From Ferrari to Ford, cybersecurity bugs plague automotive safety
January 6, 2023
A range of automakers from Acura to Toyota are plagued by security vulnerabilities within their vehicles that could allow hackers to access personally identifiable information (PII), lock owners out of their vehicles, and even take over functions like starting and stopping the vehicle’s engine.
According to a team of seven security researchers, whose efforts were detailed on web application security specialist Sam Curry’s blog, vulnerabilities across automakers’ internal applications and systems allowed them, in a proof-of-concept hack, to send commands using only the VIN (vehicle identification number), which can be seen through the windshield from outside the car.
In all, the team uncovered serious security issues from automakers such as BMW, Ferrari, Ford, Volvo, and many others, across Europe, Asia, and the United States. It also found issues at suppliers and telematics companies including Spireon, which develops GPS-based vehicle tracking solutions.
A BMW Group spokesperson tells Dark Reading that IT and data security have the “highest priority” for the company and that it is continuously monitoring its system landscape for possible vulnerabilities or security threats.
The spokesperson adds that the vulnerability mentioned in the report has been known since the beginning of November and has been processed according to BMW’s “security standard operating procedures,” e.g., its bug-bounty program.
“The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks,” the spokesperson says. “No vehicle-related IT systems were affected nor compromised. No BMW Group customers or employee accounts were compromised.”
This is only the latest security concern to come to light. In March, telemetry from industrial systems security firm Dragos spotted Emotet command-and-control servers communicating with several automotive manufacturer systems. The malware is commonly used as an initial infection vector to drop ransomware.
In December, at least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious types to do the same from afar.
Automakers Slow to Recognize Growing Threat
Even though security vulnerabilities have been an issue in the industry for some time (going back to Charlie Miller and Chris Valasek’s infamous 2015 Jeep hack detailed at Black Hat USA), automakers have been slow to recognize the potential severity of the developments, says Gartner automotive industry analyst Pedro Pacheco.
He explains that as automakers transition into becoming software developers, they are struggling to address all points of that development cycle — including security.
“One very simple notion is if you’re not good in software, you’re probably not going to be very good in making that software safe,” he says. “That is guaranteed.”
To read the complete article, visit Dark Reading.