
our promise?”

28 The car is connected now! But are we safe? The car is connected now! But are we safe? 29
 Connected vehicles: opportunities Success in connected vehicles
and challenges for vehicle requires focus and diligence in
manufacturers strategy and execution
Internet-enabled, telematics Connected vehicle strategy: Define - Develop - Monitor

From
► Managed as feature/
functionality item
To
► Key element of customer
engagement
1 The first step is to define the fields of play – the focus areas, or points of
concern, relative to your overall mobility and telematics program(s)

Assess Strategy Ensuring the alignment of telematics and mobility with overall
► Owned by product ► Application across ownership alignment corporate strategy across different BUs
development/engineering lifecycle /Define
► VM branded ► Services-driven value proposition Risk Creating an integrated and dynamic control environment for the connected
management vehicle strategy that balances value, cost and risk
► Unclear value proposition Many definitions ► Multi-vendor,

► Optional item bundled in exist – we propose multi-brand solutions Customer

definition
Defining the key stakeholder and customer groups
a package ► Standard item and determining key solution requirements and pricing

► Tight smartphone integration

Mobility – moving people and Integration and Effectively integrating and monitoring mobility and telematics
things from point A to point B monitoring program efforts and results across BUs

2
Connected vehicles –
After identifying one or more focus areas, the next step is to design and
internet-enabled, mobile
develop an integrated and holistic connected vehicle strategy
equipment
Challenges Opportunities Design/
Connected vehicle strategy
Telematics –
► Defining value and hardware and ► Differentiate through the
Develop
willingness to pay for dealers software to connected vehicle experience
and customers Technical
connect vehicles ► Build direct relationships with
► KISS: keep it simple customers
for users
► Use data to improve quality/
► Organizing for success reduce warranty expense

3
► Operating a services business ► Increase share of post warranty,
customer pay parts and
► Managing partnerships
services spend
CVS
vs. vendors challenges
► Owning and using data and issues
Implement/
Monitor

Commercial Operational

30 The car is connected now! But are we safe? The car is connected now! But are we safe? 31
 New revenue streams for all The connected car opportunity: who will provide the
infrastructure and who will give the content?
stakeholders

► Standard onboard function

Unpaid basic packages Paid add-on packages ► Store subscriptions allow unlimited song
Vehicle information package OEM music store downloads on-board the vehicle which can
► Determines vehicle chassis details, engine number,
be played offline
date of manufacturing and all legal attachments

► Locates the nearest OEM dealerships ► Gives entire summary of engine usage and
and workshops performance to the user
Convenience package Engine diagnostic system
► Records and shares the user feedback regarding ► Monitors idling, average speed, clutch usage,
the dealer with the OEM brake usage, acceleration, gear selection, etc.
and presents in a report format to the user

► Customizes cabin light colours, instrument

cluster lights and button light colours as per
► Onboard engine safety package the desired ambience
► Warnings include gear shift indication,
Warning package Advanced safety and
rev recognition to avoid engine over revving ► Includes vehicle tracking, emergency calling,
security package
location sharing and urgent member calling

► On-board engine safety package ► Service track records maintained by vehicle,

notifying the user one week prior to the
► Warnings include gear shift indication,
Company app downloads Service information package service due date Vehicle books a service
rev recognition to avoid engine over revving
appointment with the concerned dealer by itself

► Sensors installed by default in the vehicle

► End-to-end encrypted messaging system ► Activation of this package allows user to
allowing users to chat with friends using the monitor tyre pressure
OEM chat connect Language package
chat connect app of the same OEM and also
through the vehicles command system. ► Provides choice of setting the desired
infotainment language for users unfamiliar
with the generally accepted Hindi and English

32 The car is connected now! But are we safe? The car is connected now! But are we safe? 33
 Case study on EVs: how can being Case study: shared mobility
connected help reduce range anxiety? connected dashcam
Information at the user’s fingertips about charging (Case study 2)
infrastructure and timely alerts
Current and future Future scenario
Nearest charging station and availability for type of charger scenario: connected with connected dashcam
1
dashcam
(Case study 1) In case of a car collision

