Attendees at the spring meeting of the National Automotive Service Task Force got a bit of intel on cyber security as FBI Special Agent Paul Schaaf sorted through the anatomy of a hack and discussed areas of vulnerability within today’s vehicles.
“Vehicles today are rolling networks,” said Schaaf to attendees at the NASTF meeting, held at the Loews Ventana Canyon Resort in Tucson, Arizona. Schaaf noted that today’s cars hold as much as 2.6 miles of wiring connecting systems that communicate with homes, cell phones, vehicle repair facilities, insurance companies, other vehicles and more.
The NASTF meeting took place Monday, April 30, in conjunction with the Equipment and Tool Institute ToolTech Conference.
As vehicle owners demand, and OEMs deliver, more and more communication options in newer makes and models, the opportunity exists for criminals to use insecure systems to access valuable personal information and link to unprotected business data. That access could lead to a number of criminal activities, from workplace disruptions to full-on data theft.
Schaaf referenced a March 2018 article from The Register, “Auto manufacturers are asleep at the wheel when it comes to security,” which should be a red flag to the auto industry and consumers. According to that story from The Register, “Cars are getting smarter every year but their increasing computational power isn’t being backed up by good IT security practices – hacking them is child’s play. That’s the conclusion of a series of speakers at the Kaspersky Security Analyst Summit. These security researchers have demonstrated how easy it is to introduce software into vehicles to steal data, take control of vital functions, get around alarm and electronic key systems and even crash the car.”
Take, for instance, cell phones. Once a phone is plugged into a car, the vehicle system can crawl the entire address book and email lists, copy SMS messages, and look into the most visited locations online in the last month. That information, if not protected, can result in easy access for criminals.
“All of this information is stored in plain text and is perfect for those interested in surveillance,” said Schaaf. This data can serve as tentacles to connect hackers to other systems, such as dealerships or service repair facilities, and even reach as far as carmaker internal business systems to create extortion opportunities and ransomware efforts.
He cited a number of reasons why companies get hacked, which included:
- Failure to check code before it’s deployed
- Leaving source code exposed
- Failure to change default passwords or shared passwords
- Poor patching practices
- Human error in social engineering/phishing
- Poor exfiltration control
- Failure to recognize infiltration of a system
Speaking to the NASTF crowd, which included a number of large vendors, Schaaf noted that, “A lot of companies are asking vendors, ‘What are you doing now to secure your products that are put on my network?’”
In the automotive industry, businesses large and small need to view cyber threats as real and dangerous, and worthy of attention.