By David Geer
CSO | JAN 27, 2017 3:37 AM PT
Modern vehicles increasingly connect to the rest of the world via short-range wireless technologies such as Wi-Fi and Bluetooth, wired interfaces such as OBD-II and USB, long-range wireless communications such as 4G and the coming 5G for internet access, and services such as OnStar, LoJack, and Automatic, to name only some. That world includes your enterprise and the criminal hackers and cyber carjackers who want to compromise your data, your corporate fleets, and your people.
The costs of their attacks include exposure of personally identifiable information and private data, and exposure or destruction of valuable intellectual property, according to Eric Friedberg, co-president at Stroz Friedberg. Loss of life in a vehicle crash or destruction also weighs heavily as a potential personal, professional, and corporate cost.
CSO explores the vulnerabilities and risks of automotive cyber-attacks and methods for securing your data, human resources, and the connected vehicle environment.
Automotive cyber threats to carmakers and other enterprises
The threat to automakers is expansive. Phishing attacks, or attacks against insecure Wi-Fi and remote-access connections, websites, partner and vendor networks, and the physical perimeter, can give a cyber-criminal a foothold into the entire corporate network via the connected car ecosystem, says Friedberg.
Attackers then escalate the privileges they have just gained to reach customer PII, gateways into manufacturing networks, connectivity to safety systems and industrial controls, sensitive emails, the software development environment, and other sensitive information about the car or customer, says Friedberg.
“Once they obtain broad privileges, hackers can discreetly perform unauthorized actions including stealing, deleting, or corrupting data, as they have in high-profile retail, healthcare, manufacturing, and pharma cases over the past several years,” says Friedberg. That’s the prognosis inside the automotive industry.
Clearly, access to the vehicle could also lead to access to the data owned and used by the company whose people are driving these cars, as well as to employee and passenger personal data. According to Dan Klinedinst, senior vulnerability analyst, CERT Division, Software Engineering Institute, Carnegie Mellon University, there are two scenarios in which the enterprise’s data is at risk:
An attacker controlling the vehicle’s computers could access a BYOD or corporate tablet, laptop, or smartphone connected to the car via Bluetooth, Wi-Fi, or USB without going through corporate security controls (e.g., firewalls). Most recent-model cars have an internet connection via a cellular modem.
Fleet vehicles that companies manage from servers on the corporate network are part of that network, but may not have the same security controls as other network devices (e.g., access controls, anti-virus).
As for employees, the primary threat is injury or loss-of-life if attackers access the control components of the car (powertrain, brakes, accelerator), says Klinedinst. Even without that access, an attacker can compromise an employee’s privacy by monitoring where and how they drive, connecting to their personal devices, or even attacking the in-car microphones used for hands-free calling, he says.
Finally, cars are at risk because the computers that provide driving information (gas mileage, average speed, geolocation) have access to the vehicles’ internal networks, says Klinedinst. “Criminal hackers can leverage these to unlock and start the car (for theft), stall the car, prevent it starting, crash it, or simply cause maintenance issues.”
How to protect your data used in/with vehicles against automotive cyber threats
Many of the same security measures that can protect corporate data can also safeguard the lives and welfare of the employees who are using and passing data in these vehicles. With that kind of motivation, you should already have won half the battle for employee education and cooperation in thwarting automotive cyber threats.
According to Klinedinst, the enterprise should consider whether employees’ devices, corporate-owned or BYOD, are secure against hostile Wi-Fi/Bluetooth/USB devices. “As a policy, employees should not sync their mobile devices to unfamiliar cars (rentals, for example),” says Klinedinst. “Information technology security policies such as patching, asset management, monitoring and vulnerability management need to apply to fleet vehicles.”
According to David Barzilai, automotive cyber security expert, chairman and co-founder at Karamba Security, teach employees to protect your data and themselves by following these policies:
Never plug an unidentified USB drive into the auxiliary port in your infotainment system.
Keep to the vehicle service schedule for periodic updates, which the FBI also recommends.
If the automaker recalls the car for cyber issues, comply with the recall request ASAP.
Avoid installing external devices into the vehicle’s OBD-II port.
Managers of corporate fleets should follow best practices such as these from Barzilai:
Require vendors who provide dongles to harden these gadgets against security bugs.
Demand that these providers deliver monthly reports of newly discovered CVEs (common vulnerabilities and exposures) in your dongles and how to protect the devices against exploitation.
Check which car manufacturers offer malware detection and prevention in their vehicles, and consider preferring those.
How to protect vehicles against cyber threats
Because the automotive ecosystem is highly connected from one end to the other, a vulnerability in any component across vehicle systems is an entry point for hackers looking to pivot from one system to the next, says Friedberg. “Auto executives must insist on a systematic approach to the security of the entire ecosystem—not looking at the vehicle in isolation, but working across the corporate, manufacturing, vehicle management, supply chain, and aftermarket networks that stand behind every connected car.”
Organizations should take specific technical steps to ensure automotive security, including hacking themselves in tabletop exercises and adding applications and methodologies such as encryption, strong authentication, digital signing, and intrusion detection to the next versions of the CAN bus and its components, in order to protect corporate networks, says Friedberg.
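To make the CAN-bus authentication and intrusion-detection advice above concrete, here is an added example written for this article (it is not code from Stroz Friedberg, Karamba Security, or any automaker). It shows one way an ECU can authenticate the frames it receives: each 8-byte classic CAN data field carries a one-byte freshness counter, a four-byte payload, and a three-byte truncated HMAC-SHA256 tag. The receiver rejects frames whose tag does not verify, frames whose counter is replayed or out of window, and frames arriving on arbitration IDs it does not expect, and it records every rejection as an alert, which is exactly the signal an in-vehicle intrusion detector consumes. The field sizes, the demo key, the arbitration IDs (0x120, 0x3FF), and the brake-pressure scenario are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import struct

# Layout of an authenticated 8-byte classic CAN data field. These sizes are an
# assumption of this example chosen to fit the 8-byte limit; production
# protocols pick their own split between payload, counter and tag.
COUNTER_LEN = 1
PAYLOAD_LEN = 4
MAC_LEN = 3
COUNTER_WINDOW = 16   # how far ahead of the last accepted counter we tolerate

# Constructed demo key. A real ECU would hold a per-message key provisioned at
# manufacture (ideally in a hardware security module), never hard-coded here.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def compute_mac(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """The tag covers the arbitration ID, the counter and the payload, so a
    captured frame cannot be replayed under another ID or with a new counter."""
    covered = struct.pack(">IB", can_id, counter) + payload   # 29-bit IDs fit in I
    return hmac.new(key, covered, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: returns the 8-byte CAN data field for one frame."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
    if not 0 <= counter <= 0xFF:
        raise ValueError("counter must fit in one byte")
    return bytes([counter]) + payload + compute_mac(key, can_id, counter, payload)


class Receiver:
    """Receiver side: verifies each frame and records why a frame was dropped."""

    def __init__(self, key: bytes, expected_ids):
        self.key = key
        self.expected_ids = set(expected_ids)
        self.last_counter = {}      # can_id -> last accepted counter
        self.alerts = []            # (reason, can_id) tuples for the IDS/logger

    def accept(self, can_id: int, data: bytes):
        """Returns the verified payload, or None (and logs an alert) if rejected."""
        if can_id not in self.expected_ids:
            self.alerts.append(("unexpected_id", can_id))
            return None
        if len(data) != COUNTER_LEN + PAYLOAD_LEN + MAC_LEN:
            self.alerts.append(("bad_length", can_id))
            return None
        counter = data[0]
        payload = data[COUNTER_LEN:COUNTER_LEN + PAYLOAD_LEN]
        tag = data[COUNTER_LEN + PAYLOAD_LEN:]
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, compute_mac(self.key, can_id, counter, payload)):
            self.alerts.append(("bad_mac", can_id))
            return None
        last = self.last_counter.get(can_id)
        if last is not None:
            delta = (counter - last) % 256     # modular arithmetic handles 8-bit wraparound
            if delta == 0 or delta > COUNTER_WINDOW:
                self.alerts.append(("replay_or_stale", can_id))
                return None
        self.last_counter[can_id] = counter
        return payload


def demo():
    """Constructed scenario: a brake-pressure sender (ID 0x120) talking to one
    receiver, followed by three things a hostile node on the bus might do."""
    brake_id = 0x120
    rx = Receiver(DEMO_KEY, expected_ids={brake_id})
    results = {}

    # 1. Two legitimate frames with increasing counters are accepted.
    f1 = build_frame(DEMO_KEY, brake_id, 7, b"\x00\x10\x00\x00")
    f2 = build_frame(DEMO_KEY, brake_id, 8, b"\x00\x12\x00\x00")
    results["legit"] = (rx.accept(brake_id, f1), rx.accept(brake_id, f2))

    # 2. Replaying the first frame: the tag is valid but the counter went backwards.
    results["replay"] = rx.accept(brake_id, f1)

    # 3. Flipping a payload byte without the key: the tag no longer verifies.
    tampered = bytearray(f2)
    tampered[2] ^= 0xFF
    results["tamper"] = rx.accept(brake_id, bytes(tampered))

    # 4. A frame on an arbitration ID this ECU never expects from the bus.
    results["unknown_id"] = rx.accept(0x3FF, bytes(8))

    results["alerts"] = list(rx.alerts)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The counter window is the design trade-off worth noticing: too small and a receiver that misses a few frames on a noisy bus starts rejecting good traffic, too large and an attacker has a wider replay opportunity. Whatever the values, the alert list is what an intrusion-detection component or fleet telemetry pipeline should be watching, since a burst of bad-tag or unexpected-ID alerts from one ECU is a far clearer signal than anything visible at the corporate network edge.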
Enterprises using connected fleets need to ask vendors how they secure their vehicles and what they offer in security for third-party fleet management and insurance devices that plug into OBD-II, says Klinedinst. “Mature vendors will have a vulnerability response capability, the ability to issue security patches quickly and safely, the results of third-party security assessments, and ready answers for how their products meet industry standard security controls,” says Klinedinst.
“Ensure that you do any remote fleet management over encrypted channels using authentication, limiting access to the people/computers that need it, and following other best practices for secure access to important assets,” says Klinedinst.
How to protect your people against automotive cyber threats
Manufacturers should provide the minimum amount of access necessary between internet-connected computers and the safety-critical components, says Klinedinst. Fleet managers and information technology security should work together to keep fleet management services secure.
Enterprises should also consider how much information they can gather about employees from their vehicles. If they choose to collect that information, they should properly secure it against both criminal hackers and malicious insiders, says Klinedinst.
If automakers, your enterprise, information technology security, fleet managers, and employees work together, you can minimize unauthorized access and malicious activity in and around the connected car.