North West
2 2
Rapid charger 1

No solution to notify the accident During the impact, connected

Fast charger 2
dashcam will send alert
push notification
Slow charger 5

3 3
South

Rapid charger 4
Insurance company, police, etc. Connected dashcam, push alert
have to rely on the eye witlessness notifications, geo coordinates and
Fast charger 6 for the sequence of events event video to insurance company,
emergency services and family
of the driver
Slow charger 8
Benefits
► Reduction in insurance
To alleviate range anxiety, the electric vehicle battery will need to be safer, cheaper,
premium
have faster charging and feature a high energy density for greater range.
► In case not the driver’s 3
fault, no premium increase
Peak and off Estimated ► Fleet can reward Connected dashcam, push alert
drivers based on the notifications, geo coordinates and
peak pricing waiting time
event video to insurance company,
(surge pricing) driving performance emergency services and family
of the driver

34 The car is connected now! But are we safe? The car is connected now! But are we safe? 35
 Telematics in claims provide real Core offering of telematics
customer protection and drive down insurance and connected dashcam
insurance losses Managing customer needs through core offerings

1
Telematics as survivor!
Core UBI offering
(Case study 3) ► Design usage-based insurance suited for the business individual insurers business and operation
model including product design, IT capacity, analytical function, claim management and capital

► As the product is still in its early stage of acceptance, lead the UBIs to understand the target market
and test different product offerings
Real time data transmission
► Location

2
► Motion
► Speed Risk selection: driving behavior modifier
► Vin number ► Continuous improvement in risk selection by
► Reduction of claims cost
capturing and analyzing increasingly accurate
► Acceleration information about individual driving behavior
► Force of impact ► Actively manage claim costs through real feedback
► Other external environment on driving behavior and instant notification
such weather, traffic and road of loss events
conditions

3
Extra information via telematics devices will help manage insurance losses by enabling claims operators to
determine the exact circumstance of the claim including nature, type and extent of the damage to the vehicle Product innovation: leverage through value add services, which are
as well as the early indication of likely bodily injury highly desired by the customer
► Reduction in underwriting and claim fraud
► Reduces the first notice of loss process ► Provide value-add vehicle services, such as ► Increased revenue and
emergency services, breakdown services, theft profitability from non -
► With two-way communication can help identify individuals involved in the accident
notifications and early vehicle diagnostic services insurance product
► Improves the accuracy of case estimation damages reducing the uncertainty in property damage and small injury claims
► Additional opportunities exist around integration ► Increased retention for core
Telematics enables a superior seamless claims process for a more holistic protection cover for customers platforms, content provision and providing access to insurance product
infotainment and navigation/traffic services
► Theft ► Provide vehicle recovery information to customer/police
► Portal functions for new embedded applications, Increasing the product offering
► Theft alarm is activated ► Avoiding total losses
such as tracking of stolen vehicles, parental control, with additional services better
► Theft notification to customer infotainment systems and viewer of journeys matches the customer’s needs
► Requires support for single point, which is (emotional and logical) with
Accident Breakdown
responsible for charging and billing for various the motor insurance product
► Instant crash / emergency notification ► Instant notification and location of the vehicle (traditionally, a begrudged
services; this is a main reason for the increasing
► Send relevant emergency services to ► Direct the nearest recovery team directly to involvement of insurers in the value chain purchase)
the confirmed location the vehicle
► For insurers looking to become more deeply
► Check customer record and contact family involved in the value chain, strategic alliances in the
► Remain in contract with the customer development of vehicle independent services is
an option
► Confirm arrival of emergency service
► Saving lives

36 The car is connected now! But are we safe? The car is connected now! But are we safe? 37
 Section 03 Architecture of
connected cars and
the associated risks

38 The car is connected now! But are we safe? The car is connected now! But are we safe? 39
 Architecture of a connected car
Overall architecture and implementation view

Network communication Long-range wireless

Intra-vehicle network LTE/GPS Cloud services

Accessibility categories RFID Broadcast services

Application V2I
Short-range wireless
OEM ECU
Operating system V2X Bluetooth Consumer smart devices

Network V2V Wireless network Vehicle

Keyfob

Firmware Physical

Physical connection
USB Consumer media devices
Controller area network (CAN):
ODB-II Programming/ diagnostic device

V2I : Vehicle-to-infrastructure
Sensors: throttle position sensor, manifold absolute V2X : Vehicle-to-anything
pressure sensor, engine coolant temperature sensor, V2V : Vehicle-to-vehicle
oxygen sensor, humidity sensors, etc. RFID : Radio Frequency Identification

