The first 10 weeks of 2018 have already produced a wide and sophisticated range of automotive hacks for some of the world’s leading brands.
As modes of transport become increasingly connected, trains, vehicles and fleets of cars become vulnerable to cyber threats. More features and functionality mean more software, more complexity, more data and a wider attack surface – an attractive prospect to any cybercriminal.
Here’s a look at 10 of this year’s hacks to highlight just how frequently these hacks occur.
1. Rare Malware Targeting Uber’s Android App Uncovered. January 2018.
It seems as though malware writers are on an eternal quest to trick mobile users. Android malware disguised as Uber’s Android app has been collecting credentials and allowing attackers to take over accounts. To avoid suspicion, once the user filled in their username and password the malware used deep links to Uber’s legitimate app to pull and display the user’s location and pass itself off as the Uber app. Luckily, the breach was not not widespread, and the majority of Uber users were not at risk.
2. Canadian Train Company Targeted by North Korean Cyberattack. January 2018
Transportation enterprises are not out of the reach of hackers. MetroLinx, an Ontario-based transit agency, was the recipient of a network firewall breach which infected one of their internal systems. The official response from Metrolinx was that ‘at no time was customer private information compromised’, which was a lucky break considering that the company holds the personal information of more than 2.1 million customers. Metrolinx’ team of “ethical hackers”, whose job it is to detect and trace cyber threats, followed this attack back to a source in North Korea.
3. Australian Car-Sharing Company in Identity Theft Hack. January 2018
Large-scale identity theft is a particular challenge for fleet operators like car rental companies, which store large quantities of personal data. In Australia, a man was recently arrested on suspicion of hacking the database of car-sharing service GoGet and using stolen credentials to allegedly ride for free.
4. Charging Electric Cars: A Free Ride for Hackers. January 2018
As the number of electric cars grows, so does the number of charging stations where providers receive money in exchange for energy. This brings with it multiple inherent vulnerabilities which were raised by Mathias Dalheimer at the thirty-fourth Chaos Communication Congress. He was able to collect ID card numbers, imitate them and use them for transactions, rewire charging request and gain root access to the station.
5. Police Warning After Thieves Hack Into Keyless Entry Fob and Steal Cars. February 2018
In the UK, car thefts are becoming more sophisticated. Criminals are exploiting the vulnerabilities of the keyless entry system using pairs of radio transmitters by capturing the signal from the car’s fob. Police have issued a warning and guidelines to drivers about protecting cars with hi-tech opening devices.
6. Tesla Hackers Hijacked Amazon Cloud Account to Mine Cryptocurrency. February 2018
There have always been concerns about the safety and privacy of data stored in the cloud. Just a few weeks ago these fears were realized for the electric car giant Tesla when their Amazon cloud account was hacked and used to mine cryptocurrency. All it took was for Tesla’s credentials to be left on an unsecured IT administrative console that lacked password protection. The hackers took control of the console and ran scripts letting them mine digital coins. The breach also exposed proprietary data and is the latest in a string of so-called cryptojacking.
You can see an infographic of top real-world cyber threats highlighting the diversity of attack vectors already challenging connected car ecosystem players
7. FedEx Customer Information Exposed. February 2018
Big brands are often the target for data breaches and FedEx is no exception. A breach of their server exposed thousands of customers’ personal information, more than 100,000 scanned documents including passports, drivers licenses, and security IDs. FedEx claim that no information has been misappropriated.
8. For Cadillac, OBD-sniffing smells bad. February 2018
The On-Board Diagnostics (OBD II) port is a vital part of any connected car, often used to hook up to a range of aftermarket telematics units. After purchasing a Cadillac ELR, an electric car fanatic was unhappy with the limited data available from the Plug-In Hybrid Electric Vehicle’s built-in infotainment system. Having decoded the traffic on the CAN bus of the ELR he soon exposed the methodology of sniffing into the car’s OBD-II port, parsing the data stream to pull out useful CAN Bus data.
9. Hack on Tesla’s Model 3 Onboard Software Exposes Powertrain Secrets. February 2018
Tesla started delivering its Model 3 to customers late last year. As deliveries increase, so too do the hack attempts. Someone has already managed to hack the Model 3’s ‘factory mode’ (the onboard software version used to perform final tests and diagnostics before shipping the car out of the factory) exposing the car’s powertrain in the process and revealing information that Tesla has so far refused to publish.
10. Coming Soon! “The Bicho” where “The only limit is your imagination and the attack surface of the target car”
In April, Argentinian security researchers and hackers Sheila Ayelen Berta and Claudio Caracciolo are set to demonstrate a hardware backdoor for the CAN bus that can be controlled remotely. Dubbed “The Bicho” (Spanish for small bug), it supports multiple attack payloads and can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is tied to a command that can be delivered via SMS from anywhere in the world. The warning from Berta is that “The only limit is your imagination and the attack surface of the target car.”
What’s next for the industry?
That’s 10 hacks in 10 weeks. The potential payoff for cyber attacks is so high that there’s no doubt that these hacks will continue and increase in sophistication.
Consider then, the impact of cyber-hacking not one train, truck or car, but an entire fleet of cars. In a recent KPMG report, Gary Silberg, National Automotive Leader at KPMG said ‘Our study of automotive industry and cyber security trends indicates that singular vehicle attacks may soon be a thing of the past giving way to an influx of fleetwide cyber attacks’. You can read about the progressively serious cyber risks that could happen to entire fleets or cars in the report.
The war between hackers and OEMs has begun. While one component may be secure on its own, weaknesses will be introduced as soon as it is combined with another. Connectivity to internal and external channels add huge complexity and widen the attack surface.
This risk can be alleviated by ensuring that automotive security solutions are designed to support a centralized cloud-based platform. Cyber solutions must be able to understand and distill the massive amounts of data created by fleets. Upstream helps corporations mitigate the risks of connectivity with a clear focus on our customers’ success in order to protect their vehicles and infrastructure.
Upstream’s 1000th Automotive Cybersecurity Incident: Use NFC Card to Gain Control in 130 Seconds
As a part of Upstream’s ongoing effort to monitor, analyze and assess the impact of automotive-related cybersecurity incidents and vulnerabilities, we recently marked an important…Read more
Charging Station’s Cybersecurity Risks Endanger EV Adoption
Automakers and consumers are experiencing a breakthrough in electronic vehicle (EV) adoptability. Wide-spread easily accessible charging station networks are quelling range anxiety and replacing it…Read more
Protecting Vehicles Requires a Fresh Outlook on Product Cybersecurity
Cybersecurity is an ever-transforming realm. As vehicles become significantly more connected, the threat landscape increases exponentially. In the race between threat actors and security teams,…Read more
Cybersecurity for Connected Vehicles: From Cost Centre to Value Centre (Part 2)
This blog is part of a series on the monetization of connected vehicles through cloud-based agentless cybersecurity tools, written by Ric Vicari, Upstream’s UK-based VP…Read more