By David Mor-Ofek, Head of Product
A New Era of High-Tech Car Theft
Imagine your car being stolen through your headlight. Sounds like a fictional tale from a sci-fi movie, right? Well, in today’s day and age, it’s much closer to reality than you’d like. This story begins with Ian Tabor, a cybersecurity researcher, who lost his vehicle through this exact scenario. The thieves hadn’t hot-wired his car or smashed the window. Instead, they had tampered with his car’s headlight, leading to a high-tech hack that revealed an alarming vulnerability in his Toyota Rav4 vehicle, and millions of others.
The Nerve Centre: Exploring the CAN Bus
Central to this issue is the Controller Area Network (CAN bus). This communication network, akin to a car’s nervous system, connects various electronic components, ensuring everything from engine management to power steering functions seamlessly.
If this system is compromised, it can lead to grave consequences including theft and tampering with safety systems. Disturbingly, numerous components in vehicles such as Ian’s – headlight, stereo, and in-car entertainment system can serve as potential entry points for hackers to access the CAN bus.
Oversights in Vehicle Security
The main reason for Ian’s situation was with the way the car was made by the car maker (OEM). There are many different companies, suppliers, and teams involved in the product lifecycle of a vehicle – from design, to development, testing, production, and post-production, and in this case, the car maker didn’t pay enough attention to the risk of the car’s CAN bus being accessed from outside the vehicle. It was important for someone to realize that the CAN bus was too physically close to a point on the car where it could be accessed from outside, like the headlights. This incident indicates that there’s a clear disconnect between teams, a gap between how the development of the vehicle was planned and how it actually works in practice.
Strategies to Strengthen Your Security Posture
To combat this issue, car makers need to:
- Integrate robust security practices and tool in their product development lifecycle
- Implement a detailed Threat Analysis and Risk Assessment (TARA) during design and development phases to identify security risks.
- Leverage automation tools, as DevSecOps solutions, to foster collaboration among teams, and with external suppliers.
- Employ better fuzzing practices and improve vulnerability management to detect potential issues like this CAN bus vulnerability before the production phase.
EVSec Platform connects risk information (TARA) with data layers, a unique approach for SBOM & Vulnerability Management. By leveraging this connection, users can incorporate SBOM and HW BOM data layers directly into the cyber model and the system design threat modeling information, gaining visibility into the impact of different systems found in the BOM and their effect on the overall risk profile of the project.
EVSec cyber model approach enables delegation of specific systems and sub-systems within the model to different stakeholders, whether teams in the organization or suppliers, while also providing the ability to monitor the progress of various tasks such as SBOM information ingestion, open event remediations, patch versioning, and more. EVSec further supports management through its intuitive dashboard providing an overview of projects and actionable items. This increases transparency and enables communication between teams and stakeholders, ensuring prompt attention to tasks and projects requiring immediate action.
Turning Security to a Business Value Multiplier
EVSec Platform is the first and only mobility-centric DevSecOps Platform. We empower customers to develop new software-based revenue streams and release more secure products, while adhering to existing and evolving regulations and standards. Click here to schedule a demo with our team.