cybersecurity

ChatGPT and automotive cybersecurity #2/2: TISAX certification

This is the 2nd post about Automotive Cybersecurity. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my company’s consulting offer for automotive, I thought I would check what ChatGPT thinks about them.

The first post was about CSMS and ISO 21434; this one is about TISAX.

Query: Tell me about challenges in TISAX certification

ChatGPT: “TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector. There are several challenges associated with TISAX certification:

- Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification.
- Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses.
- Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements.
- Cost: The cost of TISAX certification can be…


A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023:

2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

Kia, Honda, Infiniti, Nissan, Acura
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
- Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
- Ability to lock users out of remotely managing their vehicle, change ownership
- For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car

Mercedes-Benz
- Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
  - Multiple Github instances behind SSO
  - Company-wide internal chat tool, ability to join nearly any channel
  - SonarQube, Jenkins, misc. build servers
  - Internal cloud deployment services for managing AWS instances
  - Internal Vehicle related APIs
- Remote Code Execution on multiple systems
- Memory leaks leading to employee/customer PII disclosure, account access

Hyundai, Genesis
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
- Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
- Ability to lock users out of…


Cybersecurity Engineering in the Automotive industry

A lot is happening in the Automotive industry these days. It has to do with connectivity, autonomous driving, autonomous parking, and so on. All these have one thing in common: they are producing extremely large amounts of data which need to be processed in the backend by very powerful computers. When we talk connectivity, we MUST talk about cybersecurity.

This is why the Automotive industry has started to take this very seriously:

- We have the ISO/SAE AWI 21434: Road Vehicles — Cybersecurity engineering, which is in the preparation stage.
- We have the European Automobile Manufacturers’ Association (ACEA), who have released the “Principles of Automobile Cybersecurity“.

ACEA currently represents the 15 Europe-based car, van, truck and bus manufacturers (Source): BMW Group, DAF Trucks, Daimler, Fiat Chrysler Automobiles, Ford of Europe, Hyundai Motor Europe, Iveco, Jaguar Land Rover, Opel Group, PSA Group, Renault Group, Toyota Motor Europe, Volkswagen Group, Volvo Cars, and Volvo Group.

ACEA and its members have identified a set of six key principles to enhance the protection of connected and automated vehicles against cyber threats.

1. Cultivating a cybersecurity culture
2. Adopting a cybersecurity life cycle for vehicle development
3. Assessing security functions through testing phases: self-auditing & testing
4. Managing a…


Why most, if not all, “New Generation” endpoint security products are not self-sustained?

FireEye, SentinelOne, CrowdStrike, HackerOne, Cylance, Cyphort, Trustlook, Venafi, Clavister, Invincea, Code42, just to name a few, are so-called NG Cybersecurity startups. NG comes from “New Generation” or “Next Generation”… (Yeah, just like in Star Trek. 🙂 )

What exactly are these “NG” products and services? There is no single definition that fits them all. Here are the common features:

- All of them have a cloud backend.
- Some install an agent on each machine, some install an appliance that acts as a sniffer in the network. Some others must be installed on the default gateway, where they take control of the more important entry and exit points in the network.
- All of them analyze events in the network and send them in one form or another for analysis to the backend.
- Some filter just DNS traffic, some filter just web traffic, some filter everything. Combinations of the above are definitely the case.
- None of them installs a classical AV engine at end customers (GW or End-point). My guess (not able to prove it, though) is that they have a form of classical antivirus in the backend which is used as a “second” opinion scanner.

The list can be…


Chinese Researchers Remotely Hack Tesla Model S (Update)

Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move. The researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system. While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment).

WOW… this can be deadly!

But wait, after “several months of in-depth research”? This means that they spent several months searching for vulnerabilities to exploit? This is what I mean by being insistent.

The most interesting part is the UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy…


BMW and cybersecurity

Not a month passes without seeing some major car manufacturer that has cybersecurity issues. This month a report from February 2016 related to BMW has been made public.