40 The car is connected now! But are we safe? The car is connected now! But are we safe? 41
 The connected ecosystem of Race of cybersecurity: protecting connected cars
Cybersecurity and privacy strategy core considerations -
tomorrow’s mobility needs to be Top-down and bottom-up approach

robust and looking at dimension of Business and

IT strategy Compliance

privacy and safety

product strategy

Risk Mobility and Emerging

appetite Industry trends technologies

Inform
Cybersecurity has risen in importance
as the automotive industry undergoes

Assessment
a transformation driven by new person-

results
al-mobility concepts autonomous driving,
vehicle electrification, and car connectivity.
Connected vehicle: vehicle chain strategy
The connected vehicle system will require
a common technical framework for the
deployment to address security implications
and privacy of driver and passengers, as
connected environment.
High-impact Strategic vision
The emerging V2X landscape (V2V, V2I) enhancements
calls for an approach, which takes care
of drivers business use cases and as
well as regulatory requirement s and in
achievement the players have to ensure,

modeling
Threat
consumers interest of privacy at uttermost
while maintaining necessary hygiene of
cyber security.

R Sundar Enables
Partner, Risk
[email protected]

Secure vehicle Security vehicle

Secure vehicle production
design and ecosystem post-production

42 The car is connected now! But are we safe? The car is connected now! But are we safe? 43
 Threats and challenges to
connected vehicles
Long-range wireless
Intra-vehicle network Cloud services Breach at OEM data centres
aimed at stealing customer’s
Accessibility categories Broadcast services personal files, disabling
vehicle’s operation or

Network communication
Application V2I spreading malicious activities.

Short-range wireless
OEM ECU
Operating system V2X Consumer smart devices Unauthorized access
to vehicle internal network
Vehicle and infotainment system
in order to steal private
Network V2V Keyfob
and corporate data, track
individual vehicles or entire
fleets and hijack non-safety
and safety-critical function.
Firmware Physical

Physical connection
Consumer media devices Physical access and
Controller area network (CAN): tampering of OBD device
Programming/ diagnostic device leading to compromise of
critical functions.

Sensors: throttle position sensor, manifold absolute

pressure sensor, engine coolant temperature sensor, oxygen sensor, V2I : Vehicle-to-infrastructure
humidity sensors, etc. V2X : Vehicle-to-anything
V2V : Vehicle-to-vehicle
RFID : Radio Frequency Identification

44 The car is connected now! But are we safe? The car is connected now! But are we safe? 45
 Assessment of security testing in How big is the problem?
connected car India ranked #1 in total number of cyber crime complaints
received in 2018
Security oriented implementation of architecture and functions
for connected cars 2

Common automotive processes EY framework for

vehicle threat analysis 3 1
► Celluar data/voice 5
Supplier and
► Broadcast services (FM RDS)
partner
processes ► DSRC

Remote threat channels

► VANET

After sales
Security
processes
V2I
>200 ft
4
engineering
and tools V2V

V2X 50-200 ft Top five countries by the total number of cyber crime complaints receive
> 0 ft
Physical S.no. Country Complaint % Total number of complaints received Cyber crime - major
1 India 33.07% 4,556 statistics - 2018
► Mobile phone
US$2.71 billion victim
Product 2 United Kingdom 28.8% 3,970
► Remote unlock losses in 2018
architecture and
development 3 Canada 20.90% 2,880 Over 900 complaints
► OBD-II
4 Australia 8.90% 1,227 received per day on
► USB an average
5 Georgia 8.33% 1,144
► CANBUS

ECU device breakdown

ECU Subcomponent

Age Complaint % Total Loss (US$m)

► Identification of assets ► Security use cases
Application: Applink, CarPlay, etc.
grouping

to be protected Under 20 9,129 12.5

► Validation of security
► Attack risk analysis assumptions Operating system: QNX, Linux,
20-29 40,924 134.48
Window embedded
► Security goals ► Test of security
30-39 46,342 305.6
mechanisms and Firmware: Custom fireware
► Security architecture
penetration tests 40-49 50,545 405.6
► Tech. security concept
► Test of security 50-59 48,642 494.9
► Implementation of security mechanisms and
Intra-car
network

mechanisms penetration tests Over 60 62,085

► Security analysis

Source: 2018 Internet Crime Report, FBI I3C

46 The car is connected now! But are we safe? The car is connected now! But are we safe? 47
 Section 04
Attack scenarios

48 The car is connected now! But are we safe? The car is connected now! But are we safe? 49
 Quick snapshot:
cybersecurity
market for cars
► The cybersecurity market for cars was valued at US$186.63 million in 2019 and is expected to reach a value
of US$2460.9 million by 2025, registering a CAGR of 52.15%.

