Car dealerships are prime targets for hackers eager to exploit weak security and access a treasure trove of financial data and gain access to third-party vendor supply chains.
According to a Tuesday report posted to AT&T Cybersecurity's blog, cybercriminals are zeroing in on car dealerships, considering them easy targets for a cyberattack. Attack vectors include "outdated IT infrastructure and lacks sufficient processes in terms of protecting employee login details," according to the report.
Adding to the mix of security issues is the growing number of increasingly sophisticated computer-based diagnostic tools used in auto repair bays and computer systems in car dealer back offices. That has adversaries revving their hacker engines, ready to attack, said Theresa Lanowitz, head of cybersecurity evangelism at AT&T Business.
"Employees in a car dealership may have lax security hygiene which means it's even easier for adversaries to launch attacks. And car dealerships have repair bays with internet connected devices. These devices, if breached, also offer an adversary a way into the network to potentially execute nefarious activities," Lanowitz said.
Those attack surface weak spots are low-hanging fruit for attackers to easily plant malware, eavesdrop on insecure Wi-Fi connections or exploit poor password hygiene.
No such thing as cybersecurity airbags
The danger is not theoretical for dealerships or vendors connected to dealerships who could also be put at greater risk. In a separate report out this week, researcher Eaton Zveare detailed a severe vulnerability he found in the web portal of Toyota’s global supplier management network.
"I hacked Toyota's Global Supplier Preparation Information Management System," Zveare wrote. The system in question is "a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases, and other tasks related to the global Toyota supply chain."
The research, conducted in 2022 and disclosed this week, allowed the researcher to access 14,000 corporate user accounts and confidential documents. The issue was responsibly disclosed to Toyota and the security hole was mitigated immediately.
FTC tackles dealership security and more
When SC Media looked more closely, we found that auto dealers, along with mortgage brokers, realtors, and payday lenders, now face stringent new cyber regulations under the Federal Trade Commission's Safeguards Rule. Once the rules go into effect on June 9, 2023, companies that must comply with them could face fines of $50,000 per infraction.
The federal government extended a Dec. 9 compliance deadline six months so the affected companies could implement cybersecurity programs adhering to the Safeguards Rule. The FTC wants to ensure security and confidentiality of customer information, protect data from security hazards and guard against unauthorized access to customer information.
The FTC stipulated nine provisions including:
- Designate a “qualified individual” to oversee their information security program; this could be a full-time employee or a managed service provider.
- Develop a written risk assessment.
- Limit and monitor who can access sensitive customer information.
- Encrypt all sensitive information in transit and at rest.
- Test and monitor effectiveness of key controls, systems, and procedures.
- Train security personnel.
- Develop an incident response plan.
- Oversee service providers by taking reasonable steps to select, retain, and periodically assess their security practices.
- Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Will LaSala, Field CTO at OneSpan, which authenticates and encrypts loan processing information for auto loan and real estate transactions, said the FTC has asked the industry to more carefully monitor how transactions at these companies take place.
The FTC also wants companies to better safeguard against insider threats.
“Nobody knows your networks more than your own employees,” said LaSala. “Many often don’t know that they shouldn’t pull up customer information in front of another customer. The FTC is asking companies to create an annual report on how they are securing these users. Ultimately, the FTC is saying that if anything goes wrong, it will probably end up in a fine.”