On the heels of an EV manufacturer’s reported data breach last December, two more automotive manufacturers (OEMs) have fallen prey to possible data breaches. In this blog entry, we look into the possible attack vector behind these events.
A quick look at the incidents
On Jan. 1, 2023, Toyota Kirloskar Motor (TKM), a joint venture between Toyota Motor Corporation and Indian conglomerate Kirloskar Group, reported that one of its service providers had sent a notification about a possible data breach. In an emailed statement, the automotive company added that this incident “might have exposed personal information of some of TKM’s customers on the internet.”
The extent of the exposure was not disclosed. In an unrelated issue, Toyota Motor’s T-Connect service potentially leaked 296,000 pieces of customer information, it said last October. Meanwhile, Volvo Cars might have been the target of another data breach, less than 18 months after it reported one.
According to reports, the leaks involve various types of data such as access to several of Volvo’s databases, continuous integration and continuous delivery (CI/CD) access tokens, Wi-Fi points and login information, employee listings, software keys, and even sensitive information on existing and future vehicle models. Notably, the attacker shared screenshots of allegedly stolen data showing details of the vehicles that the company sells to law enforcement agencies, particularly in Europe.
Possible attack vectors
While investigations are still ongoing, VicOne’s cybersecurity experts identify the following as the likely attack vectors behind these cybersecurity incidents:
- Phishing: Phishing attacks are an example social engineering where the target is contacted by email, telephone, or text message. The attacker usually poses as a colleague or a legitimate institution to lure their potential victims into disclosing sensitive data, credentials, or personally identifiable information (PII).
Attackers usually collect information on the internet about high-privilege roles like C-suite executives, after which they send fake emails masquerading as important senders (such as key customers). These emails would then direct unwitting users to malicious websites that enable malware to be downloaded to victims’ devices. Attackers can take direct control from there and impersonate legitimate users. Without two-factor authentication (2FA), attackers can easily gain access to their victims’ systems to obtain sensitive data such as, in this case, information on existing and future car models.
- Website security vulnerabilities: A website vulnerability is a software code flaw or bug, a system misconfiguration, or some other weakness in a website, a web application, or its components and processes. Web application vulnerabilities enable attackers to gain unauthorized access to systems, processes, or mission-critical assets of an organization.
For example, attackers start by researching vulnerabilities in the websites of different companies, particularly those that use content management systems (CMS) in building and managing one. Most of these user-friendly platforms are built on open-source codes that also contain many vulnerabilities of their own.
Without penetration testing, these companies are unable to detect these inherited vulnerabilities. In some cases, an attacker can exploit these vulnerabilities to break into a company’s intranet, resulting in a CI/CD system data leak. They can then inject malware or backdoors into source code. This could lead to a breach of sensitive company data or even trigger a supply-chain attack.
Data breaches, such as the ones that Toyota India and Volvo have recently fallen prey to, are not new in the automotive industry. However, the proliferation of breaches in the last two years — and especially in the past few weeks — proves that it has become one of the major incident types that OEMs and Tier 1 suppliers should stay vigilant against.
As a subsidiary of Trend Micro, VicOne leverages the cybersecurity leader’s over 30 years of industry expertise and offers the following solutions against these data breaches:
- xNexus, an extended detection and response (XDR) platform for vehicle security operations centers (VSOCs), can help build awareness mechanisms and early warning for incoming attacks.
- xCarbon, an intrusion detection and prevention system (IDPS) for electronic control units (ECUs), provides superior detection and protection in vehicles, allowing VSOCs to quickly understand the nature of a potential attack.
- xZETA allows OEMs to scan vendors’ firmware on multiple levels and effectively reduces the attack surface from the beginning.
- xScope is a penetration-testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.
To read more research on data breaches and other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.