► The cybersecurity market for cars is being primarily driven by the increasing connectivity of vehicles, increasing
adoption of telematics services in automobiles and increasing integration of advanced features.

► The automotive industry across the globe is undergoing a wave of innovation and advancements, with the emergence
of ground-breaking technologies, such as the Internet of Things (IoT), enhanced GPS, location and maintenance live
recording, reminders, driving assistance and Wi-Fi services, the demand for connected cars has been rapidly increasing,
driving the market forward.

► As all the connected vehicles are fully dependent on the connected software for all aspects of their operation, hence,
they are vulnerable to a wide range of cybersecurity attacks, which increases the need for a cybersecurity solution,
which is driving the market forward.

► With automobiles equipped with in-vehicle infotainment systems and improved wireless-network systems, have boosted
the sales of the connected cars in this region, thereby, driving the overall Asia-Pacific cybersecurity market for cars.

50 The car is connected now! But are we safe? The car is connected now! But are we safe? 51
 EY cyberattack scenarios Attack vectors: in-vehicle
Attacker levels and test scenarios
Attackers posses varying levels of skill which we group into four levels as shown in the table below. Against each of the four
infotainment (IVI)
levels EY has devised a set of test scenarios that we would recommend performing to provide confidence that the component
is able to withstand the associated level of attack and associated attack vectors. A process of threat assessment is used to
identify the likely attacker, the attack vectors used, their motivations and typical attack targets.

Scenario 1

In-vehicle infotainment
1 2
Using the Remote attacker Malicious song file Passenger’s phone
EY Assessment EY vehicle
Automotive
penetration
Security
Tech reviews testing
Framework
approach 1 2

3 4
1 The remote attacker sends a The file is sent to a phone which
Attacker level Capability Example attack vectors malicious code masked as an has access to the car or is already
entertainment file. connected to the IVI system.
Beginner ► Has a basic security ► Tries out known attack vectors against the
(script kiddie) understanding WiFi of the headunit, e.g., breaks the WEP 3
and brute forces easy WPA keys
► Is able to use public exploits
or reproduce trivial security ► Port-scans the head unit and looks for
findings commonly known vulnerabilities

► Tries to get firmware images of ECUs online

and looks through them directly for strings Connected car device IVI system
with credentials Connected via
USB cable
► Reads car-hacking papers to reproduce
findings of the past or is able to reproduce
4
back-doors which are known on internet forums

2
Professional ► Profound security understanding ► Opens embedded devices and tries to read Exploited
Unknowingly the phone owner opens
(experienced attacker) and experience the memory chips The attacker now has gained access the file while the phone is connected
to the device and can control its work- to the IVI system and the malicious
► Able to adapt existing exploits ► Uses open debug ports to attach debuggers
ing and can use its feature to cause code starts running.
► Has some basic hardware-level ► Reverse engineers K-matrixes different types of attacks.
exploitation experience
► Identifies simple buffer overflows in firmware
which can be accessed via debug interfaces

► Is able to discover multi-hop attack vectors

from the car to the IT infrastructure

► Is able to attack RF communication with known

flaws in WiFi, GSM and Bluetooth, and well
understood busses, e.g., CAN and LIN

52 The car is connected now! But are we safe? The car is connected now! But are we safe? 53
 Attack vectors: Wi-Fi hotspot Attack vectors: 4G SIM

Scenario 2 Scenario 3
Wi-Fi hotspot 4G SIM

Anyone in the car with a mobile device

can now connect to the hotspot created Remote attacker 4G SIM Device
by the device’s Wi-Fi.

Remote attacker Wi-fi Passenger’s phone

2 3

1 2
A remote attacker can try to remotely The 4G SIM stores the video The 4G SIM is introduced in the
hack the SIM by getting the encrypt- recordings and the conversation device to enable data transfer to
ed key (which can be obtained in a that took place in the car. It also gives cloud storage and to create
The device offers the feature of The passenger’s phone is vulnerable number of ways). a hotspot option to the passengers connectivity within the car.
Wi-Fi hotspot which creates a to attacks and their privacy is of the car.
4G/LTE enabled secure Wi-Fi hotspot also at risk.
that can be used for internet by
car passengers.

