Page 53 - Cyber Defense eMagazine December 2023
P. 53
The automotive industry faces the dual challenge of ensuring data privacy (GDPR and California
Consumer Privacy Act (CCPA) compliance) and securing its assets against cyber threats. A breach here
could result in customer identity theft, financial fraud, and hefty regulatory fines. The recent breaches
involving major automakers are stark reminders of the urgent need for an improved secrets management
posture. Daimler, Nissan, Toyota, and others faced incidents where sensitive customer data was
inadvertently exposed due to misconfigurations and exposed secrets.
This should be no surprise, particularly for those acquainted with the alarming revelations from the
GitGuardian State of Secrets Sprawl report. The study unveiled a staggering 10 million secrets left
exposed on public GitHub repositories in 2022 alone. It's a concern that casts a broad shadow, touching
applications, the entire supply chain, and the backbone of critical infrastructure.
Elevated Risks of Neglecting Secrets Security
Approximately 85% of automotive software comprises open-source code and components sourced from
upstream vendors. A breach in one component could impact multiple car models across different
manufacturers. So, it's imperative to scrutinize every link in the automotive supply chain for potential
secrets incidents. After all, hardcoded credentials in vehicles aren't limited to automakers alone; they
extend throughout the supply chain. Each component, equipped with its software, may harbor embedded
secrets, sometimes lacking robust security measures for safeguarding them.
Within this intricately connected ecosystem, the Telematics server is a pivotal gateway, receiving data
from vehicles and executing remote commands. Unfortunately, they are often inadequately protected,
leaving vehicles susceptible to unauthorized access. A breach in this system could have dire
consequences – from locking owners out of their vehicles to initiating erratic and potentially dangerous
behaviors. In extreme cases, attackers could even seize control of a vehicle's steering, imperiling lives
on the road. This underscores the critical need for robust secrets security within Android and iOS
applications, and the command and control (C&C) infrastructure.
There has been an ongoing "right to repair" debate in this broader industry landscape. A significant step
forward has been taken, granting independent repair shops access to vital vehicle data. However, as this
access expands, so does the concern for data security. Protecting important software-defined
components becomes paramount, ensuring they don't inadvertently expose sensitive code and user
information. In this regard, secrets detection emerges as a critical layer of defense, guaranteeing that
even with expanded access, sensitive data remains secure.
As vehicles increasingly undergo updates via Over-The-Air (OTA) processes, it creates a potential entry
point for attackers. Intercepting, dissecting, and manipulating these updates can unveil hidden features,
functions, and sensitive information, including "hardcoded secrets," paving the way for ransomware
attacks. This highlights the critical importance of safeguarding sensitive code and user information. As
the automotive industry hurtles into the digital age, one thing is abundantly clear: the safety and security
of both vehicles and their passengers hinge on robust secrets protection.
Cyber Defense eMagazine – December 2023 Edition 53
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.