2016 turned out to be one of the worst years on record for data breaches. Research firm Forrester reports that nearly one billion individual customer records were breached in 2016 – that’s approximately three accounts for each U.S. citizen.
Forrester reports on five industries, and the takeaways show a clear trend: companies are not planning for all plausible intrusion scenarios, whether because of an attitude of "it won't happen to me," a lack of budget, or complacency with outdated policy. Breaches keep happening, and they happen in large part because of poor security planning.
Among the industries usually discussed as breach targets, the automobile industry does not spring to mind as a security concern, but it should. The technology within today's cars is more advanced than ever, and as automakers improve the driving experience with digital features, they also open new avenues for attack.
Video of Hackers Remotely Killing a Jeep on the Highway
Think back to the 2015 Black Hat conference, where car-hacking researchers Charlie Miller and Chris Valasek presented the results of their remote attack on a 2014 Jeep Cherokee. They began by studying the car's Wi-Fi hotspot, then found that the Harman-built Uconnect infotainment system's cellular connection through Sprint left TCP port 6667 open, with a service behind it that accepted commands without authentication. From a laptop connected through a phone on the Sprint cellular network, miles from the vehicle, that port gave them access to the head unit and, from there, to the car's internal network. Miller and Valasek were able to control the car's steering (at low speed), braking, high beams, turn signals, windshield wipers and door locks, reset the speedometer and tachometer, kill the engine, and disengage the transmission so that the accelerator pedal stopped responding.
The results were frightening as well as unprecedented, and they sent shock waves through the automotive industry: Fiat Chrysler recalled 1.4 million vehicles affected by the flaw.
The flaws, the researchers say, are not an issue for this particular vehicle alone but potentially for any vehicle with network connectivity. Miller and Valasek have spent years exploring ways to exploit vehicle systems, cracking open the dashboards of Toyotas, Fords and others to gain control of brakes, steering and acceleration, and have published a survey ranking the most hackable vehicles.
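The flaw that made the Jeep attack possible was a service listening on a port reachable from the cellular interface with no authentication in front of it. The check a head-unit vendor or a pentester would want first is an inventory of what is listening and on which addresses. The Python below is an added example, not code from this article or from Miller and Valasek; it parses the Linux kernel's /proc/net/tcp table and flags LISTEN sockets bound beyond loopback. The table embedded in it is constructed for the example (the 0.0.0.0:6667 row stands in for the open port described above, the other rows are placeholders), and the allowed-ports list is an assumption:

```python
"""Audit which TCP services on a Linux head unit listen beyond loopback.

Added example, not code from the original article or the researchers. It
parses the kernel's /proc/net/tcp table and flags LISTEN sockets bound to
the wildcard address or to a non-loopback address, which on a vehicle head
unit means reachable from the cellular or Wi-Fi side.
"""
import socket
import struct

TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real unit).
# The 0.0.0.0:6667 row mirrors the open port described above; 631 and 22
# are placeholders for a loopback-only and an address-bound service.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:B2C4 5E7A1C0A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """Turn a '0100007F:0277' field into ('127.0.0.1', 631).

    The address is the 32-bit value in kernel (host) byte order printed as
    hex, so it is unpacked little-endian on x86/ARM units.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(table_text):
    """Return (ip, port, uid) for every socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        listeners.append((ip, port, int(fields[7])))
    return listeners


def exposed_listeners(table_text, allowed_ports=frozenset()):
    """Listeners reachable from outside the unit and not explicitly expected.

    A wildcard (0.0.0.0) bind answers on every interface, including the
    cellular modem link; a bind on a specific non-loopback address is also
    reported so the reviewer can decide whether that interface is external.
    """
    findings = []
    for ip, port, uid in parse_listeners(table_text):
        if ip.startswith("127.") or port in allowed_ports:
            continue
        findings.append({"ip": ip, "port": port, "uid": uid, "wildcard": ip == "0.0.0.0"})
    return findings


def audit(path="/proc/net/tcp", allowed_ports=frozenset()):
    """Run the check against the live table, or the sample when not on Linux."""
    try:
        with open(path) as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    return exposed_listeners(table, allowed_ports)


if __name__ == "__main__":
    for f in audit(allowed_ports={22}):
        where = "all interfaces" if f["wildcard"] else f["ip"]
        print(f"port {f['port']} listening on {where} as uid {f['uid']}: justify or close it")
```

Run on the unit itself (or on a filesystem image with the path pointed at its copy of the table), every finding needs an owner and a reason; a wildcard bind running as uid 0, like the 6667 row in the sample, is exactly the shape of the Jeep exposure.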
“The most hackable cars had the most [computerized] features and were all on the same network and could all talk to each other,” says Miller, then a security engineer at Twitter. “The least hackable ones had [fewer] features, and [the features] were segmented, so the radio couldn’t talk to the brakes.”
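Miller's point about segmentation can be made concrete with a gateway that sits between the infotainment bus and the powertrain bus and forwards only explicitly allowed identifiers in each direction. The Python below is an added example, not the researchers' or any automaker's code: the bus names, the rule table and the arbitration IDs 0x1F0, 0x2A0 and 0x0C0 and their meanings are hypothetical, while 0x7E0 to 0x7E7 is the standard ISO 15765 diagnostic request range. A frame from the radio side that names a powertrain ID, or that carries a diagnostic request, is dropped and logged rather than forwarded:

```python
"""Allowlisting CAN gateway between an infotainment bus and a powertrain bus.

Added example, not from the original article or the researchers' tooling.
Bus names, the rule table and the IDs 0x1F0, 0x2A0 and 0x0C0 are hypothetical;
only the 0x7E0-0x7E7 range (ISO 15765 diagnostic requests) is a real convention.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # 11-bit standard identifier
    data: bytes          # 0 to 8 payload bytes


@dataclass
class Bus:
    name: str
    frames: list = field(default_factory=list)  # frames delivered onto this bus


# Hypothetical rule table: (source, destination) -> {arbitration_id: max_dlc}.
# Anything not listed is dropped, so the radio cannot address powertrain ECUs.
RULES = {
    ("infotainment", "powertrain"): {0x2A0: 2},  # climate set-point request
    ("powertrain", "infotainment"): {0x1F0: 8},  # speed / rpm broadcast for the display
}

DIAG_REQUEST_IDS = range(0x7E0, 0x7E8)  # ISO 15765 physical diagnostic request IDs


class Gateway:
    """Forward a frame only when the direction and ID are explicitly allowed."""

    def __init__(self, rules):
        self.rules = rules
        self.dropped = []  # (source bus, frame, reason): feed this to logging or an IDS

    def forward(self, src, dst, frame):
        reason = self._check(src, dst, frame)
        if reason:
            self.dropped.append((src.name, frame, reason))
            return False
        dst.frames.append(frame)
        return True

    def _check(self, src, dst, frame):
        if not 0 <= frame.arbitration_id <= 0x7FF or len(frame.data) > 8:
            return "malformed frame"
        # Diagnostic requests may only originate on the bus behind the OBD port,
        # which this example would name "diagnostic".
        if frame.arbitration_id in DIAG_REQUEST_IDS and src.name != "diagnostic":
            return "diagnostic request from non-diagnostic bus"
        max_dlc = self.rules.get((src.name, dst.name), {}).get(frame.arbitration_id)
        if max_dlc is None:
            return "id not allowed in this direction"
        if len(frame.data) > max_dlc:
            return "payload longer than allowed"
        return None


def run_demo():
    """Replay a few frames through the gateway; returns the per-frame decisions."""
    gw = Gateway(RULES)
    info, power = Bus("infotainment"), Bus("powertrain")
    decisions = {
        "speed_to_display": gw.forward(power, info, CanFrame(0x1F0, b"\x00\x64\x0f\xa0")),
        "climate_request": gw.forward(info, power, CanFrame(0x2A0, b"\x16\x00")),
        "brake_command_from_radio": gw.forward(info, power, CanFrame(0x0C0, b"\xff\x00")),
        "uds_request_from_radio": gw.forward(info, power, CanFrame(0x7E0, b"\x02\x10\x02")),
        "oversized_climate": gw.forward(info, power, CanFrame(0x2A0, b"\x16\x00\x00\x00")),
    }
    return decisions, [reason for _, _, reason in gw.dropped], len(power.frames)


if __name__ == "__main__":
    decisions, reasons, delivered = run_demo()
    for name, ok in decisions.items():
        print(f"{name:26s} {'forwarded' if ok else 'dropped'}")
    print("powertrain frames delivered:", delivered, "drop reasons:", reasons)
```

The design choice is default-deny: a compromised head unit can still talk to the powertrain bus, but only with the handful of IDs and payload sizes the rule table names, and every rejected frame leaves a record that a vehicle IDS can alarm on.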
The Broad Attack Surface
The “attack surface” of the ever-expanding digital, connected car is broad and goes well beyond vulnerabilities in the vehicle itself. Like the industries that are frequent targets of data breaches, the automotive industry must consider the many angles from which an attacker can break into a network. Additional threats to the automotive industry are discussed in DarkReading’s recent article and include:
- Corporate networks: Phishing, or attacks against insecure Wi-Fi and remote-access connections, websites, or partner and vendor networks, can give a criminal a foothold in the corporate network. Once inside, attackers can wreak havoc in a number of ways, from reading sensitive information about the car and its customers to taking control of systems within the network itself.
- Manufacturing networks: Think of attacks on power plants, electrical grids and telecommunications networks, where physical infrastructure is taken over by attackers who can destroy equipment and shut down entire operations. In the auto industry, an attacker who controls the systems that build and provision vehicles could push malware out to the cars themselves.
- Aftermarket networks: Attackers can socially engineer a breach by mailing infected dongles disguised as software upgrades, safe-driving add-ons or fleet-management tools, packaged as if they came from the manufacturer, tricking drivers into plugging the dongle into the car’s On-Board Diagnostics (OBD-II) port.
- Internal and external threats: Hacktivists publicize vulnerabilities as a means of protest or leverage, using public fear and the market as a political tool. In a worst-case scenario, terrorists could use remote control of a vehicle to cause injury.
A Modern Approach to Cybersecurity
“Such a resilience-building model that unifies the security ecosystem and continuously seeks to identify possible new exploits is the best way for automakers to keep their customers safe and mitigate their own enterprise risk. Automakers must, in essence, hack themselves.”
As digital technology within vehicles continues to expand, drivers’ safety as well as their private data are at risk. So how does the automotive industry stop the threat of attack?
DarkReading’s recent article takes a closer look at what automakers should put in place to govern cyber threats, suggesting a holistic approach to identifying and reducing cyber risk:
- Eliminate silos within the organizational structure, so that groups work together under collaborative leadership across all departments and share equal responsibility for risk.
- Instill a cybersecurity culture that practices hacking exercises, studies criminal behavior and tracks vulnerabilities, to expose technology and human weaknesses and build on what is learned.
- Create a continuous cycle of improvement that identifies, exploits and remediates risks.
In-Car Payments – an Additional Cyberthreat
The ability for drivers to make in-car payments opens up a whole new world of opportunity – for consumers and for cyber thieves. Soon, drivers could be paying for gas, music and parking from their cars with just a swipe of a hand or fingerprint, and hackers will be looking for ways to access the card data that is associated with that hand or finger.
At Mobile World Congress, Visa and automaker Honda recently demonstrated paying for parking and gas from inside the vehicle using a number of payment methods, from a visual display inside the vehicle, to payment terminals that recognize fingerprints, to NFC chips embedded in keys or in the cuff of a jacket.
Even though smartphones already support NFC payments, Bill Gada, SVP of Innovation at Visa, believes drivers would still put secure payment information in a car’s computer.
“People just want to conduct commerce, they don’t want to pay,” says Gada. “Having that payment data in a car would make it easier to pay for tolls, as a car quickly passes a toll gate. The same approach might apply to passing an entry point to attend a football game, paying for parking and potentially for the tickets. Additionally, that ease of payments with emerging technologies will be important in developed countries, but also in other countries that depend heavily on cash. In some emerging countries, it is dangerous to carry cash.”
Visa and other card companies are developing ways to keep in-car payment data secure, but the automotive industry will need to implement solutions that protect the driver’s data, as well their own network, from data breach attempts. Industry experts point to data encryption as a key factor in securing data.
Companies like Bluefin have blazed the trail in payment data encryption. Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) encrypts card data at the point of entry, at card swipe or dip (or, in the future, a fingerprint-triggered payment), so that clear-text cardholder data is never present in the merchant’s, enterprise’s or vehicle’s systems or network, where it could be exposed in a data breach.
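The property P2PE relies on is that the only clear-text copy of the card number exists inside the tamper-resistant terminal and, after transit, inside the solution provider's decryption environment; everything in between stores and forwards ciphertext. The Python below is an added example, not Bluefin's or Visa's code, that models those three parties. It uses HMAC-SHA256 in counter mode with an HMAC tag as a stand-in for the AES/DUKPT scheme a real terminal uses (so it runs with the standard library alone), the card number 4111111111111111 is the usual test PAN, and key loading is simplified to sharing two random keys between terminal and decryption environment:

```python
"""P2PE data flow: the clear PAN exists only inside the terminal and the
decryption environment; the merchant or vehicle system stores and forwards.
Added example, not Bluefin's or Visa's code; HMAC-SHA256 in counter mode
with an HMAC tag stands in for the terminal's AES/DUKPT (stdlib only)."""
import hashlib
import hmac
import os


def luhn_ok(pan):
    """Mod-10 check digit test; lets the terminal reject mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PaymentTerminal:
    """PCI PTS reader (or a future in-car reader): the only merchant-side
    component that ever holds clear card data. Keys are injected, never exported."""

    def __init__(self, enc_key, mac_key):
        self._enc_key, self._mac_key = enc_key, mac_key

    def capture(self, pan, expiry):
        if not luhn_ok(pan):
            raise ValueError("bad PAN")
        nonce = os.urandom(16)  # unique per transaction
        clear = f"{pan}|{expiry}".encode()
        ct = _xor(clear, _keystream(self._enc_key, nonce, len(clear)))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex(),
                "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:]}


class MerchantSystem:
    """Head unit, POS or back end: keeps the blob for the receipt and forwards it; no key."""

    def __init__(self):
        self.records = []

    def handle(self, blob):
        self.records.append(blob)
        return blob["masked_pan"]

    def holds_clear_pan(self, pan):
        """What a breach of this system would yield: is the full PAN stored anywhere?"""
        return any(pan in str(v) for rec in self.records for v in rec.values())


class DecryptionEnvironment:
    """The P2PE provider's HSM-backed side, the only other holder of the keys."""

    def __init__(self, enc_key, mac_key):
        self._enc_key, self._mac_key = enc_key, mac_key

    def decrypt(self, blob):
        nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
            raise ValueError("tag mismatch: blob altered in transit")
        pan, expiry = _xor(ct, _keystream(self._enc_key, nonce, len(ct))).decode().split("|")
        return pan, expiry


def run_transaction(pan="4111111111111111", expiry="1229"):
    """One transaction end to end; returns what each party ends up holding."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # simplified key loading
    terminal, merchant = PaymentTerminal(enc_key, mac_key), MerchantSystem()
    processor = DecryptionEnvironment(enc_key, mac_key)
    blob = terminal.capture(pan, expiry)
    shown = merchant.handle(blob)
    got_pan, got_expiry = processor.decrypt(blob)
    return {"merchant_sees": shown,
            "merchant_holds_clear_pan": merchant.holds_clear_pan(pan),
            "processor_recovered": (got_pan, got_expiry) == (pan, expiry),
            "blob": blob, "processor": processor}


def tamper_is_detected(result):
    """Flip one ciphertext byte in transit and confirm the decryptor refuses it."""
    altered = dict(result["blob"])
    ct = bytearray(bytes.fromhex(altered["ciphertext"]))
    ct[0] ^= 0x01
    altered["ciphertext"] = ct.hex()
    try:
        result["processor"].decrypt(altered)
    except ValueError:
        return True
    return False
```

The merchant class is deliberately boring: it has nothing to decrypt with, so a breach of the vehicle or the merchant back end yields a masked PAN and ciphertext it cannot open, which is the whole point of validated P2PE. The tag check matters too, since without it an attacker in the path could alter the ciphertext undetected.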
For more information on the importance of P2PE, download Bluefin’s white paper, The Impact of PCI-Validated P2PE.