A range of automakers from Acura to Toyota are plagued by security vulnerabilities within their vehicles that could allow hackers to access personally identifiable information (PII), lock owners out of their vehicles, and even take over functions like starting and stopping the vehicle's engine.
According to a team of seven security researchers, whose efforts were detailed on Web application security specialist Sam Curry's blog, vulnerabilities across automakers' internal applications and systems allowed them in a proof-of-concept hack to send commands using only the VIN (vehicle identification number), which can be seen through the windshield outside the car.
In all, the team uncovered serious security issues from automakers such as BMW, Ferrari, Ford, Volvo, and many others, across Europe, Asia, and the United States. It also found issues at suppliers and telematics companies including Spireon, which develops GPS-based vehicle tracking solutions.
A BMW Group spokesperson tells Dark Reading that IT and data security have the "highest priority" for the company and that it is continuously monitoring its system landscape for possible vulnerabilities or security threats.
The spokesperson adds that the vulnerability mentioned in the report has been known since beginning of November, and has been processed according to BMW's "security standard operating procedures," e.g., its bug-bounty program.
"The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks," the spokesperson says. "No vehicle-related IT systems were affected nor compromised. No BMW Group customers or employee accounts were compromised."
This is only the latest security concern to come to light. In March, telemetry from industrial systems security firm Dragos spotted Emotet command-and-control servers communicating with several automotive manufacturer systems. The malware is commonly used as an initial infection vector to drop ransomware.
In December, at least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious types to do the same from afar.
Automakers Slow to Recognize Growing Threat
Even though security vulnerabilities have been an issue in the industry for some time (going back to Charlie Miller and Chris Valasek's infamous 2015 Jeep hack detailed at Black Hat USA), automakers have been slow to recognize the potential severity of the developments, says Gartner automotive industry analyst Pedro Pacheco.
He explains that as automakers transition into becoming software developers, they are struggling to address all points of that development cycle — including security.
"One very simple notion is if you're not good in software, you're probably not going to be very good in making that software safe," he says. "That is guaranteed."
From his perspective, automakers are also too complacent when it comes to addressing and patching security vulnerabilities right away.
"Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers."
As automakers develop more complex ecosystems that connect customers with application stores and connect them with their smartphones and other connected devices, the stakes are raised.
"This is the reason why cybersecurity is going to become more and more of a pressing issue," he says. "The more the vehicle takes over driving, then of course the more chances there are that this can be used against the customer and against the automaker. It hasn't happened yet, but it could very well happen in the future."
John Bambenek, principal threat hunter at Netenrich, adds another problem is that as technology evolves, car manufacturers implement it into their vehicles before the technology is truly vetted.
"Web apps have their own security concerns distinct from that path of communication," he explains. "I don’t have to own the entire communication stack. I just need to find a soft spot and researchers continue to find them. The reality is that it’s all put together with defective duct tape and bailing wire — it always has been."
He points out that the more things are put online, the more it gives opportunities for criminals.
"In this case, I’m less concerned about cybercriminals and more for stalkers and their ilk," he says. "This opens a new genre of digital harassment, which may be hard to track and harder to prosecute. That’s where I think the real risk is."
Mandating Automotive Security Through Regulations
Help is on the way, however. Pacheco points to the adoption of UN Regulation No. 155, focused on mandating standards for automotive cybersecurity, which went into power in July and will be enforced in Japan and South Korea — a total of 60 countries will ultimately enforce this regulation.
"This is a new dawn for cybersecurity in the automotive industry, because from this point on, cybersecurity in the vehicle becomes a legal requirement," he says. "This is the reason many automakers have already spent a considerable amount of money and time building up new cybersecurity management systems in accordance with this regulation."
He explains that under the regulation, every three years, the cybersecurity management system from the automaker from a particular vehicle will have to be audited by authorities to assess whether it complies to the regulation or not.
"Now we will start seeing a lot more things happening in cybersecurity than in the past, because until 2022 it was a bit more casual," he says.
He advises automakers not to wait to revise their security every three years but rather to incrementally update and improve their security software.
"They need to keep raising the bar in terms of the performance of their cybersecurity management system," Pacheco says. "This means adding the best cybersecurity technology in terms of hardware and software into the vehicle and running an advanced vehicle security operations center."
Automakers Must Change Their Approach
Pacheco explains that the industry is reaching a tipping point when it comes to cyber safety — but that improving automotive security will require a cultural shift.
"In the end, it always starts with a mindset, meaning when you have a certain threat, it must first be perceived as a threat," he says. "This is what they need to start by doing."
This could include actions as simple as running a competition amongst white hat hackers to search for any vulnerabilities they can find in this vehicle.
"Above all, automakers must be very open towards addressing [these] vulnerabilities and cybersecurity issues," Pacheco says. "Unfortunately, what happens is several automakers have a culture of hiding these issues."
He cautions the industry is approaching a point where automakers have less and less margin to maneuver to wait for the problems to happen.
"If they don't take considerable steps towards improving cybersecurity, it will hurt them a lot in the future," he says.