iso 21434

ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them. Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer.  ( No, this post is not written by ChatGPT: 🙂   )   Here it is:   Query: Tell me about CSMS from ISO 21434   ChatGPT: CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector. CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats. It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity. The framework covers a range of cybersecurity-related activities, including:…


A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023: 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More Kia, Honda, Infiniti, Nissan, Acura Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address) Ability to lock users out of remotely managing their vehicle, change ownership For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car Mercedes-Benz Access to hundreds of mission-critical internal applications via improperly configured SSO, including… Multiple Github instances behind SSO Company-wide internal chat tool, ability to join nearly any channel SonarQube, Jenkins, misc. build servers Internal cloud deployment services for managing AWS instances Internal Vehicle related APIs Remote Code Execution on multiple systems Memory leaks leading to employee/customer PII disclosure, account access Hyundai, Genesis Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address) Ability to lock users out of…


%d bloggers like this: