Car dealerships have been impacted by cyber threats

A new Global Automotive Cybersecurity Report by Upstream Security reveals that car dealerships have been impacted by cyber threats for at least a decade, with the threats growing and expanding.

The report focuses on research into cyber attack trends in light of cybersecurity standards and regulations for 2021, and offers examples of how dealerships, in addition to other segments in the connected vehicle ecosystem, have been affected by cyber threats.

“With the continued rise of cyber attacks against the automotive industry and the regulatory requirements that were developed in response, now more than ever, automotive stakeholders must take heed of the cyber threat landscape,” said Oded Yarkoni, Upstream Security’s VP of Marketing.

In August 2020, for example, the report said “a Volkswagen dealership in Germany was the victim of a ransomware attack resulting in a major data leak that included invoices.” This was months before hackers used the malware Maze to lock the carrier system of a trucking company in Massachusetts for a week, while also making 781 megabytes of the company’s data publicly available online.

Other segments that have been impacted by cyber threats and attacks over the last decade include OEMs, Tier 1, Tier 2, TSP/fleet management, car sharing, car rental companies, logistics and delivery fleets, autonomous vehicles, ride sharing, electric vehicles, ride hailing and more.

Black- and White-hat hackers

According to Upstream Security, more than 200 automotive cyber threat/attack incidents were publicly reported in 2020, and most of those automotive attacks were carried out by hackers with malicious intent.

“In 2020, 54.6 per cent of hacks were carried out by black-hat hackers to disrupt business, steal property, and demand ransom. (And) 39.1 per cent of hacks were committed by white-hat hackers and researchers, including those as part of an automotive bug-bounty program,” said the company in a news release.

According to Upstream Security, black-hat hackers hack systems for personal gain or malicious reasons. White-hat hackers are described as generally not having malicious intent; they typically break into protected systems for security validation or to assess vulnerabilities in the system. They are often employed or rewarded by the hacked company (such as receiving a “bug bounty”) for reporting those vulnerabilities.

Bug bounties

Bug bounty programs in 2020 were hosted by OEMs such as Tesla, General Motors, Ford, Fiat Chrysler Automobiles (FCA), and Daimler on platforms such as BugCrowd, HackerOne, or their own OEM website. (In January 2020, Tesla reportedly offered $1 million and a car as a bug bounty reward.) And dealerships have also hosted bug bounty programs.

Deep and dark web

But for those Black-hat hackers, dealerships and other automotive companies need to be extra cautious, as they may deal with below-the-surface information.

To clarify, the global web includes layers, such as the “surface” (“open” or “clear” web) that includes content such as automotive and cyber news, car enthusiast blogs and forums, academic and research papers, social media, and other ordinary and easily searchable content.

The deep web includes private social media groups, private messaging apps, paste sites, and private car-tuning forums and hacking forums. And the dark web includes malicious paste sites, illegal marketplaces, image boards, and closed hacking forums.

“Knowing and assessing automotive cyber threats both on the surface and on the deep and dark web is the first step in developing an effective cybersecurity management system and complying with the cybersecurity demands of both regulators and consumers,” said Yarkoni.

According to the report, some of the top cyber threat/attack incidents for 2020 include:

  • In January, 4,118 vehicles were stolen in India, with cheap electronic devices that “enabled the thieves to bypass the engine control module, unlock the vehicle, start the engine, and access the vehicles’ computer.”
  • In February, 19 vulnerabilities were found in a Mercedes-Benz E-Class vehicle, which allowed hackers to control the vehicle remotely — such as opening the doors and starting the engine.
  • In May, hackers publicly offered to sell car rental information of 3.5 million Zoomcar users on the dark web.
  • In June, Honda halted production of its vehicles in a number of plants because its networks in both Europe and Japan were attacked with the Snake ransomware.
  • In August, a hacker gained control of Tesla’s entire connected vehicle fleet by “exploiting a vulnerability in the OEM’s server-side mechanism.”

The most common attack vectors (hacker means of getting in) include servers (32.94 per cent), keyless entry/key fob (26.62 per cent), mobile apps (9.90 per cent), OBD port (8.36 per cent), and the infotainment, IT networks, and sensors, among other vectors.

So why should dealers invest in protecting their business? Aside from ensuring the business runs smoothly and personal/private information is not stolen or shared publicly, several surveys show that a significant percentage of consumers would not buy another car from a dealership if their data is compromised by a previous breach, or they would lose trust in the business.

As cyber threats increase with the COVID-19 pandemic, dealers across Canada may wish to re-evaluate how they are protecting their dealership, customers, and employees against cyber attacks.

About Todd Phillips

Todd Phillips is the editorial director of Universus Media Group Inc. and the editor of Canadian auto dealer magazine. Todd can be reached at tphillips@universusmedia.com.
