FBI says hackers are targeting US auto industry
The American automotive industry has been the target of malicious cyber actors since at least late 2018, according to an FBI report obtained by CNN.
Jonathan Deveaux, head of enterprise data protection at comforte AG, commented:
“Data security from yesterday may not protect organizations tomorrow. With more cyberattacks looming in the auto industry, companies need to deploy cyber defenses that are more effective. Unfortunately, perimeter security, stronger passwords, or even intrusion detection are still being bypassed due to sophisticated techniques and vulnerabilities. Insider attacks have already proven that no matter how much investment is spent in some of these areas, attackers may already be on the inside. Since ‘disruption of operations’ and ‘stealing exploitable data’ are what bad actors are after – it would seem prudent to incorporate security that protects the data itself. A whopping 96% of data breaches transpired on sensitive data that was left unprotected – without some sort of data encryption or tokenization. A data-centric security approach helps organizations deploy data protection focused on security and maintaining privacy on the data itself. There is light at the end of the tunnel – it is possible to reduce the likelihood of getting hacked, and to also maintain data protection and data privacy in case attackers do get through perimeter defenses and intrusion detection. A combination of security approaches helps all organizations, not just in the auto industry, remain resilient in the face of growing cyberattacks.”
Javvad Malik, Security Awareness Advocate, KnowBe4:
“Aside from something with criminals attacking companies for financial gain, there are state-sponsored and other groups engaged in espionage against specific industries and the automotive industry is no exception. While the FBI has not offered details in its report, it is clear that these criminal actors often gain access through phishing emails or by compromising weak credentials. As such, user awareness and training is an essential part of protecting organisations. A strong security culture can help protect against attacks through phishing and also reduce the likelihood that employees will use weak passwords or reuse passwords across different services. Beyond that companies should also have good monitoring and threat detection controls in place so that if they are breached, threats can be detected and remediated in a timely manner.”
Raphael Reich, Vice President, CyCognito:
“In today’s hyperconnected world, discovering attack vectors such as software vulnerabilities means first discovering all of the assets in an organization’s attacker-exposed IT ecosystem. But, many of these assets and their associated risks lurk in the shadows because they are unmanaged by the organization itself. Instead, the assets belong to cloud providers, partners, subsidiaries, etc. Finding and eliminating this shadow risk is a prerequisite to keeping attackers out of organizations.”
According to Jason Kent, Hacker in Residence at Cequence Security:
“Over time we’re seeing more and more research going into automotive systems. The big conferences have complete automotive electronics labs (Car Hacking Villages) dedicated to those that want to learn more about how these systems work. As more and more things are understood about how the connected networks work and what they are for, more vulnerabilities are discovered. The connected car vulnerabilities that are reported often use methods that weren’t expected. Hacking in via the Sprint Network that carries the data for an in-car WIFI or utilizing telemetry and maintenance systems that look for access points at the dealer service garage, has meant that we can find the flaws and identify their impact to the vehicle. The standard workflow applies, now someone needs to have a reason to instrument an attack.
With all these connected systems, it’s possible that physical proximity could mean changing the digital identity of the vehicle, and theft tends to be one compelling reason. What if one’s goal was reputational damage? What are the odds an angry customer would want to do a hard shut down of all of a specific manufacturer or model’s systems requiring the cars to be towed to a dealership to be reset? Pulling off an attack where every vehicle is impacted is going to require some sophisticated automation akin to what we are seeing in automated attacks on a daily basis.
One vulnerability that impacts a large number of endpoints is an opportunity for automation; motivation will drive how the attacks will impact the manufacturers and consumers. Diligence for an ever changing attack surface is going to take an understanding of all the factors that drive motivation for the attack.”
According to Colin Bastable, CEO of Lucy Security:
“Consumers certainly need to be alert to the dangers that “smart” technologies such as automotive telematics represent to their data privacy. As we have discovered from recent smart home data privacy issues involving Amazon and Google, data is being exploited and monetized in ways that consumers do not readily comprehend, and so it is with the automotive industry. If data can be monetized, it can be stolen. Most technologies do not start with security baked into the pie, as we see with IoT – they are designed with ease of deployment and convenience of use foremost in mind, which is why so much data gets stolen by motivated hackers.
One suspects that the primary driver for these attacks on the Auto industry – not just the US industry – is theft of Intellectual property. With its reliance on dealer networks, integrated supply chains and myriad third party consultants, finance businesses, government regulators and contractors, the Auto industry is wide open. What seems to be an attempt to steal consumer data may be cover for an advanced persistent threat, designed to steal intellectual property.
With the advent of autonomous delivery systems, such as driverless trucking, delivery drones and self-driving cars, there should also be serious concern about the possibilities of terrorists and state actors hijacking vehicles via embedded malicious code or other means. Disabling a driver disables a truck, but stopping an autonomous truck in a busy tourist area will be a different ball game.”