► An attacker can hijack the

browsing session and snoop on
the websites visited over an LTE
connection using an attack
called aLTEr.

► Attacker using this exploit in the

LTE service can gain access to
the mobile device and can use it
to spy, spam, track and spoof. Vehicle
The device is mounted in the car
and having control of the device
gives the attacker the control of the
car and they can invade the privacy
of the owner.

54 The car is connected now! But are we safe? The car is connected now! But are we safe? 55
 Attack vectors: mobile application Attack vectors: inside threat
(servicing)
Scenario 4 Scenario 5
Mobile application Inside threat

Remote attacker Mobile application Owner’s mobile Car whilst servicing Device Access to device-mounted car

1 2 2 3

A remote attacker can hack the The mobile application can be used ► A service personal can tamper By getting access to the device,
application of the device and get by people other than the owner. with the device while the car has the attacker can now has an entrance
access to the device as well as the The application itself may have gone for repair or servicing or into the privacy of the owner
mobile phone. inherent vulnerabilities which leaves some other work. and the fellow passengers.
it susceptible to multiple types They also control various aspects
► They can gain access to the
of attacks, thus rendering the and features of the car too.
device and hence the car, by
device vulnerable. physically tampering with
the device, the SIM and other
3 hardware. It can also gain
pathway to the software of
the system.

4
Connected
car device
1

Car with device

Unknowingly the phone owner opens
The device can have a mobile the file while the phone is connected
application which the owner can use to the IVI system and the malicious
to monitor the device, the car and code starts running.
get real time alerts.

Physical attack

56 The car is connected now! But are we safe? The car is connected now! But are we safe? 57
 Attack vectors: insider threat Attack vectors: insider threat
(OBD port)
Scenario 6 Scenario 7

Face recognition software Device Car Debug port Device Vehicle

2 3 3 4

Face recognition software The attacker can fool the software Once the software mistakenly gives Debug contains two CAN bus An attacker can gain access to the Gaining access to the device thus
identifies the driver from the list by using disguise or by sending a access to the attacker, they have ports which allows microcontrollers device by plugging in a malicious gives the attacker access to the car.
of familiar drivers added to the counter code to the device to access the control of the car. and devices to communicate code via the debug port.
account and then only give the facial recognition software. with each other.
him/her access to the car.

1 4
2

Computer needed to
connect to debug port

Physical attack Malicious attacker

58 The car is connected now! But are we safe? The car is connected now! But are we safe? 59
 In conclusion…

► The rapid increasing connectivity,

the increasing number of electronic
control units and lines of code have
increased the complexity of products,
thus, the concerns for security
solutions are on the rise.

► The advancement of AI technology

can seriously address cyber related
issues and help companies in providing
solutions.

► Developments in automobiles, such

as the emergence of connected cars
(internet-enabled) and predictive
maintenance (using telematics), are
expanding the cyberthreat surface.
Also, mobility as a service (rise of
shared cabs) is collecting data about
drivers, passengers, destinations and
routes, thereby leading to increased
concerns on privacy.

► Underlying opportunities for AI in

cybersecurity market include growing
need for cloud-based security solutions
among SMEs and increased use of
social media for business functions.

Jaspreet Singh
Partner, Cyber Security
[email protected]

60 The car is connected now! But are we safe? The car is connected now! But are we safe? 61
 Section 05
How can EY help?

62 The car is connected now! But are we safe? The car is connected now! But are we safe? 63
 Connected car: how we see it! To secure the connected car,
EY capabilities
cybersecurity needs to be embedded
Connected car strategy formulation Implementation support Monetization strategy across the entire ecosystem
Big data analytics Predictive maintenance and Digital risk and
asset planning cybersecurity Our strategic partnering value
► We use knowledge to build and deploy meaningful ► EY is known and respected for the depth and breadth of our
Automotive companies can reap sustained benefits by effectively implementing a solutions consistent with client’s objectives and cybersecurity practice.
connected car strategy expectations of EY.
► We are the market leaders in building, operating, and
OEMs Third party / others Customer ► Our approach is technology and partner agnostic, sustaining cyber security.
we leverage the best tools and team with the
► Our approach is founded in a firm repeatable process that
► Remote diagnostic and ► Telematics for fleet management ► Advanced assisted driving industry experts to deliver a complete end-to-end
is capable of flexing with the unique needs of connected
prognostic services capabilities service.
► Content creation and vehicle.
► Improve after sales and management services ► On demand infotainment ► The depth and breadth of our firm allows us to tap
support service into globally renowned subject matter resources
► Opportunities for telecom ► Augmented navigation
and industry leading methodologies.
► Leverage connected car offering companies in machine-to-
as unique differentiator and machine communication
improve customer loyalty in vehicle A robust connected vehicle cyber security strategy

