Feb 12 2024

Integrating cybersecurity into vehicle design and manufacturing

Category: cyber security, Security Architecture | disc7 @ 10:12 am

In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles.

Edan highlights the challenges of technological advancements and outlines strategies for automakers to address cyber threats effectively. Additionally, he emphasizes the importance of consumer awareness in ensuring vehicle security.

Can you describe the state of cybersecurity in the automotive industry, especially in the context of electric and connected vehicles?

The automotive industry is experiencing a digital breakthrough transforming how vehicles are designed, manufactured, and used, primarily driven by the introduction and popularity of electric and autonomous vehicles. Technological advancements have been introduced and integrated throughout the vehicle life cycle. This brings numerous benefits like enhanced safety and improved efficiency to the cars we drive daily, but it also brings new and pressing cybersecurity challenges.

Now that our vehicles are becoming increasingly connected to the internet and can go through Over-the-Air (OTA) updates, use remote management, contain Advanced Driver Assistance Systems (ADAS), and employ AI, the potential avenues for cyberattacks have expanded for threat actors to exploit in a significant way.

What steps are automakers taking to address cybersecurity challenges in their latest vehicle models?

We use different forms and increasing amounts of software in our vehicles. The first challenge is in the supply chain, not just in terms of who provides the software; the issue penetrates each layer. Automakers need to understand this from a risk management perspective to pinpoint the onset and location of each specific risk. Suppliers must be involved in this process and continue to follow guidelines put in place by the automaker.

The second challenge involves software updating. As technology continues to evolve and more features are added, cybercriminals find new ways to exploit flaws and gaps in systems that we may not have been aware of because of the newness of the technology. Regular software updates must be administered to products to patch holes in systems, improve existing vulnerabilities and improve product performance.

In order to address these challenges, automakers need to conduct an initial risk assessment to understand what kind of threats and the type of threat actors are active within each layer of the product and supply chain in the automotive industry. From the experience gained from the initial risk assessment, a procedure must be put in place to ensure each internal and external employee and supplier knows their role in maintaining security at the company.

The procedure determines which types of threat actors are active within the automotive industry, where they are located, and each threat’s severity. This is complicated because threat actors reside worldwide in large numbers, and each group uses various forms of attacks to various degrees. Automakers use the information collected daily to help protect their assets. Additionally, audits must be conducted regularly to evaluate each supplier and employee to verify the procedures are followed correctly, don’t need to be updated, etc.

Can you explain how vehicle manufacturers integrate cybersecurity into the design and development process?

Once you have a factory line running, the first step to integrate cybersecurity into the manufacturing process is to secure the operation technology (OT) policy by understanding the risk and how to close the gaps. Manufacturers must deal with OT threats, which involve thousands of unique threats coming from the product lines, sensors, and other equipment involved in the manufacturing process, instead of systems like computers.

These threats can be especially dangerous if left ignored because of the simplicity of the equipment used in this stage. Suppose you are a threat actor and you want to damage an automaker. In that case, it is much more difficult to conduct a cyberattack on the cloud or the employees of an automaker. Still, the factory line is easier to attack because it uses equipment that is easier to breach and actions are less detected. This is a very common area for threat actors to target.

What key strategies are you recommending for protecting connected and electric vehicles against cyber threats?

Automotive companies must take a proactive approach to addressing cybersecurity threats instead of being reactive. This allows security teams to avoid threats instead of responding later once the damage has already been done. A few proactive strategies I’d recommend for companies are the following.

  • Conduct a risk assessment to understand and prioritize current and future risks.
  • Develop company-wide security policies and procedures so all employees know their roles in maintaining security.
  • Hold regular security training and awareness programs to educate employees.
  • Implement strong network security measures, including firewalls, detection systems, and encryption, to monitor your network traffic for any anomalies regularly.
  • Regularly backup critical data and store it in secure locations.
  • Develop a comprehensive incident response plan outlining steps to be taken during a cyberattack.
  • Conduct periodic security audits to evaluate the effectiveness of security measures and identify improvement areas.

Cybersecurity is an ongoing process that requires constant vigilance and adaptation – current strategies will likely become outdated and need to be reworked as new threats emerge.

What role do regulatory bodies play in shaping cybersecurity standards for electric and connected vehicles?

Regulatory bodies play a role in shaping cybersecurity standards, but they do not help you secure your products directly – that is up to each individual player in the automotive supply chain. The goal of regulatory bodies is to provide automakers with best practices on steps to take in the event of a cyber hack, what players to communicate with, and how deep to reach depending on the severity of the threat.

Once an automaker is compliant with certain regulatory rules, they will then ask the regulatory bodies to come to conduct an onsite visit, where they conduct an audit for months at a time, trying to hack each layer they can and look for any areas of weakness, to identify what needs to be patched up. This process needs to be repeated until the automaker is fully compliant.

What are the best practices that consumers should be aware of to ensure the cybersecurity of their electric or connected vehicles?

Consumers need to make sure the data collected in the vehicle stays private. For example, if you have an electric vehicle (EV) and you need to charge it, you might visit a public charging station. Not many people know this, but your vehicle data can be easy to hack at public charging stations because you are not only transferring electricity but also data.

To prevent this from happening, vehicle owners need to ask the right questions. Owning an EV is no different than when a homeowner goes to buy a large kitchen appliance, for example. The right questions need to be asked, including – who made it, whether the company has a cybersecurity procedure in place, whether it is currently compliant with regulatory body requirements, etc. Making sure that all software is regularly up to date is also essential. EV users must download official software from trusted brands using a secure network.

Along with automakers, consumers are partially responsible for their own security, which needs to be stressed to the general public more. Without this knowledge, consumers are left highly vulnerable to hacks from cybercriminals.

 InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: auto security, Car Security, Connected cars


Sep 05 2023

Connected cars and cybercrime: A primer

Category: Cybercrime | disc7 @ 9:30 am

Analysis of chatter in criminal underground message exchanges, however, reveals that the pieces exist for multi-layered, widespread attacks in the coming years. And given that the automotive industry’s customary development cycles are long, waiting for the more sophisticated cyberattacks on connected cars to appear is not a practical option.

What should the world’s automotive OEMs and suppliers do now to prepare for the inevitable transition from today’s manual, car-modding hacks to tomorrow’s user impersonation, account thefts and other possible attacks?

How connectivity is changing car crime

As our vehicles become more connected to the outside world, the attack surface available to cybercriminals is rapidly increasing, and new “smart” features on the current generation of vehicles worldwide open the door for new threats.

Our new “smartphones on wheels”—always connected to the internet, utilizing many apps and services, collecting tremendous amounts of data from multiple sensors, receiving over-the-air software updates, etc.—stand to be attacked in similar ways to how our computers and handheld devices already are today.

Automotive companies need to think now about those potential future threats. A car that an OEM is planning today will likely reach the market in three to five years. It will need to be already secured against the cyberthreat landscape that might be in existence by then. If the car hits the market without the required cybersecurity capabilities, the job of securing it will become significantly more difficult.

The likelihood of substantially more frequent, devious, and harmful attacks is portended by the complex attacks on connected cars that we have seen devised by industry researchers. Fortunately, the attacks to this point largely have been limited to these theoretical exercises in the automotive industry. Car modding – e.g., unlocking a vehicle’s features or manipulating mileage – is as far as real-world implementation has gotten.

Connectivity limits some of the typical options that are available to criminals specializing in car crime. The trackability of contemporary vehicles makes reselling stolen cars significantly more challenging, and even if a criminal can manage to take a vehicle offline, the associated loss of features renders the car less valuable to potential buyers.

Still, as connectivity across and beyond vehicles grows more pervasive and complicated, so will the threat. How are attacks on tomorrow’s connected cars likely to evolve?

Emerging fronts for next-generation attacks

Because the online features of connected cars are managed via user accounts, attackers may seek access to those accounts to attain control over the vehicle. Takeover of these car-user accounts looms as the emerging front for attack for would-be car cybercriminals and even criminal organizations, creating ripe possibilities for user impersonation and the buying and selling of the accounts.

Stealing online accounts and selling them to rogue collaborators who can act on that knowledge tee up a range of future possible attacks for tomorrow’s automotive cybercriminals:

  • Selling car user accounts
  • Impersonating users via phishing, keyloggers or other malware
  • Remote unlocking, starting and controlling connected cars
  • Opening cars and looting for valuables or committing other one-off crimes
  • Stealing cars and selling for parts
  • Locating cars to pinpoint owners’ residential addresses and to identify when owners are not home

The crime triangle takes shape

Connected car cybercrime is still in its infancy, but criminal organizations in some nations are beginning to recognize the opportunity to exploit vehicle connectivity. Surveying today’s underground message forums quickly reveals that the pieces could quickly fall into place for more sophisticated automotive cyberattacks in the years ahead. Discussions on underground crime forums around data that could be leaked and needed/available software tools to enable attacks are already intensifying.

A post from a publicly searchable auto-modders forum about a vehicle’s multi-displacement system (MDS) for adjusting engine performance is symbolic of the current activity and possibilities.

Another, in which a user on a criminal underground forum offers a data dump from a car manufacturer, points to the possible threats that likely are coming to the industry.

Though they still seem to be limited to accessing regular stolen data, compromises and network accesses are for sale in the underground. The crime triangle (as defined by crime analysts) for sophisticated automotive cyberattacks is solidifying:

  • Target — The connected cars that serious criminals will seek to exploit in the years ahead are becoming more and more prevalent in the global marketplace.
  • Desire — Criminal organizations will find ample market incentive to monetize stolen car accounts.
  • Opportunity — Hackers are steeped in inventive methods to hijack people’s accounts via phishing, infostealing, keylogging, etc.

Penetrating and exploiting connected cars

The ways for seizing access to the data of users of connected cars are numerous: introducing malicious in-vehicle infotainment (IVI) apps, exploiting unsecure IVI apps and network connections, taking advantage of unsecure browsers to steal private data, and more.

Also, there’s a risk of exploitation of personally identifiable information (PII) and vehicle telemetric data (on a car’s condition, for example) stored in smart cockpits, to inform extremely personalized and convincing phishing emails.

Here’s one method by which it could happen:

  • An attacker identifies vulnerabilities that can be exploited in a browser.
  • The attacker creates a professional, attractive webpage to offer hard-to-resist promotions to unsuspecting users (fast-food coupons, discounts on vehicle maintenance for the user’s specific model and year, insider stock information, etc.)
  • The user is lured into visiting the malicious webpage, which bypasses the browser’s security mechanisms
  • The attacker installs backdoors in the vehicle IVI system, without the user’s knowledge or permission, to obtain various forms of sensitive data (driving history, conversations recorded by manufacturer-installed microphones, videos recorded by built-in cameras, contact lists, text messages, etc.)

The possible crimes enabled by such a process are wide ranging. By creating a fraudulent scheme to steal the user’s identity, for example, the attacker would be able to open accounts on the user’s behalf or even trick an OEM service team into approving verification requests—at which point the attacker could remotely open the vehicle’s doors and allow a collaborator to steal the car.

Furthermore, the attackers could use the backdoors that they installed to infiltrate the vehicle’s central gateway via the IVI system by sending malicious messages to electronic control units (ECUs). A driver could not only lose control of the car’s IVI system and its geolocation and audio and video data, but also the ability to control speed, steering and other safety-critical functions of the vehicle, as well as the range of vital data stored in its digital clusters.

Positioning today for tomorrow’s threat landscape

Until now there might have been reluctance among OEMs to invest in averting cyberattacks, which haven’t yet materialized in the real world. But a 2023 Gartner Research report, “Automotive Insight: Vehicle Cybersecurity Ecosystem Creates Partnership Opportunities,” is among the industry research documenting a shift in priorities.

Driven by factors such as the significant risk of brand and financial damage from cyberattacks via updatable vehicle functions controlled by software, as well as emerging international regulatory pressures such as the United Nations (UN) regulation 155 (R155) and ISO/SAE 21434, OEMs have begun to emphasize cybersecurity.

And today, they are actively evaluating and, in some cases, even implementing a few powerful capabilities:

  • Security for IVI privacy and identity
  • Detection of IVI app vulnerabilities
  • Monitoring of IVI app performance
  • Protection of car companion apps
  • Detection of malicious URLs
  • 24/7 surveillance of personal data

Investing in cybersecurity in the design stage, versus after breaches, will ultimately prove less expensive and more effective in terms of avoiding or mitigating serious crimes involving money, vehicle and identity theft from compromised personal data by the world’s most savvy and ambitious business criminals.

Building Secure Cars


Tags: Connected cars


Jan 10 2023

Automotive Industry Exposed to Have Major API Vulnerabilities

Category: cyber security | DISC @ 4:42 pm

The impacted automotive giants include BMW, Toyota, Ford, Honda, Mercedes-Benz and many more…

These API vulnerabilities exposed vehicles to information theft, account takeover, remote code execution (RCE), and even hijacking of physical commands such as starting and stopping engines.

Millions of vehicles belonging to 16 different manufacturers had completely exposed API vulnerabilities which could be abused to unlock, start, and track cars while also impacting the privacy of the vehicle owners.

These vulnerabilities were found by security researcher Sam Curry who conducted in-depth research into the security loopholes of the automotive industry along with researchers Neiko Rivera, Brett Buerhaus, Maik Robert, Ian Carroll, Justin Rhinehart, and Shubham Shah. 


In a detailed report, Curry laid out vulnerabilities found in the automotive APIs powering several automotive giants including the following:

  • Kia
  • BMW
  • Ford
  • Honda
  • Acura
  • Jaguar
  • Nissan
  • Porsche
  • Toyota
  • Ferrari
  • Spireon
  • Reviver
  • Genesis
  • Hyundai
  • Infiniti
  • SiriusXM
  • Land Rover
  • Rolls Royce
  • Mercedes-Benz

According to the researchers, information theft, account takeover, remote code execution (RCE), and even hijacking of physical commands such as starting and stopping car engines were all real possibilities open to hackers before the security vulnerabilities were fixed by the respective manufacturers following responsible disclosure.

Spireon’s telematics solution faced the most serious of issues which could have been exploited to gain full administrator access to the company’s platform, enabling a threat actor to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware. 

“Using our access, we could access all user accounts, devices (vehicles), and fleets,” Curry said. “Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.”

Another vulnerability reported in the researchers’ findings showed that a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls Royce could allow attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information. 

A poorly implemented SSO functionality in Ferrari’s web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users or (worse yet) give themselves superuser permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.
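A defender's check for the exposure described above, as an added example that is not taken from the researchers' report or any manufacturer's code: a pre-release scan that flags credentials and internal endpoints embedded in a front-end JavaScript bundle. The identifier-name list, the entropy and length thresholds, the `.example` host suffixes and the sample bundle are all assumptions made for illustration.

```javascript
// Added example: pre-release scan of a front-end bundle for embedded secrets.
// All names, hosts and key values below are constructed for illustration.

// Shannon entropy in bits per character; random keys score higher than words.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Identifier names that usually hold credentials (assumed list, extend per code base).
const SECRET_NAME = /(api[_-]?key|secret|token|passw(?:or)?d|client[_-]?secret)/i;
// Matches name: "value" or name = "value", including quoted JSON-style keys.
const ASSIGNMENT = /([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'`])([^"'`\n]{8,})\2/g;
// Hosts that public code should never reference (hypothetical suffixes).
const INTERNAL_HOST = /https?:\/\/[\w.-]+\.(?:internal|corp|intranet)\.example(?:[:\/][^\s"'`]*)?/g;

function scanBundle(source, { minEntropy = 3.5, minLength = 16 } = {}) {
  const findings = [];
  const lineOf = (index) => source.slice(0, index).split("\n").length;

  for (const m of source.matchAll(ASSIGNMENT)) {
    const [, name, , value] = m;
    if (!SECRET_NAME.test(name)) continue;
    // Short or low-entropy values are treated as placeholders, not keys.
    if (value.length < minLength || shannonEntropy(value) < minEntropy) continue;
    // Report only a prefix so the scan log does not itself leak the key.
    findings.push({ type: "embedded-credential", name, line: lineOf(m.index),
                    preview: value.slice(0, 4) + "..." });
  }
  for (const m of source.matchAll(INTERNAL_HOST)) {
    findings.push({ type: "internal-endpoint", name: m[0], line: lineOf(m.index) });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample bundle; the key is random filler, not a real credential.
const SAMPLE_BUNDLE = [
  'const cfg = {',
  '  apiKey: "q7Zp2LmX9vR4tK8sB1nD6wYc",',
  '  apiToken: "changeme-changeme-changeme",',
  '  theme: "dark-blue-gradient-v2",',
  '};',
  'fetch("https://users.internal.example/api/v1/admin/users");',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE));
```

Run as a build gate, a non-empty result should fail the release; anything the scan finds in a shipped bundle has to be rotated, since removing it from the next build does not revoke it.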

A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools.

Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.

“There were some car companies where you’d own one, then copy the exact same methodology to another car company and get in with the same vulnerability,” Curry wrote in a blog post.

The researchers found that some flaws existed across the platforms of several companies, including tons of exposed actuators (vehicle component control), debug endpoints, and administrative functions for managing vehicles, purchase contracts, and telematic devices.

This only goes to show that as much of a hurry as these car companies were to install these devices, they completely overlooked the task of securing their online ecosystem. 


Tags: Car Hacker, Car Security, Connected cars