Vulnerabilities of Automotive IoT

Your Personal Information

When a car is purchased, the dealership takes a lot of very personal and confidential information from the buyer. Some information is for the purpose of registration with the local government authorities, some is for the finance company and some is for marketing purposes. Regardless of the purpose, personal information is being collected that connects the buyer to the vehicle being purchased. In this day of IoT and everything connected, those who collect and receive information must be more vigilant in protecting data.

Honda Breach Exposes Customer Data

According to a report in Information Security Newspaper, a massive data breach at Honda North America recently exposed 976 million records affecting nearly 26,000 customers. These records were not password-protected and were easily available to any public internet user. The information exposed included full names, addresses, phone numbers, make and model of the vehicle, license plate numbers and records on maintenance services.

The cause of the breach is thought to be incorrect security configurations or, in other words, human error. The article states that an estimated 50% of these incidents could be avoided if staff implemented appropriate security measures. The following actions might help mitigate these security issues:

  • Establish a regular training schedule for IT personnel on security best practices. There are many sources of data security practices, including organizations such as the TM Forum, the US Federal Trade Commission, the US GSA and many other government agencies.

  • Establish safe networking practices training for non-IT personnel.

  • Create a policy of persistent monitoring and use data security tools that block the download of sensitive information.

Data security experts from the International Institute of Cyber Security (IICS) believe that preventing these misconfigurations and instituting data safety measures will significantly reduce incidents of database information exposure.

Not Your Father's Buick

Data breaches in the automotive industry are particularly unnerving considering the network technology being installed in new cars. A recent advertisement for Buick demonstrated how the owner can start the car, lock and unlock doors and adjust other settings remotely from a smartphone. These new conveniences are made available courtesy of the public internet. IoT is going mobile.

So here is the worst-case scenario. Your vehicle can be controlled by a smartphone any time and from anywhere. All the identifying information about you and your vehicle is available on the public internet. Potentially, hackers can gain control of your vehicle for a variety of nefarious purposes. Imagine being on the receiving end of a ransomware attack that shuts down your vehicle until you send bitcoin to an email address in some foreign country.

Network Monitoring and Security Tools

The measures noted above can help reduce data breaches. However, training and best practices cannot completely eliminate human error. It is critical that additional measures be taken, including persistent network monitoring and connecting security tools that will identify and prevent malicious attacks on networks and databases.

There are a variety of network tools such as Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS), Data Loss Protection (DLP), Authentication Appliances, Encryption, Antimalware, Antivirus and many others available to help protect networks from attack. These tools must be connected, however, to live links in order to see network traffic and take action when necessary.