The automotive industry has long been the target of numerous cyberthreats across its software supply chain. Some of these include specific car hacking exploits that have been demonstrated by security researchers which have motivated massive vehicle recalls such as the car hacking work which necessitated the 2015 recall of 1.4M FiatChrysler cars.
Studying this rich history is important for computer professionals in other industries for several reasons. First, the methods of compromise aren’t necessarily car-centric and have general cybersecurity implications. These cyberthreats are relevant for a wide variety of circumstances, regardless of whether you work for other manufacturing-based businesses or a bank or a hospital. The threat of compromised software supply chain security sadly is now far and wide. Second, cars have become complex digital environments. The average vehicle being made today has dozens of electronic control units. This means a car could be running 100 million lines of code, according to this source. This is twice the amount of code that makes up Windows itself, and more than is used in Apple’s MacOS. Electronics wiring alone is estimated to add 45-65 pounds to each vehicle.
Car hacking is therefore a target of opportunity, and more importantly, car-based cyberthreats can be easily understood even by non-technical managers who might be reluctant to invest in better endpoint security. Finally, the automotive breaches are also good illustrations of common devops security and network security failures, such as unprotected cloud data assets, inadequate API data security and poor password hygiene that can be found across numerous Internet of Things (IoT) situations.
Let’s look at some of the more notable recent car-related developments. Earlier this year, security researcher Sam Curry posted a series of car hacking exploits that could have implications for more than a 1M vehicles from 16 different major brands. He was able to fully remotely lock and unlock and start and stop various engines as well as enable remote management of other car functions. These hacks included SSO account takeovers, remote code execution, privilege escalation – all common exploits for IT operations.
In terms of careless data handling, a software supplier of Nissan was breached in an incident that occurred in June 2022. An unsecured cloud database was exposed, and a hacker collected almost 18,000 customer names, including birth dates and other private data. This was the second time the company’s data was exposed, with another incident happening in January 2021 that leaked 20 GB of data from an unprotected Git server. The issue is that supply chain security must be applied across a myriad of software suppliers and interconnected applications, all of which have their own potential API data security vulnerabilities.
Curry’s cyberthreats may be the most recent, and have widest impact, but there have been antecedents of both car hacking and careless data handling prior to his efforts. In terms of the former, back in 2019, hackers gained access to thousands of vehicles that were running two different GPS tracking apps and were able to remotely turn off running engines. It helped matters immensely that the tracking apps had easily guessed default passwords that weren’t ever changed by their owners. And even further in the past, cyber-security researchers Chris Valasek and Charlie Miller turned to car hacking and were able to compromise a single vehicle via an API vulnerability in the infotainment system in 2015.
But wait, there is more: The automotive industry has also been the target of numerous ransomware events, including:
- At the end of 2022, Volvo was subject to a ransomware attack and the data sold on the dark web. The Endurance malware group behind this attack also claimed responsibility for an earlier attack on Autotrader.com, although the company claims this data was already in the public domain and contained outdated information.
- In March of 2022, Snap-On, a major transportation tool maker, also was attacked by Conti. The same month, Denso, the world’s largest automotive component manufacturer, was attacked by the Pandora malware group with data leaked to the darkweb and Toyota had to shut down 14 of its plants after a separate supply chain ransomware attack.
- In July 2021 Volkswagen and Audi suffered a ransomware attack attributed to the Conti malware group, with emails, vehicle ID numbers and physical addresses of customers.
- And a June 2020 ransomware attack that temporarily suspended production on some of Hondo’s manufacturing plants across the globe.
Here are some suggestions to improve automotive software supply chain security and move towards better devops security practice. And some things to think about, even if you aren’t in this particular market segment.
- Secure your various manufacturing processes, including improvements in network segmentation and monitoring network traffic to detect malware intrusions and compromised accounts and improvements in overall network security.
- Secure connected cars, including better threat detection and network segmentation across in-car systems. As cars make use of the internet for communications, reporting traffic and driving conditions and delivering streaming services, these connections bring greater risk of cyberthreats.
- Software supply chain security, especially with telematics and other in-car software controls. This includes better API security and devops security, including protecting application secret keys, better encryption of communication channels (such as employing SSL and TLS between applications) and not using default passwords that are easily guessed. As we have cited above, thanks to unprotected software supply chains, a single piece of software could eventually harm the entire vehicle, or expose private data.
This article on how to steal a car by bypassing using its physical entry key is scary.