On Dec. 11, 2022, the Shanghai-based electric vehicle (EV) manufacturer NIO received an email in which the sender claimed to have gotten hold of stolen data and threatened to expose it if the ransom of US$2.25 million in bitcoin was not paid. NIO then discovered that its vehicle sales and user information from before August 2021 had indeed been compromised.
According to Lu Long, NIO’s chief information security scientist and head of the information security committee, data generated from NIO’s vehicles while on the road was not part of the leak. However, the hacker group potentially behind or involved in the attack also posted about the incident. The group’s post showed that the leaked information included 22,800 pieces of NIO employee data, 39,900 pieces of owner identification data, 650,000 pieces of user address data, and other data, including user loan information.
NIO reported the incident to regulators and worked with authorities as soon as it discovered the breach. It also issued a statement on its community app to inform its users about the breach and created both a help hotline and an email address to cater to user queries about the incident.
Data breaches and the automotive industry
This is far from the first time that a data breach has taken place in the automotive industry. In VicOne’s 2022 automotive cybersecurity report, we observe that data breaches are the second most common type of incident faced by the automotive industry, just behind ransomware.
Indeed, this year, different companies across various parts of the automotive supply chain experienced data breaches. In October, Toyota disclosed a data-breach incident in which its source code was leaked by accident. In April, General Motors suffered a credential-stuffing attack, in which cybercriminals stole account credentials to further their breach into the system. Previously, in 2021, companies such as Ford and Volkswagen saw major incidents that exposed their customer data. The list goes on to include not just manufacturers but also suppliers and dealerships.
It’s important to consider that data theft has also been a facet of other forms of cyberattacks, particularly ransomware. In the automotive industry, the tire manufacturer Continental had its data stolen as part of a LockBit ransomware attack. Given global authorities’ hard crackdown on ransomware groups, it’s possible that groups like LockBit will begin to shift their business in the near future, forgoing data encryption to double down on data extortion, according to Trend Micro’s security predictions for 2023.
If this comes to pass, data breaches will happen more often in the automotive industry. We’ve reviewed published reports on data-breach cases in the industry and found the following common attack scenarios:
- Threats from mobile devices: When a user installs a malicious app on their mobile device, the app roots the device. The attacker behind the app would then be able to redirect data to a rogue access point, record personal data, or even remotely control the user’s connected vehicle.
- Threats from the in-vehicle infotainment (IVI) system: Like mobile devices, IVI systems could also be attacked through malicious third-party apps, resulting in data breaches. Browser vulnerabilities could also lead to attacks and data breaches, as demonstrated in the Tesla hack at Pwn2Own 2022.
The impact of data breaches and how to secure vehicles against them
Data breaches could have unpredictable consequences depending on the type of data stolen. They not only incur monetary losses for companies but also damage their brand reputation. Because data breaches have become a constant threat, and not just in the automotive industry, more research and insights on the topic are now available that can help users and automotive manufacturers (OEMs) alike.
Users can do their part by becoming more vigilant about where and how they share their data. Here are a few tips users can consider to protect their data within the car ecosystem:
- Know the relevance of privacy policies. While data collection can be beneficial to users, such as when insurance companies analyze vehicle data to determine precise premiums, it can also come with risks. Users should therefore pay attention to the terms and conditions presented to them whenever they are asked to share their data.
- Be wary of free services and apps. Often, malicious apps masquerade as free and useful tools. Upon installation on mobile phones, however, they root the devices and steal data. Users should therefore avoid downloading free apps from unknown sources.
- Look for official certification. As IVI systems gradually become more convenient and user-friendly, they also expand attackers’ options for accessing cars. As mentioned earlier, most reported data-breach incidents started from malicious apps and browser vulnerabilities. Attackers could steal data via malicious apps or modify the IVI firmware to mount persistent attacks and allow malicious frames to be injected into a vehicle’s internal network connection. To minimize this risk, users should download apps only from official marketplaces.
OEMs can take the following security measures into consideration as they continue to build strategies against data breaches:
- Plan security for the rise of open-source vulnerabilities. To speed up development time, more open-source libraries will likely be used in the future. However, even when created and maintained by trusted communities of developers, these open-source libraries could still pose a range of security risks. For example, vulnerabilities have been discovered in OpenSSL, SQLite, and other open-source software. Attackers could exploit such vulnerabilities to intrude into systems and steal sensitive business data, such as E/E schemas or customer names.
VicOne’s xZETA can help OEMs uncover known and unknown vulnerabilities during the development phase. Using xZETA’s automotive-grade virtual analyzer, OEMs can monitor suspicious behavior to detect potential malware and backdoors in their software.
- Ensure industry-wide security. In addition to the security of the connected car itself, the IT security of back-end servers (such as the OEM service server or CRM), the operational technology (OT), and the industrial control systems (ICSs) of the car factory also need equal attention.
- Operate vehicle security operation centers (VSOCs) independently. It’s more secure to separate a VSOC from an enterprise SOC. OEMs can work with a security company or a managed service provider to help them run the VSOC and help protect sensitive data. Not only does this setup protect data from threats, but it also allows experienced cybersecurity experts to extract signatures from the attack data and turn them into rules to detect similar threats when they occur, giving an added layer of protection.
Leveraging over 30 years of cybersecurity experience from Trend Micro and the expertise of more than 10,000 independent researchers from Zero Day Initiative (ZDI), VicOne’s cybersecurity solutions use the latest technologies like behavior monitoring and detection and response to help secure connected cars.