Upstream’s AutoThreat Intelligence analyzes and circulate cyber-threat intelligence specific to the automotive sector. Here’s the latest list of the most interesting incidents – the 7 Deadly sins so to speak of the Cyber Word.
- 100 cars stolen through electronic device hack: Six members of a gang of thieves in India were arrested and accused of stealing connected vehicles by “misusing electronic devices”. After the vehicle theft, the license plate of the vehicle was replaced, and the registration number and color of the car was altered. It was suspected that the gang stole more than 100 vehicles that were then sent to be sold in another region in India.
- Permission bypass vulnerability found in vehicle infotainment OS: Researchers discovered a vulnerability in Android Auto settings which allowed permission bypass due to an unsafe Android reference token (Pendingintent). The privileges could allow a local information disclosure vulnerability, resulting in command execution privileges. The vulnerability could locally trigger without user interaction.
- Data of truck and freight companies stolen and posted: A hacking group posted data that was stolen from Manitoulin Transport, one of Canada’s largest trucking companies. The company claimed that their IT department reacted quickly to the attack, and therefore, mission-critical systems were not compromised. The affected systems were back in operation about two days after the initial attack. Throughout September and August, data of six other supply chain companies was also posted by ransomware groups, raising a concern of a connection between the cases. Other impacted companies include TFI International and Beler Holdings.
- Battery degradation prevented by CAN-message hack: To prevent Nissan Leaf’s battery degradation, a hacker developed a CAN-bridge to hack the CAN-messages between battery management and vehicle to avoid degradation. Through hacking into the CAN-messages sent to the battery management system, the hacker was able to lower the charging speed and prevent the battery from heating, a primary cause of degradation. The hacker offered the CAN-bridge and its software for sale at 450 Euro.
- Employee loses lawsuit after allegedly hacking into OEM operating system: Tesla won a legal case against one of its former employees after firing them for allegedly hacking internal data and transferring it to third parties. In its complaint, Tesla accused Martin Tripp, a former Tesla employee, of writing software to hack into Tesla’s manufacturing operating system, sharing stolen data with people outside the company, and making false claims to the media about the information he stole. Tesla claimed that Tripp’s actions cost the company $167 million in damages due to stock prices falling. This claim however was not the winning argument of the lawsuit; Tesla won the suit due to Tripp’s actions being deemed as unaligned with the Nevada Computer Crimes Law.
- Ride-hailing app fined S$10,000 for user data privacy violation: Singapore’s privacy watchdog fined ride-hailing app GrabCar S$10,000, claiming that a 2019 software update put the data of some users at risk of unauthorized access. The accusation claims that the update risked the personal data of 21,541 drivers and passengers, and included the profile pictures, names, and vehicle plate numbers related to the carpooling service GrabHitch. According to GrabCar, there was no evidence that this vulnerability was exploited.
- Thieves used jammers to steal cars in Kenya: Vehicle thieves in Kenya used jammers to steal vehicles. As drivers parked and presumably locked their vehicles with key fobs, thieves jammed the signal, and though the car’s alarm made its usual sound, the car did not lock. The police claimed that the thieves also often disabled the car’s GPS trackers with jammers that were purchased online.