Back in April 2019, criminals accessed the Daimler Car2Go app to steal over 100 luxury vehicles in the Chicago area, leading the company to temporarily pause their entire service in the area. In this blog, we’ll take a closer look at how this happened, and how it could have been prevented.
According to Car2Go, around 100 luxury vehicles, mostly Mercedes, were stolen by a number of different users who accessed the app by fraudulent means. The company worked together with the police to try to locate the vehicles and thieves, and over a dozen arrests were made. Nevertheless, the company was forced to temporarily pause its service in Chicago. Car2Go emphasized that this was “not a hack, but a case of fraud” and that none of its members’ private information was compromised. Even so, the damage was still substantial. Not only was expensive property stolen, but the theft left the company dealing with significant reputational damage and downtime.
The challenges are clear
The Car2Go theft shed light on a number of challenges that these types of companies face:
- the mobile app is an additional entry point
- fraud, unlike a hack, has to be detected through behavior
- at this scale, the theft was almost certainly premeditated
- over 100 vehicles were stolen at once
Let’s look at each of these challenges and possible ways to overcome them.
Mobile app = additional entry point
The mobile app adds a significant attack surface and can be used as an entry point to the vehicles, the telematics back end, or the car service’s own servers. Attacks on mobile apps have been practiced for many years in fields unrelated to connected vehicles, and compromising an app is potentially easier than breaking into a car’s internal systems. By monitoring how the mobile app communicates with the vehicle and the company’s servers, and combining that with data collected from all available sensors and sources, you can analyze the data for anomalies in behavior, communication, and more.
Can fraud be detected?
It all comes down to behavior. Fraud may not be something very technical, like a hack, but it can be detected with reliable machine learning and behavioral analysis. By understanding what “normal” behavior looks like, by typical app users, vehicles, and drivers, fraud may stand out as anomalous behavior. Was the app accessed in a different manner than usual? Did the user behave strangely compared to typical user behavior patterns? It is likely that by understanding what normal usage and behavior is for Car2Go users, this situation could have been detected while the vehicles were being stolen, allowing Car2Go to lock the vehicles and contact authorities before so much damage was done.
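To make the “what does normal look like” idea concrete, here is an added example (not code from the original post, and not part of Upstream’s product) that builds a per-account baseline from a constructed rental history and scores a new rental against it. The account, device identifiers, vehicle classes and durations are all hypothetical; the deviation checks (new device, unseen vehicle class, unusual start hour, outlying trip duration) are assumptions about what an app-based car-sharing service could baseline.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Rental:
    user: str
    device: str         # app installation / device fingerprint (hypothetical field)
    start_hour: int     # local hour of day at which the rental began
    vehicle_class: str  # e.g. "compact", "mid", "luxury"
    minutes: int        # trip duration


# Constructed history for one account; hypothetical data, not Car2Go's.
HISTORY = [
    Rental("u1", "dev-A", 8, "compact", 25),
    Rental("u1", "dev-A", 9, "compact", 30),
    Rental("u1", "dev-A", 8, "compact", 20),
    Rental("u1", "dev-A", 18, "compact", 35),
    Rental("u1", "dev-A", 9, "mid", 40),
    Rental("u1", "dev-A", 17, "compact", 30),
]


def build_baseline(history):
    """Summarise what 'normal' looks like for one account."""
    return {
        "devices": {r.device for r in history},
        "classes": Counter(r.vehicle_class for r in history),
        "hours": [r.start_hour for r in history],
        "minutes_mean": mean(r.minutes for r in history),
        # guard against a zero spread so the z-score below stays defined
        "minutes_sd": pstdev(r.minutes for r in history) or 1.0,
    }


def _hour_distance(h1, h2):
    """Circular distance between two hours of the day (0..12)."""
    d = abs(h1 - h2)
    return min(d, 24 - d)


def score_rental(rental, baseline):
    """Return (score, reasons); every deviation from the baseline adds one point."""
    reasons = []
    if rental.device not in baseline["devices"]:
        reasons.append("new device")
    if rental.vehicle_class not in baseline["classes"]:
        reasons.append("unseen vehicle class")
    # Unusual if the start hour is more than 3h from every historical start hour.
    if min(_hour_distance(rental.start_hour, h) for h in baseline["hours"]) > 3:
        reasons.append("unusual start hour")
    z = (rental.minutes - baseline["minutes_mean"]) / baseline["minutes_sd"]
    if abs(z) > 3:
        reasons.append("trip duration z=%.1f" % z)
    return len(reasons), reasons


def is_suspicious(rental, baseline, threshold=2):
    """Raise an alert when at least `threshold` independent deviations coincide."""
    score, _ = score_rental(rental, baseline)
    return score >= threshold


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    usual = Rental("u1", "dev-A", 9, "compact", 28)
    odd = Rental("u1", "dev-Z", 2, "luxury", 600)  # new device, 2 a.m., luxury car, 10-hour trip
    for r in (usual, odd):
        print(r, score_rental(r, base), "ALERT" if is_suspicious(r, base) else "ok")
```

Requiring two or more coinciding deviations before alerting is what keeps a rule like this from paging an analyst every time a legitimate user buys a new phone; a single rental that is simultaneously on a new device, at an unusual hour, in a vehicle class the account has never used and for an abnormally long trip is the pattern the post is describing.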
At this scale, premeditation is likely
It is safe to assume that stealing over 100 luxury cars was not a spontaneous decision. In order to have planned this successfully, the thieves had to have tested out the app and conducted research on how to make their next move. Once again, this would have involved abnormal behavior that behavioral analysis could have detected early. In this case, it could have stopped them before they even carried out the theft.
Over 100 vehicles stolen at once
When multiple vehicles are stolen at the same time, an overall view of the entire fleet is very useful. Detecting an anomaly in one vehicle may be challenging in these situations, but when it happens to multiple vehicles at once, the car service company could be alerted to a potential fleet-wide attack or, as in this case, fraud. According to Car2Go, users must drop off the vehicles in the service zone, but they aren’t prevented from driving out of the zone (Chicago). If multiple luxury vehicles had been driven out of the service zone at the same time, this could have raised a red flag in the SOC to be investigated, especially if the vehicles were being taken to the same area, information that the vehicles’ GPS data would have provided.
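The fleet-wide view described above can be expressed as a simple correlation rule over GPS telemetry. The following is an added example (not code from the original post or from Upstream) that takes constructed position fixes, finds the first time each vehicle leaves a rectangular service zone, groups exits that fall within a short window, and then checks whether the vehicles in that burst ended up close to one another. The zone rectangle, vehicle IDs, timestamps and coordinates are all hypothetical; the thresholds (30-minute window, three vehicles, 5 km cluster radius) are assumptions a vSOC would tune to its own fleet.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Fix:
    vehicle: str
    ts: datetime
    lat: float
    lon: float


# Hypothetical rectangular service zone, roughly central Chicago, chosen for the example.
ZONE = {"lat_min": 41.80, "lat_max": 41.95, "lon_min": -87.75, "lon_max": -87.60}

T0 = datetime(2019, 4, 1, 2, 0)  # constructed start time

# Constructed telemetry: V1-V3 leave the zone within 20 minutes and converge on
# one spot; V4 stays inside; V5 leaves alone three hours later in another direction.
FIXES = [
    Fix("V1", T0, 41.88, -87.63), Fix("V1", T0 + timedelta(minutes=0), 41.75, -87.60),
    Fix("V1", T0 + timedelta(minutes=40), 41.60, -87.35),
    Fix("V2", T0 - timedelta(minutes=5), 41.87, -87.64), Fix("V2", T0 + timedelta(minutes=10), 41.76, -87.61),
    Fix("V2", T0 + timedelta(minutes=50), 41.61, -87.34),
    Fix("V3", T0 - timedelta(minutes=2), 41.90, -87.65), Fix("V3", T0 + timedelta(minutes=20), 41.74, -87.62),
    Fix("V3", T0 + timedelta(minutes=55), 41.59, -87.36),
    Fix("V4", T0, 41.85, -87.66), Fix("V4", T0 + timedelta(minutes=30), 41.89, -87.62),
    Fix("V5", T0 + timedelta(hours=2), 41.86, -87.63), Fix("V5", T0 + timedelta(hours=3), 42.05, -87.80),
]


def in_zone(fix, zone=ZONE):
    return (zone["lat_min"] <= fix.lat <= zone["lat_max"]
            and zone["lon_min"] <= fix.lon <= zone["lon_max"])


def haversine_km(a, b):
    """Great-circle distance between two fixes in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def exit_events(fixes):
    """Map each vehicle that left the zone to the timestamp of its first outside fix."""
    exits = {}
    for f in sorted(fixes, key=lambda f: f.ts):
        if f.vehicle not in exits and not in_zone(f):
            exits[f.vehicle] = f.ts
    return exits


def last_fix(fixes):
    """Most recent known position per vehicle."""
    last = {}
    for f in sorted(fixes, key=lambda f: f.ts):
        last[f.vehicle] = f
    return last


def fleet_exit_alerts(fixes, window=timedelta(minutes=30), min_vehicles=3, cluster_km=5.0):
    """Alert when >= min_vehicles leave the zone within `window`; report which converged."""
    exits = exit_events(fixes)
    last = last_fix(fixes)
    ordered = sorted(exits.items(), key=lambda kv: kv[1])
    alerts, seen = [], set()
    for i, (v, t) in enumerate(ordered):
        if v in seen:
            continue
        group = [w for w, tw in ordered[i:] if w not in seen and tw - t <= window]
        if len(group) < min_vehicles:
            continue
        anchor = last[group[0]]
        converging = [w for w in group if haversine_km(anchor, last[w]) <= cluster_km]
        alerts.append({"start": t, "vehicles": group, "converging": converging})
        seen.update(group)
    return alerts


if __name__ == "__main__":
    for a in fleet_exit_alerts(FIXES):
        print("fleet exit burst at", a["start"], "vehicles", a["vehicles"],
              "converging on one area:", a["converging"])
```

A single vehicle driving out of Chicago is, as the post notes, permitted and unremarkable; the signal is three of them leaving inside half an hour and ending up within a few kilometres of each other, which is why the rule aggregates over the fleet and only then looks at where the group went.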
Upstream C4 is a cloud-based cybersecurity solution designed to detect possible threats to connected vehicles and mobility service providers. The Car2Go theft is a particularly interesting case due to the method used to access the luxury vehicles. Because Upstream’s C4 platform monitors and analyzes data collected from the entire connected vehicle infrastructure (mobile app, cars, servers, APIs, etc.), it is able to detect anomalies in single vehicles or the entire fleet as a whole. C4 establishes a baseline for what normal activity and behavior looks like, allowing it to detect various behavioral anomalies. This includes anomalies in how the mobile app behaves, user interaction with the app, authentication and driver activity, and more. By detecting anomalies in real time and issuing timely alerts and red flags to the security analysts in the vehicle SOC (vSOC), companies are able to prevent attacks and significantly mitigate the damage before it’s too late.
For more information on automotive cyber incidents, read our eBook “Q1 2019 Sees Rapid Growth of Automotive Cyber Incidents” or schedule a demo.