What is a data breach? A data breach is an incident where information is stolen from a system without the knowledge or authorization of the system’s owner. Depending on the type of data and from whom it is stolen, a data breach can have far-reaching consequences that can affect the lives of customers and challenge the reputation of organizations regardless of their industry.
The automotive industry is no exception, having been transformed by the digital age over the years. A symbol of this transformation is the autonomous car, backed by a supply chain that has also been revolutionized. What are data breaches like in the automotive industry?
Figure 1. Data breach incidents in the automotive industry from May 2020 to June 2022
In our investigation, we reviewed published reports on data breach cases within the automotive supply chain and noted the types of data that were stolen from each case. As seen in Figure 1, customer information and company-sensitive information are the top reported breaches from the last two years. In the wrong hands, these types of data can lead to more complicated attacks like the following:
- Stolen consumer information or any personal information can lead to individuals being directly targeted in scams or frauds. In credential stuffing, phone call fraud, and spear-phishing attacks, criminals leverage stolen data in order to target a specific person or particular groups using their own detailed information. Stolen company sensitive information and proprietary information affect companies directly. This kind of data leak might not have immediate implications, but once malicious groups have studied the information enough, they can launch unpredictable attacks.
- Proprietary information like the source code or infrastructure architecture could allow threat actors to discover weaknesses or vulnerabilities more quickly. Because vehicles run on code and are essentially connected devices, the damage caused by exploits might be hard to calculate.
- Stolen infrastructure architecture, on the other hand, can act like a treasure map by showing the path of the whole system and the source code used in a production vehicle.
Data breach scenarios
Early into 2022, a teen hacker gained control of more than 25 Tesla cars remotely in an experiment, exposing how important API tokens are in vehicle security. Fortunately, Tesla can revoke all tokens remotely, thus solving the problem posed by the experiment. However, this scenario presents a glimpse of what could happen should API tokens become lost or stolen. API tokens are based on their vehicle identification number (VIN) or on their hardware, and once this information is stolen, a user cannot simply replace tokens as one would with compromised passwords. Instead, the problem would need to be solved in multiple stages starting from the developmental phase.
First, the API token should not be generated based on a physical number seen on a vehicle or a VIN; rather, it must depend on either a more secure design or a more secure piece of hardware. Second, the API token should be updatable or revocable, as is the case with Tesla. Third, API tokens must follow the principle of least privilege, meaning one API token should not be used to rule all functions. This way, even if breaches do happen, one has the measures to contain them.
Data leaks from any part of the supply chain can also have cascading effects on the performance of automotive vehicles. One example is the attack on Nvidia, a major US chip and GPU manufacturer, reported in March 2022. In this attack, a cybercriminal group threatened the company with the release of driver and firmware schemas and the company’s source codes. It’s important to note that the case involved not only the breach of employee login data but also that of developer tools (proprietary data). Additionally, since this kind of major manufacturer also supplies the automotive industry with system-on-chip or GPU solutions, the safety and efficiency of automotive vehicles could still be affected by such breaches — even if cybercriminals only stole supplier data.
In scanning for data breach reports in the automotive industry, we found a total of 30 cases from the past two years.
