People Remain Biggest Cyber-Security Attack Surface, Says BlackBerry

Cyber-security fraud presents a major obstacle for automakers and mobility services considering an autonomous future.

This was especially apparent when car2go, a car-sharing subsidiary of Daimler, was temporarily suspended in Chicago after several cars were stolen. Service was restored quickly as the company assured customers that no personal or confidential member information had been compromised. Fraud proved to be the culprit, however, providing a clear reminder that not all threats start with hacking or cyber attacks.

“The thing we miss out on and forget about when we talk about cyber-security is that it’s no different from any other form of security,” said Jeff Davis, head of smart transportation innovation and development at BlackBerry. “It’s based on risk and value. Where things start to become dangerous, whether it’s using fraud, phishing or some advanced technological means, doesn’t really matter. It’s what is motivating the individual making the attempt.”

With the average price exceeding $30,000 in the United States, motor vehicles are a particularly attractive asset. The value will continue to rise as cars become more expensive through the addition of connectivity, autonomy and other new features. Further complications could follow when banking and/or payment information is added to the vehicle. Some consumers are already worried that their credit card might be skimmed at the pump but what happens when that same data could be taken from the car without anyone knowing?

“We get caught up in the technological side but the reality is that it’s about the value in that individual attack,” said Davis. “Once you have banking and payment information in the car, you now have a reason – a motive for someone to go ahead and get hold of that. Whatever means they use to do that, most of the time, comes down to a human being. Even some of the most advanced hacks that we look at start with fraud.”

Davis pointed to the Pentagon cyber attack that occurred in 2008, which was carried out with an infected USB storage device. “It started with somebody finding a way into a thumb drive,” said Davis. “Understanding, socially, that’s how people behaved in the Pentagon – they used thumb drives to pass data here and there. That was the attack surface. All these cases come down to fraud. Human error will always be one of the weaker spots when it comes to security.”

Despite the rush to eliminate human error behind the wheel, there has been little effort toward eliminating human mistakes outside the car that could increase its vulnerability. “You will never 100% overcome it,” Davis warned. “As long as there are people trying to break in, they will find a way to find weaknesses within human beings to work through that.”

Unforeseen risks of car theft

Most malicious threat actors are after data. If the data appears to have more value than the car itself, or if it’s simply easier to steal with a lower chance of getting caught, data could also be what tomorrow’s car thieves are after. Davis suggested that one solution involves implementing a form of data lockdown or erasure. This could be similar to the way that some phones lock and erase data if the device is stolen but it’s not foolproof.

“Data privacy is not something we’ve had to deal with as an industry,” said Davis. “I think a big piece of it goes back down to controls. How much data do companies take, receive, hold, when, why and where? When you look at all that, how do they protect it? Where are the controls put in place?”

Uber and Lyft accounts were recently hacked in a money-laundering scheme involving fake rides. No drivers or passengers were physically harmed but it’s another example of how broad these breaches have become. This is on top of those who have been caught stealing rides from paying customers, as well as drivers who pretend to work for Uber to steal fares.

“In essence, you’re maybe not stealing a car but you’re stealing someone’s mobility,” said Davis. “You’re using their identity, mobility and money to get yourself around. It is, in effect, the future version of stealing a car. As cars become autonomous, the ability to do that will still remain.”

There will be a lot to learn in the years to come but Davis refrained from speculating on the kinds of attacks that could happen next. Instead, he said the focus should stay on human vulnerabilities and how to solve them. “Where do you have people in your system that can be fooled or tricked?” he questioned. “The way that people are breaking into almost every system now, it’s using people. That’s been the most effective and continues to be the most effective vector for any type of attack, whether it’s basic fraud or a cyber-security attack.”
