
Ransomware Strikes Auto Dealerships: The CDK Global Incident


The Attack

The automotive industry has faced an unprecedented challenge: a cyberattack targeting CDK Global, a major software provider for auto dealerships. This incident has sent shockwaves through the industry, affecting dealerships across the United States. In this blog post, we’ll delve into the details of the attack, its consequences, and the lessons we can learn from it.

What Happened?

CDK Global, a company that provides software solutions to auto dealers, fell victim to a ransomware attack. The attack was orchestrated by a group known as BlackSuit, which demanded a hefty ransom from CDK. As a precautionary measure, CDK temporarily shut down most of its systems to prevent further damage and protect its customers.

Impact on U.S. Car Dealers

Several major auto dealership groups reported disruptions:

Lithia Motors: Lithia Motors, one of the largest dealership networks in the U.S., faced operational challenges due to the CDK cyberattack. Their day-to-day processes, including inventory management and customer interactions, were affected.

Group 1 Automotive: Group 1 Automotive, another prominent player in the industry, experienced delays in vehicle sales and service. The attack disrupted their ability to process transactions efficiently.

Penske Automotive Group: Penske, a well-known name in auto retail, struggled with system outages. Their sales teams couldn’t access critical information, impacting customer service.

Sonic Automotive: Sonic Automotive’s dealerships grappled with inventory discrepancies. The attack disrupted their supply chain management, leading to delays in vehicle deliveries.

Asbury Automotive Group: Asbury Automotive Group faced challenges in communicating with customers. Their CRM systems were offline, affecting follow-ups and lead management.

AutoNation: AutoNation, a nationwide dealership network, had to adapt quickly. The attack disrupted their online sales platforms, affecting customer inquiries and transactions.

How to Stay Safe?

1. Cybersecurity Preparedness

The CDK incident underscores the importance of robust cybersecurity measures. Dealerships must invest in secure infrastructure, regular vulnerability assessments, and employee training. Cyber hygiene is crucial to prevent and mitigate attacks.

2. Incident Response Plans

Having a well-defined incident response plan is essential. Dealerships should know how to react swiftly when faced with a cyber threat. Regular drills and simulations can help teams prepare for such scenarios.

3. Vendor Risk Management

Dealerships rely on third-party vendors like CDK for critical services. Assessing vendor security practices and ensuring contractual obligations related to cybersecurity are met is vital. Regular audits can help identify vulnerabilities.

New Car Owners Beware: Study Finds Serious Data Protection Flaws

 


Modern gadgets have been collecting every bit of user data they can gather, just to sell it off to the highest bidder, ever since tech companies realized that data could be sold for dollars. While the user's car has long been a part of the data-sharing network, it seems that its contribution might be significantly greater than most of us would have expected. 

It may even be the biggest seller of users' personal information. So-called connected cars, cars that have internet access, are becoming a regular part of the driving experience, and their proliferation is raising concerns among consumers regarding their data privacy rights.

According to Counterpoint Technology Market Research, more than 95% of the passenger cars sold by 2030 will be equipped with embedded connectivity. Consequently, car manufacturers are now able to offer functions related to safety and security, predictive maintenance, and prognostics to their customers.

Additionally, this opens the door for companies to collect, share, or sell personal information about individuals, including driving habits, and other information that people may not wish to share with others. Despite many car manufacturers' efforts to give consumers the option to opt out of excessive data sharing, Counterpoint senior analyst Parv Sharma explains that these options are often hidden within menus, which is also the case for many other consumer technologies where the sale of data has the potential to generate income. 

According to a McKinsey report published in 2021, various use cases for monetizing car data could result in an annual revenue stream of $250 billion to $400 billion for industry players by 2030. There are valid reasons for collecting data from drivers and vehicles, such as emergency and security-related purposes, and there may not always be a way for individuals to opt out of essential services like these.

Sharing more data with other companies is important because predictive maintenance enables manufacturers to detect when a part of their fleet is failing earlier than expected and to issue a recall on it, according to James Hodgson, ABI Research's director of smart mobility and automotive research.

