Cars flying off cliffs. Panicked drivers unable to stop their vehicles while going through red lights. It’s the stuff of movie fantasies, a Hollywood idea of hacking the software of modern cars.
But while cars spiraling out of control make for good box office, the reality of hackers breaking into cars and automaker networks is much more mundane and more of a real threat than anything Hollywood has portrayed.
Hacked cars IRL
Earlier this year, a security researcher in Germany managed to gain full remote access to over 25 Tesla electric vehicles around the world. A vulnerability in the EVs’ web dashboard left them wide open to attacks. (The researcher warned Tesla, and the software has since been patched.)
Worse, in 2020, a ransomware attack on Honda forced the automaker to temporarily halt production at some plants in Europe and Japan. It’s more likely that this attack came through Honda’s IT infrastructure rather than its connected vehicles, but Honda has never disclosed which path it took. Ultimately, it doesn’t matter, because both are now inextricably linked.
In both cases, the danger was not that someone would turn off the headlights or the brakes. The real goal was to access all the data that cars and car manufacturers now collect.
Car manufacturers place a high value on safety and have spent decades trying to reduce the number of accidents. They have also gotten better at physically separating a vehicle’s internet connection from the systems that drive the car. But the likelihood of Hollywood scenarios where consumer vehicles are converted into remote-controlled cars is slim and distracts from the security risk that nearly all consumers with connected cars face: the harvesting of their data.
Hackers want your data, not your life
From location information to credit card details in connected apps to bank account balances, cars are now a rolling repository of critical digital information. With Amazon’s Alexa, Google’s Assistant and Apple’s Siri ready to shop online, make calls and disable home security systems from the driver’s seat, the possibilities are almost endless. That’s where the money is and that’s where the vulnerabilities are.
And it’s not just high-tech electric cars connected to the Internet. According to an Otonomo questionnaire, about 41% of all cars sold in 2020 were connected cars. Coincidentally, one of the first published car hacking attacks by researchers was on a Jeep way back in 2015; tens of thousands of vehicles had to be patched and updated.
While hackers steal credit card information every day, connected cars represent a mishmash of attack vectors. An automaker can keep its own systems locked down and its security protocols up to date, but that usually can’t be said of the 200 or more suppliers that may be involved in providing parts and materials for a single car.
Third Party Vulnerability
Each of these suppliers and partners represents a potential point of attack through which someone can gain access to a car manufacturer’s systems. Add to that all the software connections, such as the third-party app that enabled the Tesla hacker, and the potential vulnerabilities multiply exponentially. Controlling your supply chain is difficult, and it becomes even more difficult when your suppliers provide software.
Ransomware attacks are currently the main hacking threat facing businesses. According to a Sophos questionnaire last year, 37% of companies surveyed said they had been hit by a ransomware attack. Indeed, last year, the Toll Group, a global logistics and transportation company responsible for delivering parts around the world, including auto parts, was hit by ransomware not once, but twice, forcing it to shut down IT systems affecting some 40,000 employees and customers in 50 countries.
That reinforces the true goal of the vast majority of hackers: not to push cars off cliffs, but to access the data in cars and networks, which are now rolling computers. Hackers can track anyone’s location – essentially using cars as a new form of espionage or ransomware fodder.
A back-to-the-basics solution
Protection against such hacks means going back to basics. Automakers must require and verify that every company in the supply chain has regular and complete security backups. Likewise, businesses large and small must constantly update and install all software patches, from server software to web apps. Two-factor authentication, password managers, and training to identify phishing scams are also essential tools for protecting automakers from breaches.
These security measures have been common sense for online businesses for years. Now it should also be common sense when it comes to cars.
Rick Van Galen is a security engineer at 1Password and a former ethical hacker.