Information security news in the transport industry – August 2024

Each quarter, we select a few news stories that touch on the topic of cybersecurity in the field of automotive and transportation technology
Andrey Fadin
Transport cybersecurity product manager, KasperskyOS business development department

Each quarter, we select a few news stories that touch on the topic of cybersecurity in the field of automotive and transportation technology. These events provide a clear reflection of the current state of information security systems and practices in the transport industry, while also highlighting typical vulnerabilities. Our experts examine each case and offer recommendations on areas to focus on when building and improving information security (IS) systems.

In this issue, we:

  • Analyze how cyberattacks on automotive supply chains in the USA and Canada signal a shift in attackers’ focus.
  • Explain why a vulnerability in the OpenSSH server poses risks for automotive software developers, and why narrower, message-based protocols are a better fit for remote vehicle access.
  • Revisit the state of IT systems in the transport industry, using Southwest Airlines as an example, following the global CrowdStrike outage.

Series of cyberattacks on automotive supply chains

What happened?

Two successive cyberattacks on CDK Global in June 2024, described in press reports as a ransomware incident attributed to the BlackSuit group, severely disrupted thousands of auto dealerships across North America. Nearly 15,000 dealerships in the USA and Canada lost the dealer management system they rely on for sales, financing, and billing. Dealers of major automakers, including Ford, General Motors, and Stellantis, run on CDK Global systems. At the time, experts expected full restoration to take several weeks.

Another dealer-side incident occurred in Florida, USA, where an attacker accessed a car dealership’s system, altered the delivery address on an order to have a Mercedes-Benz GLS600 Maybach worth about $200,000 delivered to him, later repeated the trick with a $400,000 Rolls-Royce Cullinan, and disappeared without a trace. No vehicle was hacked; the dealer’s back-office system was the weak point.

Who is affected?

  • Service centers of car manufacturers (dealer workshops).
  • Service centers of carsharing operators.
  • Other aftermarket stakeholders.

Why did it happen?

These incidents show that attackers are shifting their focus from hacking vehicles to targeting individual links in the supply chain. The automotive ecosystem includes many players: suppliers of electronic control units (ECUs), software, and chipsets (Tier 1 and Tier 2 suppliers), repair shops, dealers, and resellers. Vulnerabilities in third-party hardware or software create IS risks for the vehicle itself, and Tier 1 and Tier 2 components are the most exposed link, because a flaw in a single component can become an attack vector against the entire vehicle.

Repair shops are also critical links in the security chain because they use the diagnostic tools and access keys the OEM provides for ECU diagnostics. Access to sensitive ECU functions is typically gated by the SecurityAccess service (SID 0x27) of ISO 14229-1 (UDS): the ECU returns a seed, and the tester must answer with a key derived from it by a secret algorithm. On its own, this mechanism does not provide reliable, granular access control. A common weakness is a single secret issued for every ECU in a batch, so that one leak (from a tool, a workshop, or a single unit) unlocks the whole batch, and an attacker holding it can reflash the vehicle’s electronic units for malicious purposes. Per-unit key diversification, attempt counters and delays after failed attempts limit the damage, but the service still only answers the question “does this tester know the secret?”, not “should this tester perform this operation on this vehicle right now?”.

Dealers and resellers also become important security actors because they use online services provided by car manufacturers. Vulnerabilities in their IT systems can lead to the compromise of credentials, keys and services, posing a significant risk of vehicle theft or illegal reflashing. Cybersecurity in the automotive industry lags significantly behind sectors such as finance or IT. For instance, the Auto-ISAC (Automotive Information Sharing and Analysis Center) was only established in 2015, much later than similar centers in other industries: the Financial Services ISAC (FS-ISAC) was founded in 1999, and the Communications ISAC for the telecommunications industry in 2000.

What do we recommend?

It is crucial that automakers not only establish robust information security processes within their own operations but also work collaboratively to share information about cyberthreats and strengthen defenses throughout the supply chain.

Improving cybersecurity approaches for automotive industry stakeholders (OEMs, Tier 1, Tier 2) should be based on the requirements of two major standards: UN Regulation No. 155 (UN R155), which requires manufacturers to operate a certified Cybersecurity Management System (CSMS) as a condition of vehicle type approval, and ISO/SAE 21434, which specifies cybersecurity engineering processes across the vehicle lifecycle, from concept and development through production, operation and decommissioning. Kaspersky helps automakers and other transport industry players build IS processes and develop requirements for suppliers and partners, based on years of industry experience and the requirements of these standards.

At the vehicle level, we recommend software built on a secure-by-design architecture that specifically addresses the challenges of automotive cybersecurity. For example, Kaspersky Automotive Secure Gateway combines the functions of a telematics control unit (TCU) and a secure gateway, and supports stronger authentication of diagnostic devices based on the Car Connectivity Consortium Digital Key (CCC DK) specification and the Authentication service (SID 0x29) introduced in ISO 14229-1:2020, which replaces the shared seed/key secret with certificate-based or challenge-response authentication of the tester.

Dangerous vulnerability in OpenSSH

What happened? 

On 1 July 2024, Qualys disclosed a vulnerability in the OpenSSH server (sshd), the standard remote-login daemon on Unix-like systems, that can allow an unauthenticated remote attacker to execute arbitrary code as root. The flaw, CVE-2024-6387, dubbed “regreSSHion”, is a signal-handler race condition that regressed in OpenSSH 8.5p1 and affects versions up to 9.7p1 on glibc-based Linux; it is fixed in 9.8p1. Exploitation was demonstrated only on 32-bit Linux and needs many hours of repeated connection attempts to win the race, and OpenBSD is not affected, but the outcome of a successful attempt is full compromise of the host, so the risk is significant. Where a patched package cannot be rolled out immediately, setting LoginGraceTime to 0 in sshd_config blocks the exploit at the cost of exposing sshd to connection exhaustion.
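An added triage helper, written for this article rather than taken from OpenSSH or from the Qualys advisory: it classifies SSH version banners (as returned by ssh-keyscan or a port scanner) against the version ranges the advisory lists. The host names and banners below are constructed. Treat the result as a work list, not a verdict: distributions backport the fix without changing the upstream version number, so hosts flagged as vulnerable-unless-backported must be checked against the vendor’s patched package revision, which the banner’s comment field usually carries.

```python
import re

# Matches portable ("OpenSSH_9.6p1") and OpenBSD-native ("OpenSSH_9.7") banners and
# keeps the trailing distribution comment (e.g. "Ubuntu-3ubuntu13.3") if present.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
    r"(?:\s+(?P<comment>.*))?$"
)


def parse_banner(banner: str):
    """Return (major, minor, portable_patch_or_None, comment), or None if not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    portable = m.group("portable")
    return (int(m.group("major")), int(m.group("minor")),
            int(portable) if portable is not None else None,
            (m.group("comment") or "").strip())


def regresshion_status(banner: str) -> str:
    """Classify a banner against the version ranges given for CVE-2024-6387.
    One of: not-openssh, openbsd-unaffected, vulnerable-old, unaffected,
    vulnerable-unless-backported, fixed."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    major, minor, portable, _comment = parsed
    if portable is None:
        # No "pN" suffix: OpenBSD's native build, whose syslog() is async-signal-safe.
        return "openbsd-unaffected"
    version = (major, minor, portable)
    if version < (4, 4, 1):
        return "vulnerable-old"                 # unless patched for CVE-2006-5051
    if version < (8, 5, 1):
        return "unaffected"                     # the 2006 fix is still present here
    if version < (9, 8, 1):
        # Distributions backport the fix without changing this number; compare the
        # comment field (package revision) against the vendor advisory before acting.
        return "vulnerable-unless-backported"
    return "fixed"


def triage(banners):
    """Map host -> status for {host: banner}, with hosts needing follow-up listed first."""
    order = ["vulnerable-old", "vulnerable-unless-backported", "not-openssh",
             "openbsd-unaffected", "unaffected", "fixed"]
    result = {host: regresshion_status(b) for host, b in banners.items()}
    return dict(sorted(result.items(), key=lambda kv: order.index(kv[1])))


# Constructed sample banners; not from a real scan.
SAMPLE_BANNERS = {
    "tcu-build-host": "SSH-2.0-OpenSSH_9.7p1 Debian-7",
    "dealer-gw":      "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "plc-jump":       "SSH-2.0-OpenSSH_7.4p1",
    "legacy-hmi":     "SSH-2.0-OpenSSH_3.9p1",
    "bastion":        "SSH-2.0-OpenSSH_9.8p1",
    "obsd-router":    "SSH-2.0-OpenSSH_9.7",
    "access-switch":  "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print("%-15s %-28s %s" % (host, status, SAMPLE_BANNERS[host]))
```

The regular expression also surfaces the distribution comment, which is what you compare against the vendor’s fixed package version; a banner such as 9.6p1 with a current Ubuntu revision may already be patched, while the same upstream number on an unmaintained appliance is not.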

Who is affected? 

This vulnerability is relevant to every participant in the transport industry, from manufacturing and sales to vehicle operations and maintenance: any exposed sshd on an affected version, whether on a plant server, a dealer back end, a telematics back end or a Linux-based in-vehicle unit, is a target.

Why is it happening? 

OpenSSH is close to ubiquitous, and it is also used in the transport and automotive sectors, including for remote access to vehicle systems. Interactive SSH access is a poor fit for that purpose because it is hard to scope per service: handing out an operating system shell over SSH allows any command to be run, so access is hard to differentiate. SSH can pin a key to a single command (ForceCommand, or the restrict option in authorized_keys), but authorization is still expressed in terms of Linux users, files and processes. Access control in a car’s ECUs must also take into account the state of the vehicle and information about its owner, which these mechanisms cannot express, so it is difficult to set granular rules and to block certain vehicle actions in certain situations.

Such tools therefore increase risk: they cannot provide the level of control and protection needed in complex systems such as automotive platforms.

What do we recommend?

We recommend that automotive software developers use message-oriented protocols with an explicit topic and command model, such as MQTT, for remote monitoring, telemetry collection and remote commands. Such protocols make it possible to define and limit the commands and permitted operations for each system component, and to enforce those limits at the broker. Authorization of each command should take into account the identity and role of the sender, the vehicle it targets, the vehicle’s current state, and other relevant factors.
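The following added example (illustrative, written for this article and not the gateway’s own code) shows what that kind of authorization looks like at an MQTT broker: a publish/subscribe decision hook that checks role, VIN binding and vehicle state, which an SSH shell cannot express. The topic scheme, roles, command catalogue, state fields, VINs and principals are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Assumed topic scheme (not a real gateway's):
#   vehicle/<VIN>/cmd/<command>        published by a controller, consumed by the vehicle
#   vehicle/<VIN>/telemetry/<signal>   published by the vehicle, consumed by controllers
TOPIC_RE = re.compile(
    r"^vehicle/(?P<vin>[A-HJ-NPR-Z0-9]{17})/(?P<kind>cmd|telemetry)/(?P<name>[a-z_]+)$"
)


@dataclass(frozen=True)
class Principal:
    subject: str           # identity taken from the client certificate or token
    role: str              # "vehicle" | "owner" | "oem_cloud" | "dealer_diag"
    vins: FrozenSet[str]   # vehicles this identity is bound to


@dataclass(frozen=True)
class VehicleState:
    speed_kph: float
    ignition_on: bool
    service_mode: bool     # set by the OEM back end for an authorised workshop visit


# Assumed command catalogue: which roles may issue which command at all.
COMMAND_ROLES = {
    "lock":         {"owner", "oem_cloud"},
    "unlock":       {"owner", "oem_cloud"},
    "remote_start": {"owner"},
    "read_dtc":     {"owner", "oem_cloud", "dealer_diag"},
    "flash_ecu":    {"dealer_diag"},
}
# State-dependent restrictions applied on top of the role check.
DENIED_WHILE_MOVING = {"unlock", "remote_start", "flash_ecu"}
SERVICE_MODE_ONLY = {"flash_ecu"}
CONTROLLER_ROLES = {"owner", "oem_cloud", "dealer_diag"}


def authorize_publish(p: Principal, topic: str, state: VehicleState) -> Tuple[bool, str]:
    """Broker-side decision for a PUBLISH: role, VIN binding and vehicle state all matter."""
    m = TOPIC_RE.match(topic)
    if not m:
        return False, "malformed topic"
    vin, kind, name = m.group("vin", "kind", "name")
    if vin not in p.vins:
        return False, "principal is not bound to this VIN"
    if kind == "telemetry":
        if p.role == "vehicle":
            return True, "allowed"
        return False, "telemetry may only be published by the vehicle"
    roles = COMMAND_ROLES.get(name)
    if roles is None:
        return False, "unknown command"
    if p.role not in roles:
        return False, "role %s may not issue %s" % (p.role, name)
    if name in DENIED_WHILE_MOVING and state.speed_kph > 0:
        return False, "refused while the vehicle is moving"
    if name in SERVICE_MODE_ONLY and not state.service_mode:
        return False, "refused outside an authorised service session"
    return True, "allowed"


def authorize_subscribe(p: Principal, topic: str) -> Tuple[bool, str]:
    """Broker-side decision for a SUBSCRIBE: the vehicle reads its own commands, controllers read telemetry.
    Wildcard filters ('+', '#') do not match the topic pattern and are therefore refused."""
    m = TOPIC_RE.match(topic)
    if not m:
        return False, "malformed topic"
    vin, kind = m.group("vin", "kind")
    if vin not in p.vins:
        return False, "principal is not bound to this VIN"
    if kind == "cmd":
        return (True, "allowed") if p.role == "vehicle" else (False, "only the vehicle consumes commands")
    return (True, "allowed") if p.role in CONTROLLER_ROLES else (False, "the vehicle does not read telemetry")


# Constructed principals and states for the demonstration.
VIN = "1HGCM82633A004352"
OWNER = Principal("owner:alice", "owner", frozenset({VIN}))
DEALER = Principal("tool:ws-042", "dealer_diag", frozenset({VIN}))
CAR = Principal("vin:" + VIN, "vehicle", frozenset({VIN}))
PARKED = VehicleState(speed_kph=0.0, ignition_on=False, service_mode=False)
MOVING = VehicleState(speed_kph=52.0, ignition_on=True, service_mode=False)
IN_SERVICE = VehicleState(speed_kph=0.0, ignition_on=False, service_mode=True)

if __name__ == "__main__":
    cmd = "vehicle/%s/cmd/" % VIN
    for who, topic, state in [(OWNER, cmd + "unlock", PARKED), (OWNER, cmd + "unlock", MOVING),
                              (DEALER, cmd + "flash_ecu", PARKED), (DEALER, cmd + "flash_ecu", IN_SERVICE),
                              (OWNER, cmd + "flash_ecu", PARKED)]:
        print(who.subject, topic.rsplit("/", 1)[1], authorize_publish(who, topic, state))
```

The same dealer tool that is allowed to reflash an ECU during an authorised service session is refused the same command on a parked car outside one, and refused outright on a moving car; the owner can unlock a parked car but cannot reflash anything. Each decision is a function of who, which vehicle and what state, which is the granularity the shell-over-SSH model lacks.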

For instance, Kaspersky Automotive Secure Gateway not only facilitates the basic functions of an MQTT broker but also seamlessly integrates various in-car electronic units, the owner’s smartphone, the car manufacturer’s cloud, and diagnostic devices into a flexible and secure service-oriented architecture with granular access control. This approach takes into account the specific domain requirements and contexts, such as telemetry and remote vehicle control, and provides a higher level of security.

CrowdStrike Update

What happened? 

A recent global outage caused by a faulty CrowdStrike Falcon sensor update (19 July 2024) crashed about 8.5 million Windows computers worldwide, yet Southwest Airlines, one of the largest airlines in the United States, was unaffected. The explanation that circulated widely was that parts of the airline’s operations still run on very old software, reportedly Windows 3.1. The airline did not confirm this, and only Windows hosts running the Falcon sensor crashed, so any system too old to run the sensor was spared regardless of the exact version.

Who should be concerned? 

Automakers, as well as Tier 1 and Tier 2 suppliers.

Why did it happen? 

The transport industry often relies on outdated software, and the nature of its technology and business processes makes upgrading hard. The automotive industry is no different: there are numerous legacy IT systems both within the automotive ecosystem (especially in manufacturing) and in the vehicles themselves. Over-the-air (OTA) software updates are still not available for every ECU in many vehicle types; often only one or two units (e.g., the telematics and infotainment systems) can be updated remotely. As a result, when critical flaws or vulnerabilities are discovered, automakers are often compelled to recall vehicles rather than update them remotely.

To better understand the industry’s challenges, one need only look at historical vehicle recall data from the US National Highway Traffic Safety Administration (NHTSA). One analysis of that data found that the first “software” recall, where “software” was mentioned as a corrective action or in the description, occurred in 1994. Since then, there have been more than 1,000 software-related recalls, potentially affecting more than 70 million vehicles. While software has been involved in just 5% of all recalls since 1966, its share had risen to nearly 15% of all recalls by 2023.

The industry’s cybersecurity processes remain immature, creating additional opportunities for attackers and significantly increasing the risk of cyberattacks. The Southwest Airlines situation illustrates how outdated software is still in use in the transport industry. In this case, running an older operating system unexpectedly helped the company avoid the problem, but this is the exception, not the rule. Typically, the more outdated the software, the more unpatched vulnerabilities it carries, since such products are often no longer supported by their vendors and many aspects of information security were not considered when they were built.

What do we recommend?

In addition to information security audits and recommendations for improving processes, we also offer our clients up-to-date intelligence on cyberthreats and incidents in the transport industry. These reports, prepared by our information security analysts, help identify existing, emerging, and potential threats, assess risk, and respond effectively to incidents. The content and frequency of the reports are tailored to each customer’s objectives, infrastructure, and business processes.
