Upstream’s AutoThreat Intelligence analyzes and circulates cyber-threat intelligence specific to the automotive sector. Here’s the latest list of the most interesting incidents: the 7 deadly sins, so to speak, of the cyber world.
- 100 cars stolen through electronic device hack: Six members of a gang of thieves in India were arrested and accused of stealing connected vehicles by “misusing electronic devices”. After each theft, the vehicle’s license plate was replaced, and the registration number and color of the car were altered. It was suspected that the gang stole more than 100 vehicles that were then sent to be sold in another region in India.
- Permission bypass vulnerability found in vehicle infotainment OS: Researchers discovered a vulnerability in Android Auto settings which allowed permission bypass due to an unsafe Android reference token (PendingIntent). The bypass could allow local information disclosure, resulting in command execution privileges. The vulnerability could be triggered locally without user interaction.
- Data of truck and freight companies stolen and posted: A hacking group posted data that was stolen from Manitoulin Transport, one of Canada’s largest trucking companies. The company claimed that its IT department reacted quickly to the attack and that, as a result, mission-critical systems were not compromised. The affected systems were back in operation about two days after the initial attack. Throughout August and September, data of six other supply chain companies was also posted by ransomware groups, raising concern about a connection between the cases. Other impacted companies include TFI International and Beler Holdings.
- Battery degradation prevented by CAN-message hack: To prevent battery degradation in the Nissan Leaf, a hacker developed a CAN bridge to hack the CAN messages between the battery management system and the vehicle. By hacking into the CAN messages sent to the battery management system, the hacker was able to lower the charging speed and prevent the battery from heating, a primary cause of degradation. The hacker offered the CAN bridge and its software for sale at 450 Euro.
- Employee loses lawsuit after allegedly hacking into OEM operating system: Tesla won a legal case against one of its former employees after firing them for allegedly hacking internal data and transferring it to third parties. In its complaint, Tesla accused Martin Tripp, a former Tesla employee, of writing software to hack into Tesla’s manufacturing operating system, sharing stolen data with people outside the company, and making false claims to the media about the information he stole. Tesla claimed that Tripp’s actions cost the company $167 million in damages due to stock prices falling. This claim, however, was not the winning argument of the lawsuit; Tesla won the suit because Tripp’s actions were deemed to violate the Nevada Computer Crimes Law.
- Ride-hailing app fined S$10,000 for user data privacy violation: Singapore’s privacy watchdog fined ride-hailing app GrabCar S$10,000, claiming that a 2019 software update put the data of some users at risk of unauthorized access. According to the accusation, the update put at risk the personal data of 21,541 drivers and passengers, including the profile pictures, names, and vehicle plate numbers related to the carpooling service GrabHitch. According to GrabCar, there was no evidence that this vulnerability was exploited.
- Thieves used jammers to steal cars in Kenya: Vehicle thieves in Kenya used jammers to steal vehicles. As drivers parked and presumably locked their vehicles with key fobs, thieves jammed the signal, and though the car’s alarm made its usual sound, the car did not lock. The police claimed that the thieves also often disabled the car’s GPS trackers with jammers that were purchased online.
Shachar Azriel is AutoThreat Product Manager & Team Lead at Upstream.
“In many industries, there is growing demand for transparency in product processes and content. Companies are increasingly asked to detail the composition of their products and where they have been made. Consumers are now aware if their sneakers were made in sweatshops or if their food contains animal products. In turn, many companies have to invest heavily into finding alternatives to attract and retain their customers.
“However, when it comes to consumer electronics or the automotive industry, transparency is not always readily available. For example, consumer electronics companies and automotive OEMs may struggle to provide transparency either due to a logistical challenge (it is quite challenging to produce and manage a bill of materials for a product consisting of hundreds of thousands of parts, such as a car), or it is kept secret, as the product’s components and processes are seen as core competitive advantages where the producer or supplier simply does not want to provide the information.
“As such, a connected car could contain vulnerable hardware or software, and the consumer, whether that be the driver, or the OEM purchasing the components from a Tier-1 or 2 supplier, could not know the danger. Even if a consumer did want details of the vehicle components, tracking them would be a daunting task. Consumers simply have to trust the suppliers, car manufacturers, or regulatory bodies with issues that directly relate to their health and well-being. Often, OEMs and federal bodies do not even have access to the in-depth component data and potential threats posed by them.
The Supply Chain Black-Hole
“These concerns are inextricably related to one of the most significant challenges facing the automotive industry today – the supply chain.
“Simply put, the OEM who builds the vehicle assembles it from thousands of software and hardware modules and systems produced by Tier 1 suppliers. These thousands of components are constructed from various individual components supplied to the Tier 1s by their Tier 2s. And so the cycle goes on. Each component’s quality and safety are entrusted to the company that produces it.
“But who is overseeing the quality and safety of each company in the supply chain? The supplier producing the components could easily vary its sources according to its agenda, safety standards, or financial capability. This can lead to a scenario where an OEM and drivers are left in the dark about what is under the vehicle’s hood.
“This isn’t a theoretical issue. It is happening right now.
“In early 2021, a security researcher hacked the lcn2kai Bosch infotainment unit in a Nissan Xterra vehicle. The hacker found a vulnerability in the infotainment system; by plugging in a USB device, they could gain root shell access to the system and gain administrator access to install unauthorized software. The hacker added that Bosch’s infotainment vulnerability could also affect additional Nissan models produced after 2015, including Rogue, Sentra, Altima, Frontier, and various other commercial models.
“Upstream research then revealed that additional OEMs installed a similar Bosch infotainment in various car models, which may expose them to the same vulnerability. This begs the question, what other models or companies are impacted by this component vulnerability? Would the driver of said vehicles even know they had a vulnerable component installed in their car?
“Not every OEM tracks potential cyber vulnerabilities related to the components. Therefore, there is no guarantee that the Tier 1 supplier responsible for the vulnerability replaced the model and addressed the vulnerability in tens of thousands of vehicles.
“The OEM challenge of tracking and effectively addressing component vulnerabilities grows even more significant due to the global shortage of semiconductors. Due to increasing demand and subsequent shortage of components, Tier 1 suppliers may attempt to secure new Tier 2 components more hastily, without allowing the proper time for due diligence to ensure their origins and potential vulnerabilities.”