| Date | Business | Data |
|---|---|---|
| May 18, 2020 | Vehicle manufacturer | Proprietary information |
| May 22, 2020 | Car rental services | Consumer information |
| Jul 3, 2020 | App for bus routes | Consumer information |
| Jan 4, 2021 | Car dealership | Consumer information, company-sensitive information |
| Jan 6, 2021 | Vehicle manufacturer | Proprietary information |
| Feb 13, 2021 | Vehicle manufacturer | Company-sensitive information |
| Feb 15, 2021 | Car rental services | Consumer information |
| Mar 5, 2021 | Motor racing team and constructor | Company-sensitive information |
| Mar 10, 2021 | Security systems company | Company-sensitive information |
| Mar 21, 2021 | Mobile parking app | Consumer information |
| Mar 25, 2021 | Garage maintenance company | Consumer information |
| May 20, 2021 | Auto parts manufacturer | Consumer information, company-sensitive information |
| Jun 7, 2021 | Vehicle manufacturer | Employee information, company-sensitive information |
| Jun 14, 2021 | Vehicle manufacturer | Consumer information |
| Jun 24, 2021 | Vehicle manufacturer | Consumer information |
| June 26, 2021 | Car financing company | Consumer information |
| Oct 22, 2021 | Engineering and technology company | Proprietary information |
| Oct 25, 2021 | Vehicle manufacturer | Proprietary information |
| Nov 11, 2021 | Car leasing business | Consumer information |
| Nov 23, 2021 | Trailer maker | Employee information |
| Dec 11, 2021 | Vehicle manufacturer | Proprietary information |
| Jan 11, 2022 | Data logger app for a car brand | Consumer information, internal credential information |
| Jan 25, 2022 | Car dealership | Consumer information |
| Feb 1, 2022 | Car dealership | Consumer information |
| Feb 10, 2022 | Car dealership | Consumer information, employee information |
| Feb 23, 2022 | Software company | Internal credential information, proprietary information |
| Mar 4, 2022 | Ferrite manufacturer | Employee information, company-sensitive information |
| Mar 9, 2022 | Car dealership | Employee information |
| May 23, 2022 | Vehicle manufacturer | Consumer information |
| Jun 1, 2022 | Fabless IC company | Company-sensitive information, proprietary information |
Table 1. List of data breach cases from May 2020 to June 2022
Security for automotive data breaches
The good news is that organizations have had years to develop defenses and protocols against breaches. Modern security solutions also do a great job in protecting valuable data from being leaked. As for the automotive industry, it can leverage existing solutions through a well-designed system architecture. However, organizations should still remember that even the best defense can't guarantee a 100% prevention rate. This is where checks during the development process play a key role.
OEMs must always assume that their source code could be leaked or dumped and recovered from their vehicle's firmware. The source code should therefore be reviewed from the development phase to solve potential problems from their roots. Focusing intelligence on property issues can also minimize the damage wrought by a data breach because solid development processing can eliminate vulnerabilities that breaches might uncover. For vulnerabilities that weren’t discovered in the development phase, secure over-the-air (OTA) updates can help mitigate them as soon as possible.
In general, as with modern cyberthreats, there is no one solution that would eliminate all possibilities of a successful breach. OEMs would do well to espouse a holistic approach to security, as suggested by the ISO/SAE 24134 standard. Indeed, both the UN Regulation No. 155 (UN R155) and the ISO/SAE 24134 highlight the need for cybersecurity throughout a vehicle’s life cycle, which starts from a product’s development phase to its end-of-life.
VicOne Solutions
Based on research on and experiences from the IT world, in-vehicle protection, multilayered security with comprehensive coverage of a connected car’s ecosystem, and a vehicle security operations center (VSOC) are essential to solutions best suited to secure connected cars. To mitigate supply chain risks specific to the automotive industry, enterprises can begin by ensuring the presence of these measures:
- xNexus, a DR platform for VSOC, can help build awareness mechanisms and early warning for incoming attacks.
- xCarbon (IDPS for ECUs) provides superior detection & protection in the vehicle, allowing security operations centers (SOCs) to quickly understand the nature of a potential attack.
- xZeta allows OEMs to scan vendors' firmware on multiple levels and effectively reduces the attack surface from the beginning.
- xScope is a penetration testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.
Leveraging over 30 years of cybersecurity experience from Trend Micro and the expertise of more than 10,000 independent researchers from Zero Day Initiative (ZDI), VicOne’s cybersecurity solutions use the latest technologies like machine learning, behavior monitoring, and detection and response to help secure connected cars.
Learn more about our solutions by visiting our homepage.
