The automotive industry is one of the largest in the world, with dozens of countries involved in the direct manufacture of vehicles or its massive supply chain. New vehicles have as many as 30,000 internal components, many of which are produced by third-party original equipment manufacturers. The industry is in the midst of a significant transformation. It’s increasingly embracing software to improve the monitoring, efficiency and safety of vehicles while transitioning from internal combustion engines to electric vehicles (EVs).
EV maker Tesla has spurred pivots from the rest of the industry. Tesla is a vehicle manufacturer, but its technology industry experience means its resulting products could almost be termed rolling software appliances. Tesla's cues have been followed by other auto manufacturers, which are making their vehicles with more complex software systems than ever. This transition means the attack surface of automakers, their suppliers and their products has rapidly expanded.
In this blog post, Intel 471 will look at how cybercrime is affecting the automotive industry. Secondly, we’ll look at recent vulnerabilities and research that shows the industry should act quickly to remedy issues.
Intel 471 has seen an increasing number of incidents affecting the automotive industry in the last two years. However, it doesn’t appear that the industry is being intentionally targeted. Rather, in line with other large industries, automotive companies are caught up in opportunistic cybercrime as the result of inadequate security practices. The results are data breaches and ransomware infections.
Much of the malicious activity starts with unauthorized access. Intel 471 has observed initial access brokers (IABs) selling access to automotive companies on cyber underground forums. In August 2022, Intel 471 saw compromised access credentials advertised for sale for two Japanese auto manufacturers. How those access credentials were procured is unknown. The following month, Intel 471 saw a threat actor offer to sell administrator-level privileges to an undisclosed system belonging to a European automaker. That access was purportedly achieved by exploiting a software vulnerability in a web application.
In other activity in the cyber underground, Intel 471 observed threat actors offering information about vulnerabilities impacting the automotive industry. One IAB advertised structured query language-injection (SQLi) vulnerabilities that would allow for data exfiltration from two Europe-based car companies. A SQLi vulnerability is a common type of flaw in web applications where a SQL database may accept malicious input, which could result in the inadvertent exposure of data. The vulnerabilities purportedly allowed for the exfiltration of databases and account credentials.
Intel 471 has also seen threat actors offer sets of data from automobile companies. Throughout 2022, threat actors advertised data sets belonging to European, Chinese and South Korean auto manufacturers. Several observed data sets were stolen from the regional subsidiaries of global manufacturers. It could be that regional subsidiaries have weaker security than their parent companies, and perhaps that’s why their data is turning up for sale. This should be a red flag for CSOs of large automotive companies. Specifically, auto manufacturers have a large number of employees that likely use remote access to company resources. This makes it critical that remote desktop protocol (RDP), virtual private network (VPN) and any other remote access software is closely managed for optimal security.
Regardless of industry vertical, ransomware is an ever-present threat, and the automotive industry is no exception. Intel 471 observed 37 ransomware attacks on businesses within the automotive industry as of mid-December 2022. Most of the entities attacked were in Europe and North America. Seven attacks were attributed to LockBit 3.0, the newest ransomware variant of the LockBit ransomware-as-a-service (RaaS) group. Five attacks were executed by the Hive group and four were executed using LockBit 2.0, an earlier LockBit variant. Other groups involved in attacks against the industry were Black Basta, Quantum, Conti and RansomEXX.
Since the production of vehicles is entwined with the output of other manufacturers in the supply chain, a ransomware attack against one player can significantly affect downstream productivity. For example, Kojima Industries Corp. is one of Toyota’s major suppliers. In March 2022, Kojima said one of its servers was infected with a virus that displayed a “threatening message,” according to Reuters. As a result, Toyota shut down production lines at 14 factories for a day, which normally would have collectively produced about 13,000 vehicles. Toyota’s systems were not directly affected, but it shows how a single cyber incident can have a broad impact.
Intel 471 assesses that the automotive industry is generally an appealing target for RaaS groups, but victims are usually selected due to their inadequate security rather than intentional targeting. The complex supply chains means a larger attack surface, and the failure of organizations to uplift their security means RaaS operators will continue to find targets within the industry.
Web AppSec is Critical
Recent research shows that coding errors in web applications threaten automotive companies' corporate networks and the privacy, safety and personal data of vehicle owners. Issues have been found in web apps that connect to vehicle customer databases or vehicles’ telematics systems. Problems have also been found in internet-connected devices for vehicles made by third-party companies. Finding such vulnerabilities can have a high impact: a vulnerability affecting a singular control system in a vehicle can expose an entire fleet to exploitation.