Privacy concerns are growing over car companies sharing driver information with insurers, particularly as car companies become involved in the insurance business. For instance, driving habits and details regarding car usage might be reported to data collectors and passed along to insurance companies, which make rate decisions based on those details.

It's also important to understand that this is not the same as the new model of usage-based insurance that would allow drivers to earn lower rates if they allow insurers to embed devices into their cars that track their behaviour, which could be offered by companies such as Progressive and Root. There are widespread efforts underway by regulatory authorities to understand car manufacturers' data-sharing practices and to ensure that potential privacy violations are not committed. 

The enforcement division of the California Privacy Protection Agency announced at the agency's board meeting in July 2023 that it would conduct a review of the connected vehicle industry. A spokeswoman declined to comment further on that review, saying that it is underway.

A federal investigation of the data-sharing practices of carmakers might also be a basis for federal action in the future. In Doubt-Keegan's view, publishing basic information about data practices can be insufficient to avoid the FTC's enforcement of those practices. Public awareness of the issue has increased. In December, Senator Edward J. Markey (D-Mass.), a member of the Senate Commerce, Science, and Transportation Committee, sent a letter to 14 car manufacturers urging them to implement and enforce stronger privacy protections in their automobiles.

Premiums Affected as Internet-Connected Cars Share Data with Insurers

 


Popular features such as in-car apps, remote functions, and even Wi-Fi hot spots are available on most new vehicles that offer internet services. These "connected" cars are a goldmine of data for automakers, and they can be a goldmine for insurance companies as well. An article published in the New York Times this week discussed the extent to which tracking driver information can affect insurance rates.

The insurance industry has in recent years provided incentives to consumers who install dongles in their cars or download smartphone apps that allow them to monitor a variety of things, including how much they drive, how fast they turn corners, how hard they hit the brakes, and whether or not they speed when driving. 

A patent application by Ford Motor describes how “drivers are traditionally reluctant to participate in such programs,” but instead, car companies are collecting information directly from internet-connected vehicles for use by insurance companies. This is the opposite of what's happening now. As far as tracking users' driving data regarding car insurance adjustments is concerned, it is not a new concept at all. 

Drivers who prove that they are good drivers can often reduce their insurance premiums, normally by letting their insurance company track vehicle data such as trips taken, speeds, and distance driven. There is, however, a significant difference between tracking of that type and what is emerging about Smart Driver from General Motors.

Many direct insurer tracking programs help consumers save money on their bills, but Smart Driver is not a typical tracking program: most of its users are not knowingly entering into such an agreement seeking savings, and in Smart Driver's case, including the way data is transmitted to insurers, the consent is not nearly as clear as it might seem. GM's "connected" service, OnStar Smart Driver, is known to share driver data with other auto manufacturers.

According to Car and Driver, it was not surprising that other automakers also had a similar data-sharing program. The idea is fine when automakers effectively notify consumers that their data will be tracked and shared with others. A usage-based insurance policy entails that the insurance company monitors the behaviour of the driver to determine the best policy. 

The problem is the growing number of internet-connected vehicles that share the personal information of their drivers without those drivers even being aware that they have consented to this practice. Kenn Dahl says he has always been a safe driver because he was careful as a child. He drives a leased Chevrolet Bolt and owns a software company near Seattle. Neither he nor anyone else in his family has a history of causing accidents.

The cost of his auto insurance shot up by 21% in 2022, and Mr. Dahl, 65, was shocked when he received a bill for a hike of such proportion. Quotes from other insurers were also high. The insurer told him that the LexisNexis report he had on file was a contributory factor.

LexisNexis is a global data broker with a stake in the insurance and auto insurance industries and is known for keeping tabs on traffic accidents and speeding tickets. At Mr. Dahl's request, LexisNexis sent him his 258-page "consumer disclosure report," which it is required to provide to consumers under the Fair Credit Reporting Act.

Typically, someone will agree to the terms of service when they install or update an app on their smartphone, but they need to read the fine print before accepting those terms. Even though consumers are advised to carefully read contracts before agreeing to them, there is also a powerful argument that corporations must be transparent about how and when consumers' personal information is going to be shared with others.