► OEMs can offer significant value ► Companies can use driving usage ► Customers can be provided Strategic influences
to its customers by combining and car performance data to: with customized web portals,
various elements from online where they can view diagnostic Business and product strategy
► Optimize inventory for
applications, driver assistance, reports, download directions
spares
call center services and solutions to the vehicle or even unlock IT strategy Practical influences Desired outcomes
for the integration of mobile ► Feedback into new product the car’s doors
devices development Compliance Assessment Connected Safe vehicles
► The connected car lives in the
vehicle cyber
► Services provided by the ► Sending maintenance alert network and is open to cyber
Risk appetite Technical reviews security strategy Safe customers
company can include to customers and dealership threats; companies need to have
vehicle management, travel the balance between trust and
► Over-the-air tuning of
and navigation, parking, risk – not just risk level, but trust Mobility and industry trends
the vehicle
entertainment, information, level – how much assurance do
emergency call, vision and they have Emerging technologies
drive assistance
► Advanced assisted driving
capabilities can be provided by EY’s vehicle ecosystems: cyber security and privacy framework
leveraging sensors, analytics,
NLP, RPA and cloud computing

Car with various sensors

64 The car is connected now! But are we safe? The car is connected now! But are we safe? 65
 Connected car: how we see it!

Organization structure, roles and Risk identification, risk domains, risk Operational policies and standards
responsibilities, training and profiles, risk and controls library and that assist in achieving vehicle risk
awareness and personnel to support ratings criteria that define vehicle risk management objectives and effective
and execute the vehicle risk and for the affected populations management of IT risk
governance strategy

Face recognition Connected vehicle risk management governance and strategy Connected vehicle risk management governance and strategy Alignment with the
software identifies regulatory require-
the driver from the ments for maintaining
Organization (people, Risk identification
list of familiar drivers Policies and standards a secure vehicle
program, function) and profiling
added to the account ecosystem
and then only give
them access to Security and privacy process, risk and control framework Security and privacy process, risk and control framework
the car Design
methodologies and
Organization(people, program, function)

procedures to enable
Framework incorporating

New and emerging requirements

National and regional variation

secure vehicles
a vehicle security, risk

Regulatory requirements
Customer expectations

and control framework, Secure vehicle design Secure vehicle production Security vehicle operations Processes, proce-
including regulatory,
Supplier trust Secure development Risk management dures and methods
Innovation

leading practices and

Standard vehicle architecture Secure integration Security monitoring for operating the
internal requirements
Secure development Secure protocols and standards Change management vehicle security
Privacy consultation expectations OEM security requirements, Incident management framework
and requirements testingand validation Privacy, communication and
Business objectives Privacy process and control preference management Tools to facilitate
and board directives development vehicle risk
that drive program management
requirements governance and
strategy operational
processes and
Vehicle risk dashboard:
reporting framework
ongoing monitoring
and reporting on
Tools and technology Tools and technology
program effectiveness
and risk posture
Compliance monitoring and reporting Compliance monitoring and reporting

EY’s vehicle ecosystems: cyber security and privacy framework

66 The car is connected now! But are we safe? The car is connected now! But are we safe? 67
 For more information
please contact us.
Our team will happy Business Vinay Raghunath
Partner
Som Kapoor
Partner

to serve you.
[email protected] [email protected]

consulting Pallav Chatterjee Pratik Shah

Director Director
[email protected] [email protected]

Burgess S Cooper Jaspreet Singh

Technology Partner
[email protected]
Partner
[email protected]

consulting Akshay Tiku

Director
Sumit Malhotra
Senior Manager
[email protected] [email protected]

Key
Nitin Sethi Amit Punjani
Associate Director Associate Director
[email protected] [email protected]

