Shipping a genuinely secure vehicle remains out of reach for many automakers. The latest to join the list of data breaches caused by avoidable errors is Nissan North America: multiple internal code repositories became public after the company left a Git server exposed to the internet and protected only by default credentials (username: admin, password: admin).
By Augustin Kurian
The trove contained 20 gigabytes of Git data, including data from:
- Nissan NA Mobile apps
- Nissan ASIST diagnostics tool
- Dealer Business Systems / Dealer Portal
- Internal core mobile library
- Nissan/Infiniti NCAR/ICAR services
- Client acquisition and retention tools
- Market research tools
- Vehicle logistics portal
The code was discovered by Swiss IT consultant and developer Tillie Kottmann, who also pointed out that the data was already being shared through torrent links and in Telegram groups.
Following the tweets, Nissan acknowledged the exposure and said that an investigation was underway. “Nissan conducted an immediate investigation regarding improper access to proprietary company source code,” the company said. “We take this matter seriously and are confident that no personal data from consumers, dealers or employees were accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.” Nissan also stated that it took down the Git server, though certain reports indicated otherwise.
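A defender who wants to confirm that a Git-over-HTTP endpoint has really been closed, rather than rely on a press statement, can probe it the way an opportunistic attacker would. The following Python script is an added example for this article, not code from Nissan or from the original piece: it asks the Git smart-HTTP discovery endpoint (`/info/refs?service=git-upload-pack`) for the repository's refs, first anonymously and then with a short list of factory default credentials such as admin/admin, and reports whether the server hands back Git protocol data. The credential list, the example host names, and the in-memory fake server used to exercise the logic offline are all constructed assumptions; point `check_repo` at `urllib_fetch` to test a real host you are authorized to scan.

```python
"""Probe a Git smart-HTTP endpoint for anonymous or default-credential access.

Added example (not code from the article or from Nissan). The host names,
credential list and in-memory fake server below are constructed.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Discovery endpoint of the Git smart-HTTP protocol. A real Git server answers
# with pkt-line data whose first line is "# service=git-upload-pack".
INFO_REFS = "/info/refs?service=git-upload-pack"
SERVICE_ANNOUNCE = b"# service=git-upload-pack"

# Constructed list of factory defaults to try (assumption; extend as needed).
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root")]

# A fetcher maps (url, Authorization header value or None) -> (status, body).
Fetcher = Callable[[str, Optional[str]], Tuple[int, bytes]]


def basic_auth(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def looks_like_git(body: bytes) -> bool:
    """True if the body starts with a pkt-line announcing git-upload-pack.

    pkt-line framing: four hex digits giving the total line length (including
    the four digits themselves), followed by the payload.
    """
    if len(body) < 4:
        return False
    try:
        length = int(body[:4], 16)
    except ValueError:
        return False
    return body[4:length].startswith(SERVICE_ANNOUNCE)


def check_repo(base_url: str, fetch: Fetcher) -> dict:
    """Classify a repository URL by what it gives away without real credentials."""
    url = base_url.rstrip("/") + INFO_REFS
    status, body = fetch(url, None)
    if status == 200 and looks_like_git(body):
        return {"url": base_url, "finding": "anonymous-read", "creds": None}
    if status != 401:  # not a Git smart-HTTP endpoint, or firewalled off
        return {"url": base_url, "finding": "not-git-or-closed", "creds": None}
    for user, password in DEFAULT_CREDS:
        status, body = fetch(url, basic_auth(user, password))
        if status == 200 and looks_like_git(body):
            return {"url": base_url, "finding": "default-credentials",
                    "creds": (user, password)}
    return {"url": base_url, "finding": "auth-required", "creds": None}


def urllib_fetch(url: str, auth: Optional[str], timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real network fetcher (only use against hosts you are authorized to test)."""
    request = urllib.request.Request(url)
    if auth:
        request.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def fake_server(accepted: Optional[str]) -> Fetcher:
    """In-memory stand-in for a Git server (constructed, for offline runs).

    accepted=None models a server that needs no login at all; otherwise only
    the given Authorization header value is accepted.
    """
    refs = b"001e# service=git-upload-pack\n0000"

    def fetch(url: str, auth: Optional[str]) -> Tuple[int, bytes]:
        if not url.endswith(INFO_REFS):
            return 404, b""
        if accepted is None or auth == accepted:
            return 200, refs
        return 401, b""

    return fetch


if __name__ == "__main__":
    # Constructed hosts: one still on admin/admin, one wide open, one fixed.
    targets = {
        "http://git.example.internal/mobile-app.git": fake_server(basic_auth("admin", "admin")),
        "http://git.example.internal/open.git": fake_server(None),
        "http://git.example.internal/fixed.git": fake_server(basic_auth("deploy", "S3cret!")),
    }
    for base, server in targets.items():
        print(check_repo(base, server))
```

Two caveats for real use: products that redirect anonymous requests to an HTML login page instead of answering 401 will show up as `not-git-or-closed`, so adjust the status handling for the server in question, and a `default-credentials` or `anonymous-read` result on an internet-facing host means the history of every repository behind it should be treated as disclosed, not just the files visible at HEAD.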
For the most part, the incident was an embarrassing security failure, and Nissan is not alone. Tillie Kottmann had earlier found a similar weakness at Mercedes-Benz that allowed the download of more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans. Nor is that all. Earlier this year, a data breach affected 384,319 BMW customers in the U.K. The stolen database contained over 500,000 customer records dated between 2016 and 2018 and also covered U.K. owners of vehicles from other manufacturers, including Honda, Mercedes, SEAT, and Hyundai. The exposed information included surnames, email addresses, vehicle registration numbers, residential addresses, dealer and dealership names, and car registration details.
Habitual Offence for Automakers
Most of these incidents, and several others that haven’t been mentioned here, highlight the dire straits of cybersecurity among automakers. “Carmakers have sacrificed the security of scores of modern cars for the sake of convenience. And, with other methods of car theft also rife and the number of cars being stolen on the rise, manufacturers must do more to make their cars more secure,” suggests an earlier CISO MAG report.
Several manufacturers have become desensitized to cybersecurity and fail to recognize that it is essential to the road ahead. Cyberattacks could cost the auto industry an estimated $24 billion within five years.
According to a study by the Ponemon Institute, nearly 30% of companies in the automotive sector do not have a dedicated cybersecurity team to manage their technology and security infrastructure, let alone secure connected cars. The situation is so dire that many do not even engage a third-party vendor to secure the software in their connected vehicles.
“As more connected vehicles hit the roads, software vulnerabilities are becoming accessible to malicious hackers using cellular networks, Wi-Fi, and physical connections to exploit them,” data protection research group the Ponemon Institute said in the report. “Failure to address these risks might be a costly mistake, including the impact they may have on consumer confidence, personal privacy, and brand reputation.”
The study also found that nearly 63% of vehicle manufacturers test less than half of the software, hardware, and other technology deployed in their vehicles. The study sampled 15,900 IT security practitioners and engineers in the automotive industry.
Connected Cars: An Insider Threat
At a time when cars are predicted to generate 25 gigabytes of data per hour, enterprises may need to treat connected cars as an insider threat because of their exposure to data theft. Cars ship with connected features that pair a personal device for purposes such as hands-free calling, infotainment, GPS, and maps. Pairing a smartphone that carries sensitive data with a car's network may pose a serious risk, because the car keeps copies of contacts, call logs, messages, and location history long after the phone has left it. The data at risk can be personal or corporate, all the more so since COVID-19 pushed many employees to read work email on personal devices.
Information security leaders are often unaware of how many cloud apps run on employees' personal devices. According to a 2017 Symantec report, most CISOs and CIOs assumed that employees in their organizations used up to 40 cloud apps on their devices (smartphones, tablets, laptops), when in reality the number was closer to 1,000. The volume of data that can be exposed is massive. CISOs need to be more vigilant, or they may find data breaches arriving by a route they never considered. To prevent data theft from insider threats through connected cars, organizations can do the following:
- Train employees on safe techniques for pairing devices with cars, including deleting paired devices and stored data before a vehicle is sold, returned, or handed to someone else.
- Encourage employees to charge mobile devices from the 12 V (cigarette lighter) socket with their own adapter rather than through the car's USB port, which carries data as well as power.
- Encourage employees to put basic protections on their own devices, such as a firewall, antivirus, and full-device encryption.
- Issue company-owned devices with mobile device management (MDM) software.
- If a device is lost, there should be a way to locate and lock it and, if necessary, wipe it remotely.
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.