This is why the California Privacy Protection Agency (CPPA) has enlisted the help of its Enforcement Division to investigate how and to what extent automobiles equipped with features such as location sharing, smartphone integration, web-based entertainment, and cameras could collect and share consumer data with others, according to a report from Reuters. 

The apprehension echoed by the US Department of Commerce regarding the prospective national security threats posed by Chinese electric vehicles (EVs) finds a parallel in the contemporary discourse surrounding the management of data about driving behaviour in "connected" automobiles.

Individuals keen on understanding the handling of such data by their vehicles are advised to diligently examine the privacy policies associated with any car applications they utilize. Additionally, consumers may avail themselves of consumer disclosure reports provided by LexisNexis, as mandated by the Fair Credit Reporting Act overseen by the Federal Trade Commission.

GM Cruise Halts Driverless Operations

General Motors' Cruise unit has suspended all driverless operations following a recent ban in California, halting their ambitious plans for a nationwide robotaxi service.

The decision comes in response to a regulatory setback in California, a state known for its stringent rules regarding autonomous vehicle testing. The California Department of Motor Vehicles revoked Cruise's permit to operate its autonomous vehicles without a human safety driver on board, citing concerns about safety protocols and reporting procedures.

This move has forced GM Cruise to halt all of its driverless operations, effectively putting a pause on its plans to launch a commercial robotaxi service. The company had previously announced its intention to deploy a fleet of autonomous vehicles for ride-hailing purposes in San Francisco and other major cities.

The suspension of operations is a significant blow to GM Cruise, as it now faces a setback in the race to deploy fully autonomous vehicles for commercial use. Other companies in the autonomous vehicle space, including Waymo and Tesla, have been making strides in the development and deployment of their autonomous technologies.

The California ban highlights the challenges and complexities surrounding the regulation of autonomous vehicles. Striking the right balance between innovation and safety is crucial, and incidents or regulatory concerns can lead to significant delays in the deployment of this technology.

While GM Cruise has expressed its commitment to working closely with regulators to address their concerns, the current situation raises questions about the timeline for the widespread adoption of autonomous vehicles. It also emphasizes the need for a unified regulatory framework that can provide clear guidelines for the testing and deployment of autonomous technologies.

In the meantime, GM Cruise will need to reassess its strategy and potentially explore other avenues for testing and deploying its autonomous vehicles. The company has invested heavily in the development of this technology, and overcoming regulatory hurdles will be a crucial step in realizing its vision of a driverless future.

The halt to GM Cruise's driverless robotaxi operations is a clear reminder of the difficulties and unknowns associated with the advancement of autonomous car technology. The safe and effective use of this ground-breaking technology will depend on companies and regulators working together as the industry develops.

Behind the Wheel, Under Surveillance: The Privacy Risks of Modern Cars

 


The auto industry is failing to give drivers control over their data privacy, according to researchers warning that modern cars are "wiretaps on wheels." An analysis published on Wednesday revealed that in an era when driving is becoming increasingly digital, some of the most popular car brands in the world are a privacy nightmare, collecting and selling personal information about their customers. 

According to the Mozilla Foundation's 'Privacy Not Included' survey, most major manufacturers admit to selling drivers' personal information, with half of those manufacturers saying they'd make it available without a court order to governments, law enforcement agencies, or the insurance company. 

Automobiles have become prodigious data-collection hubs since the proliferation of sensors - from telematics to fully digitalised control consoles - has enabled manufacturers to collect huge amounts of data about vehicles.

The findings of a new study indicate that car brands intentionally collect "too much personal data" from drivers, which gives them little or no choice regarding what they want to share. In addition to automobiles, the new study also examined products from a wide variety of categories, including mental health apps, electronic entertainment devices, smart home devices, wearables, fitness products, and health and exercise products, among other categories. 

When reviewing cars, however, the authors found them to be the worst products in terms of privacy, calling them a "privacy nightmare". Mozilla Foundation spokesperson Kevin Zawacki stated that cars were the first category to be reviewed in which all of the products were given the "Privacy Not Included" warning label.

As reported by several different sources, all car brands are also said to be collecting a significant amount of personal information about their customers, with 84% sharing or selling their collected data. According to the study, car manufacturers are becoming tech manufacturers in order to collect data from their customers that can easily be shared or sold without their knowledge or permission, which is why privacy concerns are rising. 

The data from the car includes highly detailed information about the car user, such as biometric information, medical information, genetic information, driving speeds, travel locations, and music preferences, among many other things.

Protecting your privacy is one of the most frustrating aspects of owning a car, for several reasons. The first, as stated in the report, is that automakers collect too much personal information.

The report goes on to explain that every manufacturer does the same thing. The data ranges from the way users interact with their cars to data from third parties such as Google Maps.

Some cars can even collect data from the phones associated with them if they have an accompanying app. There is perhaps nothing worse about these kinds of privacy violations than the fact that there is no way for the user, unlike with devices like TVs, to opt out of them. 

As far as the user's data is concerned, 92% of car manufacturers do not allow users to have control over it, while only two car manufacturers allow the user to delete the data they have collected. Mozilla has identified no car company that has met its Minimum Security Standards, which include the very basics as well as such things as encrypted data.

Caltrider mentioned that car buyers have limited options if they do not opt for a used, pre-digital model. Since 2017, Mozilla has studied a wide range of products - including fitness trackers, reproductive-health apps, smart speakers, and other connected home appliances - and cars ranked lowest for privacy out of more than a dozen product categories.

Is it Possible for Cars to Spy on Drivers? 

There has been a trend of automakers openly bragging about their cars being 'computers on wheels' for years to promote their advanced features, but these features have been especially augmented with the advent of the internet, which has transformed new cars into "powerful data-hungry machines," according to Mozilla. 

Nowadays, there are cameras mounted on both sides of the vehicle, microphones, and many other sensors that assist in monitoring driver activity. The companies that provide apps, maps, and connected services that combine with your phone collect or access your data when you pair the phone to the computer.

A lot of car buyers don't have many choices on the market today, other than opting for a used, pre-digital model, Caltrider told the Associated Press. She points out that automobile manufacturers seem to behave better in Europe, where the laws are tougher, and she believes the United States could pass similar laws if it wished.

The Mozilla Foundation is hoping that raising awareness among consumers will fuel a backlash against companies that are guilty of the same kind of surveillance practices in their "smart" devices, as was the case with TV manufacturers during the 2010s. "Cars seem to have slipped under the radar in terms of privacy."

European Police Arrest a Group That Hacked Wireless Key Fobs to Steal Cars

 

European police have arrested 31 people for alleged involvement in a sophisticated plot to steal connected vehicles.

Police from France, Spain, and Latvia collaborated with Europol and the European judicial cooperation agency Eurojust to search 22 locations and seize more than €1 million in criminal assets. Car thieves targeted two unnamed French car manufacturers, replacing legitimate software loaded onto vehicles with a tool marketed as an "automotive diagnostic solution."

According to Europol, this allowed them to open the doors and start the ignition without using the key fob. Other details are limited at this point, presumably to prevent copycat attacks. However, authorities arrested not only some of the suspected car thieves but also the suspected malware developers and resellers.

It's unclear whether the hacking tool was created by a single group and then used to steal cars, or if it was primarily sold to other criminal gangs.

The French Gendarmerie's Cybercrime Centre (C3N) launched the investigation, but Europol claimed to have been supporting the case since March 2022 with "extensive analysis and the dissemination of intelligence packages" to all affected countries. That would seem to imply that gangs from different jurisdictions used the same tools to gain access to and steal vehicles from the targeted manufacturers.

Europol also shared a screenshot of a domain seizure notice, which reads, "This service has been seized by the Gendarmerie Nationale cyberspace command under the authority of the French Paris Prosecutor's Office."

This implies that the hacking tool in question was being sold online to third parties. Although much research has been conducted in recent years on the potential threat to car safety from keyless entry attacks, there have been few notable real-life cases.