Posts

ChatGPT and automotive cybersecurity #2/2: TISAX certification

/in

This is the 2nd post about Automotive Cybersecurity.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

 

First post was about CSMS and ISO 21434 and this one is about TISAX.

 

Query:

Tell me about challenges in TISAX certification 

 

ChatGPT:

“TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector.

There are several challenges associated with TISAX certification:

  • Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification.
  • Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses.
  • Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements.
  • Cost: The cost of TISAX certification can be significant, and this may be a challenge for companies with limited budgets.
  • Maintenance: TISAX certification must be maintained, and companies must continually evaluate and improve their security controls to stay certified. This can be a challenge, as the threat landscape is constantly evolving and new risks emerge.

Overall, TISAX certification requires a substantial investment of time, resources, and expertise, but it is considered an important aspect of information security for companies operating in the automotive sector.”

 

So, I have to say that this impressed me a bit …

I have always difficulties explaining to my customers why is it so hard to pass the TISAX audit.

It is all true, and actually it is quite a challenge to get companies to commit to a long term cooperation with a consulting company, which can help them understand the requirements and teach them how to apply them.

 

Conclusion: 

I will get back to ChatGPT from time to time and try to get such short descriptions for various things I need.

The post ChatGPT and automotive cybersecurity #2/2: TISAX certification first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

/in

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer.  ( No, this post is not written by ChatGPT: 🙂   )

 

Here it is:

 

Query:

Tell me about CSMS from ISO 21434

 

ChatGPT:

CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector.
CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats.

It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity.

The framework covers a range of cybersecurity-related activities, including:

  • Threat identification and assessment
  • Risk management
  • Security controls and measures
  • Incident management
  • Continuous improvement

CSMS is designed to be flexible and adaptable, allowing organizations to tailor the framework to meet their specific needs and requirements.

The standard also provides a basis for certification, enabling organizations to demonstrate their commitment to cybersecurity and their ability to effectively manage cybersecurity risks.

In summary, CSMS from ISO 21434 provides a comprehensive framework for managing cybersecurity and is an important aspect of information security for organizations operating in the automotive sector.”

 

This text is not returned by a google search. If I search the exact same terms, google returns me a bunch of links and ads (4 Ads, 9 links, 1 ad) and some Youtube videos.

So, is this text relevant?

Yes, it is a very good summary. I will actually use it in the offerings of my company.

 

 

Part #2 is about “TISAX certification”.

 

The post ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434 first appeared on Sorin Mustaca on Cybersecurity.

A brief history of software vulnerabilities in vehicles (Update 2023)

/in

Updated in 2023:

  • 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    • Kia, Honda, Infiniti, Nissan, Acura
      • Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
      • Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
      • Ability to lock users out of remotely managing their vehicle, change ownership
        • For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car
    • Mercedes-Benz
      • Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
        • Multiple Github instances behind SSO
        • Company-wide internal chat tool, ability to join nearly any channel
        • SonarQube, Jenkins, misc. build servers
        • Internal cloud deployment services for managing AWS instances
        • Internal Vehicle related APIs
      • Remote Code Execution on multiple systems
      • Memory leaks leading to employee/customer PII disclosure, account access
    • Hyundai, Genesis
      • Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
      • Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
      • Ability to lock users out of remotely managing their vehicle, change ownership
    • BMW, Rolls Royce
      • Company-wide core SSO vulnerabilities which allowed us to access any employee application as any employee, allowed us to…
        • Access to internal dealer portals where you can query any VIN number to retrieve sales documents for BMW
        • Access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships
    • Ferrari
      • Full zero-interaction account takeover for any Ferrari customer account
      • IDOR to access all Ferrari customer records
      • Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
      • Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
    • Spireon
      • Multiple vulnerabilities, including:
        • Full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware
        • Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon
        • Ability to fully takeover any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”)
        • Full administrative access to all Spireon products, […]
        • In total, there were…
          • 15.5 million devices (mostly vehicles)
          • 1.2 million user accounts (end user accounts, fleet managers, etc.)
    • Ford
      • Full memory disclosure on production vehicle Telematics API discloses
        • Discloses customer PII and access tokens for tracking and executing commands on vehicles
        • Discloses configuration credentials used for internal services related to Telematics
        • Ability to authenticate into customer account and access all PII and perform actions against vehicles
      • Customer account takeover via improper URL parsing, allows an attacker to completely access victim account including vehicle portal
    • Reviver
      • Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles. An attacker could perform the following:
        • Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
        • Update any vehicle status to “STOLEN” which updates the license plate and informs authorities
        • Access all user records, including what vehicles people owned, their physical address, phone number, and email address
        • Access the fleet management functionality for any company, locate and manage all vehicles in a fleet
    • Porsche
      • Ability to send retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
    • Toyota
      • IDOR on Toyota Financial that discloses the name, phone number, email address, and loan status of any Toyota financial customers
    • Jaguar, Land Rover
      • User account IDOR disclosing password hash, name, phone number, physical address, and vehicle information
    • SiriusXM
      • Leaked AWS keys with full organizational read/write S3 access, ability to retrieve all files including (what appeared to be) user databases, source code, and config files for Sirius

Car Hacking News Timeline 2017-2019 [1]

  • 2019: Hack of an OEM’s automotive cloud via third-party services and tier-1 supplier network
  • 2019: Memory vulnerability at a cloud provider exposed data incl. passwords, API keys, and tokens
  • 2019: A malware infection caused significant production disruption at a car parts manufacturer
  • 2019: Vehicle data exposed during registration allowed for remote denial-of-service attacks on cars
  • 2019: Malware infected the back end, making laptops installed in police cars unusable
  • 2018: An ex-employee breached the company network and downloaded large volumes of personal information
  • 2018: Cloud servers hacked and used for cryptomining
  • 2018: Researchers exploited vulnerabilities of some infotainment systems and gained control of microphones, speakers, and navigation systems
  • 2018: Security issues discovered in 13 car-sharing apps
  • 2018: Researchers demonstrated >10 vulnerabilities in various car models, gaining local and remote access to infotainment, telematics, and CAN buses
  • 2018: EV home chargers could be controlled by accessing the home Wi-Fi network
  • 2017: Rental car companies exposed personal data
  • 2017: Ransomware caused the stop of production across several plants

Car Hacking News Timeline 2002-2015 [2]

 

 

 

Sources:

  1. McKinsey – Cybersecurity in automotive
  2. https://www.iamthecavalry.org/domains/automotive/
  3. https://smart.gi-de.com/automotive/brief-history-car-hacking-2010-present/