Cyber Security Vulnerabilities Within the Automotive Industry

Automotive cybersecurity vulnerabilities

The automotive industry is evolving. Manufacturers are constantly expanding vehicle capabilities and increasing their connectivity. But with new technologies come new security threats. As vehicles become more advanced, so too increases the number of vulnerabilities & attack vectors that adversaries can exploit which threatens numerous sectors of the ecosystem.

There are two key areas that an attacker could target. The technology within a vehicle itself and business critical systems.

Vehicle vulnerabilities

A cyber attack on a vehicle could have catastrophic consequences, with attackers targeting areas such as:

• Vehicle safety: Ability to fully remote start & stop a vehicle’s engine.
• Vehicle security: Some vehicles now have fully remote locks which can be exploited by attackers.
• Vehicle tracking: Retrieve vehicle locations via GPS.
• Data protection of customer’s private information: The ability to fully remote account takeover via a victim’s email address. Stolen information could include full name, phone number, email address & home address.

These are the biggest vulnerabilities that a connected vehicle may face, however, these are the tip of the iceberg in terms of potential vulnerabilities.

Business system vulnerabilities

Adversaries can also target business systems bringing operations to a  complete stop. Many businesses have been forced to completely shut down their network causing huge disruption to services. The most prevalent types of attacks on the automotive industry include but are not limited to:

• Ransomware: An attacker implements malware that encrypts your sensitive data. They will then demand a sum of money to restore access, usually with a time-sensitive threat to leak the stolen data.
• Data breaches: A security violation which includes an attacker gaining unauthorised access to sensitive or confidential data, can quite often tie in with ransomware. This can be very costly for an organisation if sensitive data is leaked, as financial penalties can be issued under The Data Protection Act.
• Distributed Denial of Service (DDoS): The aim of this attack is to disrupt traffic to an organisation’s online operations. It involves an attacker using resources from multiple remote locations to flood web resources denying access to legitimate users.

For a better understanding of security risks, we can examine recent real world cyber attacks which utilised some of these methods.

Real world examples

Cyber attack on Arnold Clark

The car dealership Arnold Clark recently confirmed that they were hit by a cyber attack. The company has stated that they were forced to shut down their network to protect their data which they described as a “mammoth task”. Luckily by doing this Arnold Clark has since stated that they were successful in protecting their systems, customer data and third-party partners although be it at a great cost. It has been reported that the business had still not re-established connectivity 11 days after the attack.

Luckily it seems that Arnold Clark was able to detect this attack with their security service provider and disrupt it before any data was put at risk. If it wasn’t for the Cyber Security provider Arnold Clark may have been completely unaware of this attack and the consequences could have been far more damaging.

Since the UK left the European Union, elements of GDPR (General Data Protection Regulation) have been implemented into the DPA (Data Protection Act). This means the law holds organisations responsible for keeping personal data secure. If this data is compromised, then an organisation could receive a fine of up to £17.5 million or 4 percent of annual global turnover.

Mark Lamb, CEO at HighGround and IT Pro stated “This was a very positive step and it shows that Arnold Clark already had a strong security posture in place that proactively monitored for threats so they could be identified and remediated before they caused harm. While it doesn’t look like Arnold Clark’s IT is fully back up and running, the company does appear to have protected its data and customers, which is undoubtedly the most important issue.”

Pendragon cyber attack

Not so long ago the second largest motor retailer in the UK, Pendragon, were victims of a ransomware attack in October 2022. It was confirmed that Lockbit 2.0 was the malicious software that was used in the Pendragon attack. The ransom that was demanded by the adversaries amounted to £53 million worth of bitcoin. The adversaries had reportedly stated that they would release the stolen data which they claimed to be “More than 2 million files of all categories with a total volume of 2TB” onto the dark web if their demand was not met.

Pendragon have disclosed that they had no intention of complying with the demands. Reports suggest that only about 5% of their data was actually stolen, but there are no specifics on exactly what damage was caused. It is known that Pendragon have been taking steps to ramp up its cyber security since this incident.

Reportedly this has not affected their ability to operate, and they are still able to offer their services to customers. They stated that upon discovery, they took immediate steps to contain the incident. They utilised security specialists to launch an investigation into the incident.

The growing threat to cyber security

From investigating these real world scenarios, there are common vulnerabilities the automotive industry is enduring in recent times. Omer Dembinsky, data group manager at Check Point, stated that “Cyber attacks are increasing worldwide, with 38% more cyber attacks per week on corporate networking in 2022 compared to 2021,”. This statistic is particularly worrying as it highlights how adversaries are becoming more and more prevalent in the developing world. As organisations become more network-dependent, more opportunities for adversaries arise.