Black hat and White hat attacks are the difference between research-based hackings to uncover and warn companies from vulnerabilities – White hat, and those triggered by cyber-criminals looking to cause damage or reap a ransom – Black hat attacks. Black hat attacks have not only been increasing year on year, they now exceed the White hat incidents.
While White hat attacks may uncover significant vulnerabilities that should be calls for action, research-based attacks do not have malicious intent, according to Upstream Security. White hat attacks can cause financial damage or problems for a brand.
However, it’s claimed by those doing them for sales purposes, that for many companies, the warnings they receive from researchers or even technologically capable consumers are helpful to their security optimization and improvement.
A new category of incidents can be just as bad as Black hat attacks. People who find these vulnerabilities might not be intentionally malicious, in terms of data privacy, compliance and customer privacy – the consequences are arguably the same. If drivers can access the data of a previous owner of their vehicle for example, a business may be liable under GDPR regulations. If a customer’s mobile app allows them to see the payment details of the last person to rent the same vehicle, the fleet renting the car could find themselves coming under scrutiny from PCI-DSS, not to mention a potential lawsuit.
As hackers become more familiar with the components of connected vehicles, tools to attack connected vehicles or bicycles are easily found and cheap to procure. Thieves in Winnipeg used a $5 device, says Upstream Security, they bought over the internet to unlock a car using an electromagnetic pulse, stealing insurance papers that were left inside. While this hack, arguably, had limited damage, think how effectively a device like this could be used on a fleet or even for a targeted attack on valuable documents. These kinds of attacks are real-world threats which are driven by real criminals. Once they breach a network or vehicles, the result will not be a written report.
Tesla Cloud Breach – AWS Vulnerability
Complex hybrid data centers are increasingly causing security issues for Smart Mobility. In February 2018, hackers broke into a Tesla-owned Amazon cloud account and used it to ‘mine’ cryptocurrency. The breach also exposed proprietary data for the electric carmaker. The breach was possible because Tesla left credentials for an Amazon Web Services (AWS) account open to the public Internet, according to Upstream Security. The scheme potentially exposed an Amazon simple storage service, also known as an S3 bucket which held Tesla telemetry, mapping, and vehicle servicing data.
Upstream says that 21.4% of the attacks on connected vehicles are server attacks, and the majority are Black hat – launched by criminals with malicious intent. The term ‘server’ covers many incidents, including Telematics command and control servers, Smart Mobility application services and breached web servers such as websites of automakers.
It also covers databases that hold vehicle, customer, code and driver data. This information could be held by a 3rd party public cloud vendor, or on a private cloud. These attacks are remote, and long-range, meaning attackers do not need to be in any kind of close proximity to the car to access data.
One attack on Porsche Japan illustrates the gravity of this threat, and how wide the impact of a single hack can be. In February 2018, the email addresses of thousands of Porsche Japan customers were compromised after a cyber-attack on a contractor’s data servers. The personal information of over 28,700 Porsche customers in Japan were exposed.
In many privacy cases, it can be difficult for stakeholders to even recognize that these breaches are happening. In September 2017, after an unsecured Amazon S3 server was uncovered by researchers, the SVR car tracking service admitted that a cache containing half a million records was left publicly accessible for an unknown amount of time. Email addresses, passwords, user vehicle data and IMEI numbers of GPS devices were all unprotected, as a result of weak third-party security was more than two decades out of date.
Connected car ecosystems are dynamic environments that often change and are subject to continuous updates and improvements, meaning blind spots and gaps are common. The infamous Jeep Cherokee case was implemented by security researchers, as are many other high-profile cases. This could have people believe that most attacks are White hat – and without malicious intent. However, the data say differently, in another area that cries out for effective government regulations in AutoInformed’s view.