Securing the Automotive Industry Against Data Breaches

July 5, 2022

CyberThreat Research Lab

How can automotive security prevent and mitigate the effects of data breaches? We revisit data breach cases in the automotive industry to gather insights.

What is a data breach? A data breach is an incident where information is stolen from a system without the knowledge or authorization of the system’s owner. Depending on the type of data and from whom it is stolen, a data breach can have far-reaching consequences that can affect the lives of customers and challenge the reputation of organizations regardless of their industry.

The automotive industry is no exception, having been transformed by the digital age over the years. A symbol of this transformation is the autonomous car, backed by a supply chain that has also been revolutionized. What are data breaches like in the automotive industry?

Figure 1. Data breach incidents in the automotive industry from May 2020 to June 2022

In our investigation, we reviewed published reports on data breach cases within the automotive supply chain and noted the types of data that were stolen from each case. As seen in Figure 1, customer information and company-sensitive information are the top reported breaches from the last two years. In the wrong hands, these types of data can lead to more complicated attacks like the following:

  • Stolen consumer information or any personal information can lead to individuals being directly targeted in scams or fraud. In credential stuffing, phone call fraud, and spear-phishing attacks, criminals leverage stolen data to target a specific person or particular groups using their own detailed information.
  • Stolen company-sensitive information and proprietary information affect companies directly. This kind of data leak might not have immediate implications, but once malicious groups have studied the information enough, they can launch unpredictable attacks.
  • Proprietary information like the source code or infrastructure architecture could allow threat actors to discover weaknesses or vulnerabilities more quickly. Because vehicles run on code and are essentially connected devices, the damage caused by exploits might be hard to calculate.
  • Stolen infrastructure architecture, on the other hand, can act like a treasure map by showing the path of the whole system and the source code used in a production vehicle.

Data breach scenarios

Early in 2022, a teen hacker gained control of more than 25 Tesla cars remotely in an experiment, exposing how important API tokens are in vehicle security. Fortunately, Tesla can revoke all tokens remotely, thus solving the problem posed by the experiment. However, this scenario presents a glimpse of what could happen should API tokens become lost or stolen. API tokens are based on the vehicle identification number (VIN) or on the vehicle's hardware, and once this information is stolen, a user cannot simply replace tokens as one would with compromised passwords. Instead, the problem would need to be solved in multiple stages starting from the development phase.

First, the API token should not be generated based on a physical number seen on a vehicle or a VIN; rather, it must depend on either a more secure design or a more secure piece of hardware. Second, the API token should be updatable or revocable, as is the case with Tesla. Third, API tokens must follow the principle of least privilege, meaning one API token should not be used to rule all functions. This way, even if breaches do happen, one has the measures to contain them.
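The three requirements above can be seen side by side in a short sketch. This is an added example, not code from Tesla or any vendor: `TokenService`, the scope strings, and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time


def vin_derived_token(vin: str) -> str:
    """Anti-pattern: deterministic, so anyone who reads the VIN can recompute
    it, and it cannot be rotated without changing the VIN."""
    return hashlib.sha256(vin.encode()).hexdigest()


class TokenService:
    """Hypothetical issuer: random, scoped, expiring, revocable tokens."""

    def __init__(self):
        # Only SHA-256 digests are stored, so a leaked table holds no usable tokens.
        self._records = {}  # digest -> (vin, scopes, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, vin, scopes, ttl=3600, now=None):
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the VIN
        expiry = (time.time() if now is None else now) + ttl
        self._records[self._digest(token)] = (vin, frozenset(scopes), expiry)
        return token

    def revoke(self, token) -> bool:
        return self._records.pop(self._digest(token), None) is not None

    def revoke_vehicle(self, vin) -> int:
        """Drop every token bound to one vehicle, e.g. after a suspected leak."""
        stale = [d for d, rec in self._records.items() if rec[0] == vin]
        for d in stale:
            del self._records[d]
        return len(stale)

    def authorize(self, token, vin, scope, now=None) -> bool:
        record = self._records.get(self._digest(token))
        if record is None:
            return False  # unknown or revoked token
        bound_vin, scopes, expiry = record
        now = time.time() if now is None else now
        # Least privilege: the token must be bound to this vehicle AND this scope.
        return bound_vin == vin and scope in scopes and now < expiry
```

A token issued for one scope is rejected for any other, and revoking it (or every token for a vehicle) takes effect on the next `authorize` call without touching the VIN or the hardware.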

Data leaks from any part of the supply chain can also have cascading effects on the performance of automotive vehicles. One example is the attack on Nvidia, a major US chip and GPU manufacturer, reported in March 2022. In this attack, a cybercriminal group threatened the company with the release of driver and firmware schemas and the company’s source code. It’s important to note that the case involved not only the breach of employee login data but also that of developer tools (proprietary data). Additionally, since this kind of major manufacturer also supplies the automotive industry with system-on-chip or GPU solutions, the safety and efficiency of automotive vehicles could still be affected by such breaches — even if cybercriminals only stole supplier data.

In scanning for data breach reports in the automotive industry, we found a total of 30 cases from the past two years.

| Date | Business | Data |
| --- | --- | --- |
| May 18, 2020 | Vehicle manufacturer | Proprietary information |
| May 22, 2020 | Car rental services | Consumer information |
| Jul 3, 2020 | App for bus routes | Consumer information |
| Jan 4, 2021 | Car dealership | Consumer information, company-sensitive information |
| Jan 6, 2021 | Vehicle manufacturer | Proprietary information |
| Feb 13, 2021 | Vehicle manufacturer | Company-sensitive information |
| Feb 15, 2021 | Car rental services | Consumer information |
| Mar 5, 2021 | Motor racing team and constructor | Company-sensitive information |
| Mar 10, 2021 | Security systems company | Company-sensitive information |
| Mar 21, 2021 | Mobile parking app | Consumer information |
| Mar 25, 2021 | Garage maintenance company | Consumer information |
| May 20, 2021 | Auto parts manufacturer | Consumer information, company-sensitive information |
| Jun 7, 2021 | Vehicle manufacturer | Employee information, company-sensitive information |
| Jun 14, 2021 | Vehicle manufacturer | Consumer information |
| Jun 24, 2021 | Vehicle manufacturer | Consumer information |
| Jun 26, 2021 | Car financing company | Consumer information |
| Oct 22, 2021 | Engineering and technology company | Proprietary information |
| Oct 25, 2021 | Vehicle manufacturer | Proprietary information |
| Nov 11, 2021 | Car leasing business | Consumer information |
| Nov 23, 2021 | Trailer maker | Employee information |
| Dec 11, 2021 | Vehicle manufacturer | Proprietary information |
| Jan 11, 2022 | Data logger app for a car brand | Consumer information, internal credential information |
| Jan 25, 2022 | Car dealership | Consumer information |
| Feb 1, 2022 | Car dealership | Consumer information |
| Feb 10, 2022 | Car dealership | Consumer information, employee information |
| Feb 23, 2022 | Software company | Internal credential information, proprietary information |
| Mar 4, 2022 | Ferrite manufacturer | Employee information, company-sensitive information |
| Mar 9, 2022 | Car dealership | Employee information |
| May 23, 2022 | Vehicle manufacturer | Consumer information |
| Jun 1, 2022 | Fabless IC company | Company-sensitive information, proprietary information |

Table 1. List of data breach cases from May 2020 to June 2022

Security for automotive data breaches

The good news is that organizations have had years to develop defenses and protocols against breaches. Modern security solutions also do a great job in protecting valuable data from being leaked. As for the automotive industry, it can leverage existing solutions through a well-designed system architecture. However, organizations should still remember that even the best defense can't guarantee a 100% prevention rate. This is where checks during the development process play a key role.

OEMs must always assume that their source code could be leaked or dumped and recovered from their vehicle's firmware. The source code should therefore be reviewed from the development phase to solve potential problems at their roots. Focusing intelligence on property issues can also minimize the damage wrought by a data breach because a solid development process can eliminate vulnerabilities that breaches might uncover. For vulnerabilities that weren’t discovered in the development phase, secure over-the-air (OTA) updates can help mitigate them as soon as possible.

In general, as with modern cyberthreats, there is no one solution that would eliminate all possibilities of a successful breach. OEMs would do well to espouse a holistic approach to security, as suggested by the ISO/SAE 21434 standard. Indeed, both UN Regulation No. 155 (UN R155) and ISO/SAE 21434 highlight the need for cybersecurity throughout a vehicle’s life cycle, which runs from a product’s development phase to its end-of-life.

VicOne Solutions

Based on research on and experiences from the IT world, in-vehicle protection, multilayered security with comprehensive coverage of a connected car’s ecosystem, and a vehicle security operations center (VSOC) are essential to solutions best suited to secure connected cars. To mitigate supply chain risks specific to the automotive industry, enterprises can begin by ensuring the presence of these measures:

  • xNexus, a DR platform for VSOC, can help build awareness mechanisms and early warning for incoming attacks.
  • xCarbon (IDPS for ECUs) provides superior detection & protection in the vehicle, allowing security operations centers (SOCs) to quickly understand the nature of a potential attack.
  • xZeta allows OEMs to scan vendors' firmware on multiple levels and effectively reduces the attack surface from the beginning.
  • xScope is a penetration testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.

Leveraging over 30 years of cybersecurity experience from Trend Micro and the expertise of more than 10,000 independent researchers from Zero Day Initiative (ZDI), VicOne’s cybersecurity solutions use the latest technologies like machine learning, behavior monitoring, and detection and response to help secure connected cars.

Learn more about our solutions by visiting our homepage.