If I would offer you an opportunity to spend $300 and make $50,000 right away with more to come and no additional expense, would you take it? What about downloading a cybersecurity hack for that much off the Dark Web and using it to steal a $50,000 car?
Such a possibility exists Etay Maor, Chief Security Officer of IntSights told me yesterday. His firm, a threat intelligence company focused on enabling enterprises to Defend Forward, released the firm’s new report, Under the Hood: Cybercriminals Exploit Automotive Industry’s Software Features. The report identifies the inherent cybersecurity risk and vulnerabilities manufacturers face as the industry matures through a radical transformation towards connectivity.
Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles that require integrated software introduce security vulnerabilities. Widespread cloud connectivity and wireless technologies enhance vehicle functionality, safety, and reliability but expose cars to hacking exploits. In addition, the pressure to deliver products as fast as possible puts a big strain on the security capabilities of cars, manufacturing facilities, and automotive data.
The two main things that affect hackers’ motivation, regardless of their skills and knowledge are the cost effectiveness of the attack and the value of the information.
Vehicles usually have more complicated attack surfaces to penetrate compared to other options, i.e. attacks against banks or retail shops. That said, the automotive industry still has numerous attack vectors, just as any other industry: needs Phishing, credential leakages, leaked databases, open ports, and services, insider threats, brand security, and more.
Dark Web Forums
In the research, IntSights discovered online shops that sell car hacking tools that appear on the clear web and are easy to find. These online shops sell services that disconnect automobile immobilizers, as well as services that sell code grabbers and forums that give bad actors a complete tutorial on how to steal vehicles.
“The automotive manufacturing industry is wrought with issues, stemming from legacy systems that can’t be patched to the proliferation of vehicle connectivity and software as consumers demand more integration with personal devices and remote access,” said Maor. “A lack of adequate security controls and knowledge of threat vectors enables attackers to take advantage of easily acquired tools on the dark web to reap financial gain. Automakers need to have a constant pulse on dark web chatter, points of known exposure, and data for sale to mitigate risk.”
Top Vehicle Attack Vectors:
- Remote Keyless Systems
- Tire Pressure Monitoring Systems
- Software and Infotainment Applications
- GPS Spoofing
- Cellular Attacks
Other attack vectors explored include:
- Attacking Can-BUS
- Remote Attack Vectors
- Car Applications
- Physical Attack Vectors
IntSights has “the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire.” Its cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response.