
Subaru Starlink Security Flaw Exposes Risks of Connected Cars


As vehicles become increasingly connected to the internet, cybersecurity threats pose growing risks to drivers. A recent security flaw in Subaru’s Starlink system highlights the potential dangers, allowing hackers to remotely control vehicles and access sensitive data. This incident is part of a broader trend affecting the automotive industry, where weaknesses in connected car systems expose users to financial loss, privacy breaches, and safety concerns. 

Researchers found that with just a licence plate number and basic owner details, attackers could exploit Subaru's Starlink system to start or stop the car, lock or unlock the doors, and track its real-time location. More alarmingly, hackers could extract personally identifiable information (PII), including billing details, emergency contacts, and historical location data accurate to within five meters. The vulnerability stemmed from weak security in the Starlink admin portal, including an insecure password reset API and insufficient protection against two-factor authentication (2FA) bypass.

Subaru quickly patched the issue within 24 hours of its discovery, but the incident underscores the risks associated with connected vehicles. This is not an isolated case. Other automakers have faced similar security lapses, such as a flaw in Kia’s dealer portal that allowed hackers to track and steal vehicles. Common security issues in connected car systems include weak authentication, improper encryption, centralized storage of sensitive data, and vulnerabilities in third-party integrations. Delayed responses from automakers further exacerbate these risks, leaving vehicles exposed for extended periods. 

Beyond direct system hacks, connected cars face a range of cybersecurity threats. Attackers could remotely hijack vehicle controls, steal onboard financial and personal data, or even deploy ransomware to disable vehicles. GPS spoofing could mislead drivers or facilitate vehicle theft, while compromised infotainment systems may leak personal details or spread malware. While automakers must strengthen security measures, consumers can take steps to protect themselves. Regularly updating vehicle firmware and connected apps can help prevent exploits. 

Using multi-factor authentication (MFA) for connected car accounts and avoiding weak passwords add an extra layer of security. Limiting the amount of personal data linked to vehicle systems reduces exposure. Disabling unnecessary connectivity features, such as remote start or location tracking, also minimizes risk. Additional precautions include avoiding public Wi-Fi for accessing connected car systems, using a virtual private network (VPN) when necessary, and carefully vetting third-party apps before granting permissions. Traditional security tools like steering wheel locks and GPS trackers remain valuable backup measures against cyber threats. 

As connected cars become more common, cybersecurity will play a crucial role in vehicle safety. Automakers must prioritize security by implementing robust encryption, strong authentication, and rapid vulnerability response. At the same time, consumers should stay informed and take proactive steps to safeguard their vehicles and personal data from evolving digital threats.

Toyota Acknowledges Security Breach After Medusa Ransomware Threatens to Leak Data


Toyota Financial Services (TFS) announced that unauthorised access was detected on some of its systems in Europe and Africa after the Medusa ransomware claimed responsibility for the attack. 

Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity that provides auto financing to customers in 90% of the markets where Toyota sells its vehicles. 

The Medusa ransomware gang added TFS to its data leak site on the dark web earlier this week, demanding $8,000,000 to delete data allegedly stolen from the Japanese company. Toyota was given ten days by the threat actors to respond, with the option to extend for an additional $10,000 per day. 

Toyota Finance did not confirm whether data was taken in the attack, but the threat actors say they have exfiltrated files and threaten to release them if the ransom is not paid.

The hackers published sample data, such as spreadsheets, purchase invoices, agreements, passport scans, financial performance reports, internal organisation charts, hashed account passwords, cleartext user IDs and passwords, and more, as proof of the intrusion. 

The file tree of all the data that Medusa claims to have taken from Toyota's systems is also included in a .TXT file that the gang supplies. The majority of the documents are written in German, suggesting that the hackers gained access to the systems supporting Toyota's activities in Central Europe.

The Japanese automaker was contacted by BleepingComputer for a comment regarding the leaked data, and a company representative gave the following statement: 

“Toyota Financial Services Europe & Africa recently identified unauthorized activity on systems in a limited number of its locations. We took certain systems offline to investigate this activity and to reduce risk and have also begun working with law enforcement. As of now, this incident is limited to Toyota Financial Services Europe & Africa.” 

The spokesperson said that most of the affected countries are currently in the process of bringing their systems back online; this is the only detail provided so far on the status of the affected systems and when they are expected to resume regular operations.

Another Citrix Bleed breach?

In response to Medusa's claim that TFS was its victim, security analyst Kevin Beaumont pointed out earlier today that the company's German office had an internet-exposed Citrix Gateway endpoint that had not been updated since August 2023, leaving it susceptible to the critical Citrix Bleed (CVE-2023-4966) vulnerability.

It was confirmed a few days ago that the hackers behind the Lockbit ransomware had breached the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing using publicly available Citrix Bleed exploits.

It is likely that more ransomware groups have begun to exploit Citrix Bleed, capitalising on an attack surface believed to encompass thousands of exposed endpoints.

Automakers can Exploit Your Private Data However They Want


It turns out that the answer to the question of which devices have the worst user privacy policies may be waiting for you outside. The Mozilla Foundation said in a report released on Wednesday that cars are "the official worst category of products for privacy" it has ever analysed. 

The global nonprofit discovered that 84% of the reviewed automakers shared user data with third parties, giving users little (if any) control over their personal information. 

None of the 25 automakers analysed for the report, including Ford, Toyota, Volkswagen, BMW, and Tesla, met the nonprofit organisation's minimum privacy criteria; Tesla was also found to be collecting more personal information from customers than necessary.

The data that is gathered ranges from personal information, such as medical information, to information about how drivers use the vehicle itself, including how fast they drive, where they travel, and even what music they are listening to.

Both Nissan and Kia are known to permit the collection of data about a user's sexual life. By comparison, Mozilla says that 37% of mental health applications (themselves known for poor data privacy practices) had better practices for collecting and using private data.

According to the report, 84 percent of the evaluated car brands share users' personal information with service providers, data brokers, and potentially dubious companies, with 76 percent claiming the right to sell such information, and 56 percent stating they will hand over information to the government and/or law enforcement upon request.

Tesla, flagged in every privacy category, received the lowest overall brand score in the survey; it is only the second product Mozilla has ever flagged in every category. Following a number of collisions and fatalities, Tesla's AI-powered Autopilot was criticised as "untrustworthy."

In addition to the research, Mozilla also released a breakdown outlining how automakers collect and share user data. This can range from basic information like the user's name, address, phone number, and email address to more private information like images, calendar entries, and even specifics like the driver's race, genetic makeup, and immigration status.

Mozilla says it was unable to confirm whether any of the automakers met the group's baseline security requirements for data encryption and theft protection. In fact, it notes that dating apps and even sex toys frequently offer more thorough security information about their products than cars do.

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” stated Mozilla in the report. 

Mozilla says it spent more than 600 hours (three times as long per product as it typically does) researching the privacy policies of car manufacturers. The organisation said that because the report's findings were so critical, the recommendations it usually gives to help consumers protect their personal data feel like "tiny drops in a massive bucket."

Instead, the Mozilla Foundation has launched a petition asking automakers to halt the data collection programmes from which they are unfairly profiting, saying that "our hope is that increasing awareness will encourage others to hold car companies accountable for their terrible privacy practices."