As the cars we drive become smarter and incorporate digital infotainment and features such as vehicle-to-vehicle and vehicle-to-roadside communications, the attack surface widens. Carmakers have also begun to vie with one another to make it easy for drivers to use their smartphones to control some of the car’s key features, opening a whole new Pandora’s Box of potential major security threats.
Today, almost all car manufacturers offer support for Apple CarPlay and Android Auto in their vehicle infotainment systems. Unlike previous automotive technologies, Android Auto and Apple CarPlay let the car’s infotainment system exchange information directly with the driver’s smartphone. Once a victim’s phone has been compromised and is connected to Android Auto or Apple CarPlay in their car, a threat actor can track the precise location of the victim’s vehicle, access sensitive information about the car’s activities and security codes, and prevent proper operation of the car.
Several automakers have also recently announced that their infotainment systems will now run on the Android OS, giving users direct access to the Google Play Store and thereby opening a new back door for threat actors to submit a malicious app. And the Android Automotive OS is not the only smartphone OS currently under development. Chinese automakers such as BYD, NIO and others are also creating their own OS to allow access to an application store where visitors can download almost any app. Automakers across the world, including Tesla, BMW and others, are increasingly migrating their important operations into apps on consumer phones.
Over the next few years, auto apps are set to become as ubiquitous as smartphone apps: Gartner predicts that while only around 1% of vehicles have an integrated Android Automotive OS, this will jump to 70% by 2028.
But smartphones themselves are notoriously vulnerable to phishing campaigns and malspam. Once a threat actor has successfully gained access via a compromised smartphone to a sensitive internal unit in the vehicle such as an On-Board Unit (OBU) or a Road Side Unit (RSU), there are a variety of ways to take control of a vehicle, even while it is still moving. For example, a threat actor or terrorist group could use a malicious OBU to reroute traffic by sending messages announcing a collision alert, directing the victims to a predetermined and highly dangerous location.
In addition to hacking into individual vehicles, the more ambitious threat actors have now begun to attack the major automakers. Although automotive companies are not as commonly targeted as financial, retail and manufacturing organizations, the car industry has now been identified as “the next profitable sector” on criminal forums, specifically those used by ransomware groups. The automotive sector has been less vigilant and aware of cybersecurity risks and threats than other more frequently targeted sectors. It therefore represents convenient and easy prey for those ransomware groups with the proven resources to compromise large, well-defended organizations.
In recent years, threat groups, especially those in the ransomware industry, have come to understand that compromising the right victims in the auto sector might lead to big profits, drawing the attention of the most notorious groups such as Hive, BlackCat, Snake and, of course, LockBit 3.0. In 2021, a new trend emerged in the tactics used by ransomware groups. Many began to offer employees of a potential target organization large sums of money to obtain their log-in credentials in order to gain entry to the target organization.
Now a main focus for ransomware groups in 2022, the technique was applied to the upcoming automotive giant Tesla as early as 2021. An employee received an offer of $1 million paid in cryptocurrency from an individual named Egor Igorevich Kriuchkov. However, Kriuchkov made a cardinal error. While most ransomware groups try to contact leading employees remotely, Kriuchkov met the Tesla employee in person. Fortunately, the Tesla employee reported the incident, leading to Kriuchkov’s arrest. Tesla was extremely fortunate that the threat actor chose an honest employee willing to turn down $1 million and was also foolish enough to make a personal appearance.
Rather than cheering over Kriuchkov’s arrest and Tesla’s apparent victory, all major carmakers should conduct an immediate review of their cybersecurity strategy. Given the widespread nature of insider threat, companies can no longer pretend to their customers and themselves that their cyber defenses deliver adequate protection against all forms of cyberattack. In addition to considering the latest defensive strategies such as zero-trust and XDR, carmakers must now also commit significant resources to acquiring the necessary threat intelligence to warn themselves of planned and ongoing attacks specifically directed at their organization and staff.
Yochai Corem, chief executive officer, Cyberint