Car2Go had 75 of its vehicles stolen in a single day in Chicago earlier this year, later recovering most of the vehicles – though many had been stripped. This worst case scenario was a huge cautionary tale for the budding car sharing industry but, as is often the case, the lessons learned were both profound and trivial.
The automotive industry is facing a reckoning over proper cyber security practices. The challenge is great as cars are such big, juicy hacking targets, with dozens of attack surfaces. The only thing saving the industry from a cyber apocalypse is the limited motivation to hack a car – other than outright theft.
That being said, the onion-like levels of automotive vulnerability are daunting and include everything from the supply chain, to dealer service bays and everything in between, including embedded wireless connections (cellular, Wi-Fi, Bluetooth, satellite), the factory floor, headquarters, call centers, secure network operating centers, and embedded sensors including LiDAR, radar and cameras.
What the Car2Go theft highlighted was the rather low-tech process of registering new customers for car sharing services. In all likelihood the protocols put in place by Car2Go did not include a credit check and, as a result, were easily tricked into creating multiple fraudulent accounts.
It is likely that this will not be the last time that a car company is undone by the simplest of security protocols. It wasn’t so long ago that one car company or the other was found to be using either simple, easy-to-guess passwords or failing to make use of multiple passwords or virtual private network technology - pretty basic stuff. Who knew cars would be hacked?
Cars – like presidential campaigns these days – are also vulnerable to social engineering of service providers – which means cyber vigilance needs to be trained in throughout the entire organization and extended to partners, suppliers and service providers. It seems strange that the industry remains so vulnerable in the midst of a surfeit of security solutions emerging onto the market.
A recently published Strategy Analytics report breaks down the applications, the suppliers, and the worst case scenarios and best practices associated with combatting vehicle vulnerability. The report also details the regional regulatory requirements and the extent of industry progress.
https://tinyurl.com/yyngqy4z - Automotive Cyber Security - 2019 Eco-system Update
Suffice it to say that much more work is yet to be done. It’s clear, though, as nearly every automotive cyber security exec worth his or her countermeasures will tell you: Cyber security is a process. This is one problem that will never be “solved.”