As an example, several vulnerabilities were discovered in 2022 in a GPS anti-theft device called the MiCODUS MV720 GPS. Research conducted by BitSight highlights how the vulnerabilities could have been exploited to shut down fleets of vehicles. The device is widely used, costs about US $20 and is designed to look inconspicuous, similar to a relay. Once installed, the device relays GPS coordinates for a vehicle’s route and can send alerts if a certain speed is exceeded or if a car leaves a pre-specified area. The device can be controlled and managed through an app or short message service (SMS) commands.
BitSight found that the device had a hard-coded password and would accept unauthenticated SMS commands. Other vulnerabilities included a cross-site scripting (XSS) flaw and an insecure direct object reference (IDOR) vulnerability. An adversary could have used the flaws to secretly track vehicles and record travel routes. The device also is capable of cutting off fuel in vehicles or otherwise abruptly stopping vehicles while operating. BitSight theorized that the security issues could have led to a ransom-type scenario, where an attacker disables a fleet of emergency vehicles until payment is made. At least 1.5 million MiCODUS devices are used worldwide, which raised alarms due to difficulties BitSight had in reporting the issues to its China-based manufacturer. The flaws were, however, eventually patched, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The attack surface of vehicles has expanded as internet connectivity has become pervasive. One of the first academic studies of the cybersecurity risks in the automotive industry released in 2011 showed that various security weaknesses in electronic control systems could be remotely exploited by attackers. The researchers demonstrated they could remotely exploit a vehicle’s telematics unit, subsequently unlocking its doors, disabling the brakes and stopping its engine. Then in 2015, researchers showed how it was possible to remotely take over a Jeep Cherokee via its telematics unit. The telematics unit could be remotely accessed over a cellular connection. A video published by Wired showed how the vehicle could be taken over while driven down a highway.
As a result, Fiat Chrysler initiated a recall of several models of its vehicles produced between 2013 and 2015 with the affected telematics unit. The software could only be patched by physically installing an update, and the incident remains the only cybersecurity-related vehicle recall in the U.S. The findings raised broader alarm, and regulators have sought to ensure the industry is aware of cybersecurity risks. Similar to airplane safety, good cybersecurity practices are critical because interference or the takeover of software systems could theoretically lead to a crash and ultimately, loss of human life.
Although car hacking research is produced with regularity, a team of researchers that focused on the auto industry in the latter half of 2022 turned up voluminous findings that demonstrate the need for immediate remediative action. The team’s research usually started by looking for an automaker’s web-facing assets, such as login pages, application programming interfaces (APIs) and single sign-on (SSO) portals, and then looking for weaknesses. Their findings showed pervasive problems with poorly secured APIs and the presence of common types of vulnerabilities such as SQLi flaws and IDORs.
Some of their findings match those on the Open Web Application Security Project’s Top 10 list of critical risks to web applications. In some cases, the flaws led to direct control of vehicles, including remotely unlocking cars, honking horns and more. Other vulnerabilities led to the team accessing development resources, such as GitHub repositories, build servers, devops infrastructure and internal tools. For one automaker, the team achieved remote code execution inside the network and managed to get access to its corporate chat application, including its security channel.
Analysis and Recommendations
Although the targeting of the automotive industry is opportunistic at this point, the industry should take heed of signs that it may not stay that way. Intel 471 has observed threat actors selling vulnerability information as well as data stolen as the result of vulnerabilities. The recent research into automotive companies’ infrastructure suggests that there are likely more issues to be found, which could be used for data theft or be exploited by more advanced cybercriminals such as ransomware operators. The discovery of many vulnerabilities in such a short period of time means there is a potential for profit for cybercriminals, particularly if the industry comes to be viewed as a soft target. Organizations should pay close attention to API security, access control management and common web application vulnerabilities. Intel 471 suggests that automotive companies:
Closely manage access by third parties to minimize potential compromise.
Implement multi-factor authentication (MFA) to reduce the impact of stolen credentials.
Minimize the attack surface of applications.
Remove old software and ensure other software is promptly patched.
Audit privileges for user accounts to ensure only the minimum are granted to complete work.
Test SSO portals for misconfigurations.
Test web applications for SQLi flaws, IDORs and other types of common web application security flaws.
Evaluate the security of public-facing and internal APIs, particularly for ones that are connected to sensitive customer personally identifiable information (PII).
Regularly scan the organization’s attack surface, looking for insecure portals, subdomains and login panels that are often the first port of call for malicious actors.
Since many intrusions revolve around threat actors abusing legitimate accounts, there are controls organizations should use to detect abnormal activity. These include:
Analyze user login activity to detect deviations from baseline behavior, such as login location or time.
Monitor changes in web session behavior.
Scan emails for malicious attachments and links to prevent successful social engineering or phishing attacks.
Analyze network activity against a baseline to monitor for unauthorized use of network protocols.
Analyze the user login history of systems to determine which credentials may have been compromised.