According to a new FBI warning, hackers are now targeting the U.S. automotive industry. In a Private Industry Notification (PIN) sent out to private sector partners, the FBI’s Cyber Division warned that malicious cyber actors have been active since late 2018. They appear to be stepping up their activities to include ransomware infections, data breaches, phishing attacks, and corporate espionage activities. In an era of Internet-connected vehicles and autonomous, self-driving cars, these hackers have more opportunities than ever before to wreak havoc within the automotive industry.
Types of cyber attacks against automotive industry
The FBI warning, which was obtained by media outlet CNN, offered both a high-level view of the types of cyber threats facing the automotive industry, as well as a specific look at the types of attacks that have been carried out over the past 12 months. While the FBI warning did not name any specific cyber actors responsible for these attacks, it did note that the U.S. automotive industry has become an attractive target for both nation-states and cybercriminals. This is due primarily to the vast amount of data that is available within enterprise computer networks.
Javvad Malik, Security Awareness Advocate at KnowBe4, comments on the new cyber threat landscape for the automotive industry: “Aside from something with criminals attacking companies for financial gain, there are state-sponsored and other groups engaged in espionage against specific industries and the automotive industry is no exception.”
As the FBI warning points out, the most common type of attack being carried out against the U.S. automotive industry is the so-called “brute force” attack on computer networks. An example of this attack would be a credential stuffing attack, in which rogue hackers get their hands on a vast database of stolen username/password combinations, and then go about trying each and every one of these combinations on automotive computer networks. In one attack detailed by the FBI warning, hackers carried out a brute force attack on an employee login page.
A second type of attack, says the FBI warning, is a phishing attack carried out via email. In this attack scenario, employees of large companies within the automotive industry are sent emails with malicious attachments. When employees open these emails and click on a link or an attachment, malicious code is inserted on the user’s computer. This potentially enables hackers to roam unchecked through a computer network, looking for sensitive data. A more advanced scheme is a business email compromise (BEC) attack in which hackers gain access to employee email accounts. Once they have done so, they can either send out emails from top executives or set up mailbox rules so that employee email accounts forward all messages that include sensitive information (such as updates about new payments or transactions).
A third type of attack, according to the FBI warning, is the ransomware attack. This attack, once rare, is becoming more and more common. In 2017, for example, Honda Motor Company suffered a major WannaCry ransomware attack. In a typical ransomware attack, hackers gain access to a database or computer network and deny access to it unless a large ransom is paid (usually in a cryptocurrency such as Bitcoin). If the ransom is not paid, hackers simply erase all data or discard the key needed to decrypt it. But, in at least one attack detailed by the FBI warning, hackers did not provide access to the decryption key even after the ransom was paid – highlighting the risks of dealing with rogue adversaries, many of them based in foreign countries.
Elad Shapira, Head of Research at Panorays, comments on the new wave of attacks within the automotive industry: “Hackers target anyone who is connected to the internet and disrupt companies by using methods like ransomware and phishing to monetize on sensitive business information. The automotive industry is unfortunately no exception to these criminal activities, so it’s not surprising to hear that they are being targeted for cyber attacks like everyone else. Like enterprises across all industries, the automotive industry must put in place cybersecurity processes and procedures to guard against such attacks. In particular, when an enterprise shares data or partners with other organizations, it needs to be aware not only of the risk directly posed to its systems, but the risk to its partners’ systems as well.”
Future risks with connected cars and autonomous vehicles
Taking a forward-looking approach, the new FBI warning highlighted a few of the risks facing companies in the automotive industry as a result of rapid technological advances in Internet-connected vehicles and autonomous, self-driving cars. The amount of data collected by connected vehicles and autonomous cars is vast and growing, and that is leading to a wide range of cyber threats previously unknown and unimagined. That data is itself a huge risk.
Rogue nation-states may be looking to steal corporate intellectual property, and they may also be looking to access all the data held within enterprise computer networks. And, of course, there is always the possibility that terrorist hacker groups might view autonomous cars as a potential “soft target” for a disruptive attack on the U.S. transportation grid.
With autonomous cars, the attack surface for hackers becomes even wider, with many more unprotected access points. By attacking Internet-connected cars from a specific auto manufacturer, for example, hackers might be able to gain back-door access to the enterprise computer networks of a major company. As a result, connected vehicles become a highly valued target. Warnings of hacker attacks on connected cars date back to 2016, when both the FBI and National Highway Traffic Safety Administration (NHTSA) warned of potential “car hacking” scenarios. Going forward, the automotive industry likely will face many more of these threats.
Recommendations in the new FBI warning
The new FBI warning also highlighted a few of the ways that companies within the automotive industry can update and upgrade their data security practices. Basic security measures include stronger passwords, encryption of all sensitive data, multi-factor authentication (MFA), lockout policies, frequent updates and patches to software and IT assets, and regular data backups. In addition, automotive companies can be doing a much better job of teaching employees how to spot various types of fraud (e.g. phishing scams).
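The credential stuffing attack described earlier and the lockout policies recommended here interact in a way that is easier to see in code: a per-account lockout stops repeated guessing against one login, but a stuffing run that tries each stolen pair once never reaches the threshold, so it has to be detected per source. The following is an added example, not taken from the FBI notification or this article; the log format, thresholds, usernames and (documentation-range) addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 600      # assumed 10-minute analysis window
LOCKOUT_THRESHOLD = 5     # assumed per-account lockout policy
STUFFING_MIN_USERS = 5    # assumed: distinct accounts failed from one source

def build_sample_log():
    """Constructed sample lines: 'timestamp source_ip username result' (UTC)."""
    users = ["asmith", "bjones", "cwu", "dlee", "egarcia", "fkhan", "gnovak", "hross"]
    lines = []
    # One source tries 8 different accounts once each (credential stuffing).
    for i, user in enumerate(users):
        result = "OK" if user == "dlee" else "FAIL"   # one reused password works
        lines.append(f"2019-11-20T09:00:{i:02d} 203.0.113.7 {user} {result}")
    # Another source hammers a single account (classic brute force).
    for i in range(6):
        lines.append(f"2019-11-20T09:01:{i:02d} 198.51.100.23 jdoe FAIL")
    # An ordinary employee mistypes once, then logs in.
    lines += ["2019-11-20T09:02:00 192.0.2.10 mchan FAIL",
              "2019-11-20T09:02:09 192.0.2.10 mchan OK"]
    return lines

def analyze(lines):
    """Return (findings keyed by source IP, accounts a lockout policy would lock)."""
    fails = defaultdict(lambda: defaultdict(int))   # (ip, window) -> user -> failures
    hits = defaultdict(set)                         # (ip, window) -> users logged in
    per_account = defaultdict(int)                  # user -> total failures
    for line in lines:
        ts, ip, user, result = line.split()
        window = int(datetime.fromisoformat(ts + "+00:00").timestamp()) // WINDOW_SECONDS
        if result == "FAIL":
            fails[(ip, window)][user] += 1
            per_account[user] += 1
        else:
            hits[(ip, window)].add(user)
    findings = {}
    for (ip, window), users in fails.items():
        if max(users.values()) >= LOCKOUT_THRESHOLD:
            findings[ip] = ("brute_force", sorted(users))
        elif len(users) >= STUFFING_MIN_USERS:
            # Successes from a stuffing source are likely compromised accounts.
            findings[ip] = ("credential_stuffing", sorted(hits[(ip, window)]))
    locked = sorted(u for u, n in per_account.items() if n >= LOCKOUT_THRESHOLD)
    return findings, locked

if __name__ == "__main__":
    findings, locked = analyze(build_sample_log())
    print(findings, "| lockout alone would lock:", locked)
```

On the sample data the lockout policy locks only `jdoe`, while the per-source view also flags the stuffing source and surfaces `dlee` as an account whose password should be reset.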
Jonathan Deveaux, head of enterprise data protection at comforte AG, comments on the need for automakers to implement new data security practices: “Data security from yesterday may not protect organizations tomorrow. With more cyber attacks looming in the auto industry, companies need to deploy cyber defenses that are more effective. Unfortunately, perimeter security, stronger passwords, or even intrusion detection are still being bypassed due to sophisticated techniques and vulnerabilities. Insider attacks have already proven that no matter how much investment is spent in some of these areas, attackers may already be on the inside.”
As the FBI warning also notes, a large number of data breaches within the automotive industry target data that is left unencrypted. Thus, one basic step that companies can take to deter this threat is simply encrypting all data. This would apply both to industrial trade secrets and customer information (especially personally identifiable information).
Cyber threat landscape for automotive industry
If there is one big takeaway from the FBI warning, it is that there are two major types of cyber threat actors: nation-states and financially motivated actors (i.e. cybercriminals). As a result, the range of cyber threats is quite wide. In fact, cyber threats and malicious activity are growing at an exponential rate. Automotive companies need to develop proactive defensive security measures to deal with all of the risks highlighted by the FBI warning.