The short story

The BMW ConnectedDrive Web portal was found to contain a vulnerability that could result in a compromise of registered or valid vehicle identification numbers, Vulnerability Lab warns. The security bug, affecting the BMW ConnectedDrive online service web-application, is a VIN (Vehicle Identification Number) session vulnerability, security researcher Benjamin Kunz Mejri reveals. VIN, also known as chassis number, is a unique code used in the automotive industry to identify individual vehicles. The security flaw was discovered in February this year, when the researcher also found a client-side cross site scripting vulnerability in the official BMW online service web-application. By exploiting this issue, an attacker could inject malicious script codes into the client-side of the affected module context, the researcher says.

The longer story

In February 2016, ADAC’s security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card. BMW said it had taken steps to eliminate possible breaches by…


Cybersecurity vs. Information Security (infosec)

Somebody asked me why I have “IT Security Expert” in my LinkedIn profile and “Sorin Mustaca Cybersecurity” on my company website www.mustaca.com. In order to answer that, I need to clarify the difference between Cybersecurity and Information Security (infosec). I googled a bit because I don’t have too much time, and I did find something which comes closest to my opinion. See Sources for a list.

Information security (or “InfoSec”) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical). The CIA triad of confidentiality, integrity, and availability is at the heart of information security. The members of the classic InfoSec triad — confidentiality, integrity and availability — are interchangeably referred to in the literature as security attributes, properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks. There is continuous debate about extending this classic trio. Other principles such as Accountability have sometimes been proposed for addition, and it has been pointed out in various sources that issues such as Non-Repudiation do not fit well within the three core concepts.

Well, no…


Responsibility for Vehicle Security and Driver Privacy in the Age of the Connected Car

Source: Responsibility for Vehicle Security and Driver Privacy in the Age of the Connected Car
Sponsored by: Veracode, Created by IDC
Author: Duncan Brown

IDC conducted in-depth interviews with leading vehicle manufacturers and automotive industry representatives, as well as 1072 drivers across the UK and Germany. These are the questions that the survey had:

What are the cybersecurity implications of the connected car?
Around 30% in both countries are “somewhat concerned” that such aids could be hacked and fail to operate as intended. If you then also include those who were “very concerned” and “extremely concerned”, the total increases to over half (57%) in Germany and half (50%) in the UK.

Who is responsible for ensuring the applications are secure?
When considering who would be liable for a vulnerability in an application downloaded by the driver, nearly a third (32%) of drivers in Germany would hold the app developer responsible, while for a quarter (23%) it’s the vehicle manufacturer, and for 22% the app store where they downloaded it. Only a fifth (20%) think they themselves should be liable.

Where does product liability lie with regard to the connected car?
German drivers (41%) and British drivers (51%)…


“Cyber Security” or “Cybersecurity” ?

“Cybersecurity” and “cyber security” are getting more and more mixed usage lately, so much so that they are becoming almost as ambiguous as the term “cloud” was a few years back. The challenge information security executives and professionals are faced with is knowing, as the title implies, when and why the term should be used and how it should be presented, as a single word or two. While there isn’t any recognized authority on the subject per se, there are at least some credible sources providing guidance that can help those of us in the industry to decide on “when, why and how” to use the term.

Read more here

Conclusion: Cybersecurity is the right term!


Cyber Security is a Shared Responsibility: October is Cyber Security Month

For the 3rd consecutive year, the European Cyber Security Month (ECSM), celebrated throughout October, has just been kicked off in Brussels.

Here is the agenda:

WEEK 1 Cyber Security Training for Employees
WEEK 2 Creating a Culture of Cyber Security at Work
WEEK 3 Code Week for All
WEEK 4 Understanding Cloud Solutions for All
WEEK 5 Digital Single Market for All

In the Activities page, depending on where you are, you can filter which activities to see: Germany, USA.

If you’re a hands-on cyber security professional, you may want to start with the Toolbox. In the awareness files you can find some nice posters like the one below:

