automotive

No Image

The Automotive industry’s inadequate approach towards software (in the cars)

Introduction The automotive industry has witnessed a paradigm shift with the increasing integration of software in vehicles. Modern cars are no longer just mechanical devices with a motor, wheels and steering; they are now sophisticated machines having dozens of CPUs (called ECU), entire computers, high speed network to connect them (called CAN-bus) and relying on complex highly distributed software systems. In my opinion, the industry fails to adapt to this new reality and fully embrace the concept of cars as hardware running software has significant consequences. This may sound contradictory at first, on one side they have these complex systems, on the other side they fail to adapt to this reality. In this article, I will explore how the automotive industry is not dealing correctly with this transformation and its potential implications.   Limited Focus on Software Development and Updates Traditionally, the automotive industry has primarily focused on hardware design and manufacturing, treating software as a necessary mean to make the hardware work. This approach results in a lack of emphasis on software development practices and updates capabilities. While cars are becoming more connected and dependent on software for various functionalities, manufacturers often overlook the importance of continuous software improvements…

Read More

ChatGPT and automotive cybersecurity #2/2: TISAX certification

This is the 2nd post about Automotive Cybersecurity. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.   First post was about CSMS and ISO 21434 and this one is about TISAX.   Query: Tell me about challenges in TISAX certification    ChatGPT: “TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector. There are several challenges associated with TISAX certification: Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification. Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses. Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements. Cost: The cost of TISAX certification can be…


ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them. Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer.  ( No, this post is not written by ChatGPT: 🙂   )   Here it is:   Query: Tell me about CSMS from ISO 21434   ChatGPT: CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector. CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats. It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity. The framework covers a range of cybersecurity-related activities, including:…



A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023: 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More Kia, Honda, Infiniti, Nissan, Acura Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address) Ability to lock users out of remotely managing their vehicle, change ownership For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car Mercedes-Benz Access to hundreds of mission-critical internal applications via improperly configured SSO, including… Multiple Github instances behind SSO Company-wide internal chat tool, ability to join nearly any channel SonarQube, Jenkins, misc. build servers Internal cloud deployment services for managing AWS instances Internal Vehicle related APIs Remote Code Execution on multiple systems Memory leaks leading to employee/customer PII disclosure, account access Hyundai, Genesis Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address) Ability to lock users out of…


Cybersecurity Engineering in the Automotive industry

A lot is happening in the Automotive industry these days. It has to do with connectivity, autonomous driving, autonomous parking, and so on. All these have one thing in common: they are producing extremely large amounts of data which needs to be processed in the backend by very powerful computers. When we talk connectivity, we MUST talk about cybersecurity.   This is why the Automotive industry has started to take this very seriously: We have the  ISO/SAE AWI 21434 : Road Vehicles — Cybersecurity engineering which is in the preparation stage We have the European Automobile Manufacturers’ Association (ACEA) who have released the “Principles of Automobile Cybersecurity“ ACEA represents currently the 15 Europe-based car, van, truck and bus manufacturers (Source): BMW Group, DAF Trucks, Daimler, Fiat Chrysler Automobiles, Ford of Europe, Hyundai Motor Europe, Iveco, Jaguar Land Rover, Opel Group, PSA Group, Renault Group, Toyota Motor Europe, Volkswagen Group, Volvo Cars, and Volvo Group ACEA and its members have identified a set of six key principles to enhance the protection of connected and automated vehicles against cyber threats. 1. Cultivating a cybersecurity culture 2. Adopting a cybersecurity life cycle for vehicle development 3. Assessing security functions through testing phases: self-auditing & testing 4. Managing a…


Chinese Researchers Remotely Hack Tesla Model S (Update)

Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move. The researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could: control the sunroof, the turn signals, the position of the seats, all the displays, the door locking system. While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment). WOW… this can be deadly!   But wait, after “several months of in-depth research” ? This means that they spent several months to search for vulnerabilities to exploit ? This is what I mean by being insistent. The most interesting part is the UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy…


Car hacking again… now at high speed!

Not even a week has passed since I was writing about “Not yet worried about vehicle hacking? You should be!” and we see in the news that at Blackhat that exactly this is happening. At BlackHat USA this week, the security researchers Charlie Miller and Chris Valasek are scheduled to present their latest findings in the world of car hacking. Again ! Miller and Valasek have already made names for themselves last year with the dramatic hacking of Jeep Cherokee, a interfering with its entertainment system, engine and brakes, while it was being driven down a busy highway at 70mph. Fiat Chrysler announced back then a safety recall of 1.4 million vehicles. Now, the situation changed. “By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed.”(Wired) Watch for yourself the movies on YouTube:   What does this mean? Thankfully, their previous work helped Chrysler create a security update to fix the flaw that gave them their earlier, remote access to the Jeep’s guts. This new hack, however, is…


Not yet worried about vehicle hacking? You should be!

  As a matter of fact, it is not only vehicles that can be hacked, actually any IoT device can be hacked. AV-Test.org published this paper about vulnerabilities in the fitness wristbands and Apple Watch, which shows how they tested and how secure the devices are. However, a hack of these IoT devices is not as dangerous as hacking a vehicle. I am not saying that they don’t matter, on the contrary. This is why I am mostly interested in vehicles: hacking can be dangerous and it is, with manufacturer’s permission at least, to improve their security.   According to the RSA presentation from Kelly Blue Book, 62% of consumers are worried that cars will be easily hacked in the future. In their corresponding report “Braking the Connected Car: The Future of Vehicle Vulnerabilities,” one in three prospective car buyers say connectivity is a big factor in their decision. Furthermore, they claim that 62% of consumers are worried that cars will be easily hacked in the future. And yet, 44% of consumers feel that the vehicle manufacturer is responsible for securing a vehicle from hacking. So much being personally accountable for our own security. This is actually no wonder – think of the…


BMW and cybersecurity

Not a month passes without seeing some major car manufacturer that has cybersecurity issues. This month we have seen made public a report from February 2016 related to BMW. The short story   The BMW ConnectedDrive Web portal was found to contain a vulnerability that could result in a compromise of registered or valid vehicle identification numbers, Vulnerability Lab warns. The security bug, affecting the BMW ConnectedDrive online service web-application, is a VIN (Vehicle Identification Number) session vulnerability, security researcher Benjamin Kunz Mejri reveals. VIN, also known as chassis number, is a unique code used in the automotive industry to identify individual vehicles. The security flaw was discovered in February this year, when the researcher also found a client-side cross site scripting vulnerability in the official BMW online service web-application. By exploiting this issue, an attacker could inject malicious script codes to the client-side of the affected module context, the researcher says. The longer story In February 2016, when the ADAC’s security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card. BMW said it had taken steps to eliminate possible breaches by…


%d bloggers like this: