A range of automakers from Toyota to Acura is affected by vulnerabilities within their vehicles that can let hackers steal personally identifiable information (PII), lock owners out of their vehicles, and even control functions like starting and stopping the vehicle's engine.
A team of seven security experts said vulnerabilities in the automakers' internal applications and systems allowed them to build a proof-of-concept hack that sends commands using only the vehicle identification number (VIN), which can be seen through the windshield from outside the vehicle.
The team has found serious security loopholes at automakers like BMW, Ford, Volvo, Ferrari, and various others throughout Europe, the US, and Asia. It has also found problems with suppliers and telematics companies like Spireon, which makes GPS-based vehicle tracking solutions.
BMW said that IT and data security are the top priorities for the company, and it continuously monitors its system landscapes for potential security threats or vulnerabilities.
"The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks. No vehicle-related IT systems were affected or compromised. No BMW Group customers or employee accounts were compromised," a spokesperson at BMW said.
This is the most recent security threat to surface. In March last year, telemetry from industrial systems security firm Dragos found Emotet command-and-control servers in contact with various automotive manufacturer systems.
In December, experts found vulnerabilities in three mobile apps that let drivers remotely unlock or start their vehicles. These bugs allowed unauthorized malicious actors to perform the same commands from afar.
Security vulnerabilities have been a challenge in the automotive industry for a long time, and automakers are not very proactive in identifying the potential severity of the threat developments.
Experts believe that while automakers are slowly changing into software developers, they find it difficult to address all points of the development cycle, which includes security.
"One very simple notion is if you're not good at software, you're probably not going to be very good at making that software safe. That is guaranteed," said Gartner automotive industry analyst Pedro Pacheco. "Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers."
As automakers build more sophisticated ecosystems that connect customers with app stores, their smartphones, and other connected devices, the stakes also rise.
"This is the reason why cybersecurity is going to become more and more of a pressing issue," said Pedro. "The more the vehicle takes over driving, then of course the more chances there are that this can be used against the customer and against the automaker. It hasn't happened yet, but it could very well happen in the future."