Within just a five-week span in February and March, Toyota had to publicly acknowledge two high-profile cybersecurity breaches.
The first incident took place at the company’s Australian subsidiary, with corporate IT systems taken offline as the attempted cyber attack was evaluated, but it was believed that no customer or employee data had been compromised. However, there have been some impacts to parts supply, which is subsequently delaying servicing at some dealerships.
The second breach was announced by the company's main offices in Japan, with hackers breaching IT systems and accessing data, belonging to several sales subsidiaries, on up to 3.1 million customers. The carmaker said there was an ongoing investigation to find out if hackers exfiltrated any of the data they had access to.
With those two high-profile incidents as a backdrop, automotive security expert David Barzilai, Chairman & Co-Founder of Karamba Security, agreed to answer a few questions on the potential implications of these and other, potentially more devastating, cyber hacks. Here is the edited exchange.
Q: What could this Toyota issue mean for car (vehicle if broader) functionality or data privacy?
A: Hackers are starting to realize that car manufacturers are in possession of personal and valuable data on their customers. The amount and quality of data is destined to grow as manufacturers will gain more insights into the driver and the rider experience, especially as we approach a time when cars will be capable of autonomously taking passengers from point A to point B.
Q: Any other recent significant hacks?
A: Most of the recent attacks were carried out by White Hat hackers, or ethical hackers, demonstrating to the car industry vulnerabilities in the code that are susceptible to attacks. These attacks are comprehensive in nature and lead to injecting new code and taking control of the car behavior. We’ve seen some notable hacks in recent months including Keen Security Lab’s ability to mess with Tesla autopilot’s lane-recognition tech.
Q: How often does this happen in automotive, but also in the broader transportation industry?
A: Attacks on the cloud infrastructure of automotive players were not very common until now, probably due to the correct perception that these large entities know how to protect their IT infrastructure. But as the incentive for the hackers is growing, we should assume the efforts to breach the customer data are growing as well. There has been incredible progress with car technology in recent years, particularly in the connectivity channels: Wi-Fi, Bluetooth and now cellular SIM cards. Between the increase in mobility endpoints and the sheer amount of code that runs the modern car, there is a great opportunity for hackers.
Q: Where are hacks like this typically reported (only in the media), or are there other mechanisms for this like the Auto-ISAC? Any in other types of transportation?
A: The automotive industry established the Auto-ISAC exactly for this kind of scenario. Through the Auto-ISAC we, as strategic partners, are able to share threats on data and best practices. The organization is proving to be an effective mechanism for allowing collaboration with other experts in an industry that usually is fiercely competitive.
Q: Explain the general situation related to how often breaches are reported and if they frequently go undetected?
A: Since early in this decade, initial, sparse attacks like the one on OnStar have become more common and significant. The one everyone knows about, of course, is the Jeep Cherokee attack, which triggered an onslaught of activity in the automotive industry, when cybersecurity became not just an IT issue but also a cloud-to-car issue.
Q: What’s the current state of white vs black vs other types of hacks, and what is the extent of black?
A: In a recent industry report put out by Upstream Security, the number of black hat hackers’ attacks surpassed white hat incidents conducted by researchers for the first time. Those black hat attacks are usually simpler ones (key fob stealing your car) while the white hat hackers are challenging the car itself and attempting to assume control.
Q: I’ve heard repeatedly that there isn’t a way to stop infiltrations, but the best measure is how companies adapt and then correct for breaches. Can someone elaborate?
A: As per the NIST standardization, protection comes before detection. This is usually translated to various tools on the IT side (firewall, anti-virus protection, etc.) that block common attacks and then, on top of that, a detection layer to identify the specific attack and apply remediation. For in-vehicle technologies it was difficult to establish that prevention layer since the car has limited connectivity (can't rely on constant automatic updates of malware signatures) and low compute resources. However, new embedded security options have been introduced to the industry in the past three or so years, providing prevention based on runtime software integrity that shuts down both automotive attack vectors – ECUs and in-car networks – to enable end-to-end prevention of automotive cyberattacks.
Q: Anything else to add?
A: The attack on the corporate function of the automotive players is an initial testing of the water. Hackers are paying attention to the evolving mobile ecosystem and challenging the security, both in-vehicle and in the cloud. The end-to-end approach, from the cloud to the connected components in the car (ECUs) is a major investment layer that automakers are taking more seriously than ever before, especially as we get closer to the autonomous vehicle revolution.