Contributors Kanika Sharma

Consultant
[email protected]

68 The car is connected now! But are we safe? The car is connected now! But are we safe? 69
 Our office
Ahmedabad Delhi NCR Kolkata
22nd Floor, B Wing, Privilon, Golf View Corporate Tower B 22 Camac Street
Ambli BRT Road, Behind Iskcon Sector 42, Sector Road 3rd Floor, Block ‘C’
Temple, Off SG Highway, Gurgaon - 122 002 Kolkata - 700 016
Ahmedabad - 380 015 Tel: + 91 124 443 4000 Tel: + 91 33 6615 3400
Tel: + 91 79 6608 3800
3rd & 6th Floor, Worldmark-1 Mumbai
Bengaluru IGI Airport Hospitality District 14th Floor, The Ruby
6th, 12th & 13th floor Aerocity, New Delhi - 110 037 29 Senapati Bapat Marg
“UB City”, Canberra Block Tel: + 91 11 4731 8000 Dadar (W), Mumbai - 400 028
No.24 Vittal Mallya Road Tel: + 91 22 6192 0000
Bengaluru - 560 001 4th & 5th Floor, Plot No 2B
Tel: + 91 80 6727 5000 Tower 2, Sector 126 5th Floor, Block B-2
Noida - 201 304 Nirlon Knowledge Park
Ground Floor, ‘A’ wing Gautam Budh Nagar, U.P. Off. Western Express Highway
Divyasree Chambers Tel: + 91 120 671 7000 Goregaon (E)
# 11, O’Shaughnessy Road Mumbai - 400 063
Langford Gardens Hyderabad Tel: + 91 22 6192 0000
Bengaluru - 560 025 THE SKYVIEW 10
Tel: + 91 80 6727 5000 18th Floor, “Zone A” Pune
Survey No 83/1, Raidurgam C-401, 4th floor
Chandigarh Hyderabad - 500032 Panchshil Tech Park
Elante offices, Unit No. B-613 & 614 Tel: + 91 40 6736 2000 Yerwada
6th Floor, Plot No- 178-178A, (Near Don Bosco School)
Industrial & Business Park, Phase-I, Jamshedpur Pune - 411 006
Chandigarh - 160002 1st Floor, Shantiniketan Building Tel: + 91 20 4912 6000
Tel +91 172 6717800 Holding No. 1, SB Shop Area
Bistupur, Jamshedpur – 831 001
Chennai Tel: + 91 657 663 1000
Tidel Park, 6th & 7th Floor
A Block, No.4, Rajiv Gandhi Salai Kochi
Taramani, Chennai - 600 113 9th Floor, ABAD Nucleus
Tel: + 91 44 6654 8100 NH-49, Maradu PO
Kochi - 682 304
Tel: + 91 484 433 4000

70 The car is connected now! But are we safe? The car is connected now! But are we safe? 71
 Notes

72 The car is connected now! But are we safe? The car is connected now! But are we safe? 73
 Notes

74 The car is connected now! But are we safe? The car is connected now! But are we safe? 75
Ernst & Young LLP
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction
and advisory services. The insights and quality
services we deliver help build trust and confidence
in the capital markets and in economies the world
over. We develop outstanding leaders who team to
deliver on our promises to all of our stakeholders. In
so doing, we play a critical role in building a better
working world for our people, for our clients and for
our communities.

EY refers to the global organization, and may refer to

one or more, of the member firms of Ernst & Young
Global Limited, each of which is a separate legal
entity. Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services to
clients. For more information about our organization,
please visit ey.com.
Ernst & Young LLP is one of the Indian client serving member firms of
EYGM Limited. For more information about our organization, please visit
www.ey.com/en_in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the
Limited Liability Partnership Act, 2008 in India, having its registered office
at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2020 Ernst & Young LLP. Published in India.

All Rights Reserved.

EYIN2005-007
ED None

This publication contains information in summary form and is therefore

intended for general guidance only. It is not intended to be a substitute
for detailed research or the exercise of professional judgment. Neither
Ernst & Young LLP nor any other member of the global Ernst & Young
organization can accept any responsibility for loss occasioned to any
person acting or refraining from action as a result of any material in this
publication. On any specific matter, reference should be made to the
appropriate advisor.

MK

ey.com/en_in
@EY_India EY EY India EY Careers India @ey_indiacareers

76 The car is connected now! But are we safe?