Industrial Control Systems Security Influences Electric Car Companies

By Josh Balentine on February 1, 2019

Automotive companies that produce electric vehicles, such as Tesla, BMW, and Nissan, are drawing on strategies created for critical infrastructure systems to secure their vehicles. With vulnerabilities that allow access to and control of electric vehicles becoming more prevalent, companies are taking a page out of the Critical Infrastructure Sectors' playbook by introducing Intrusion Detection Systems (IDS), secure boot, and more comprehensive user authentication. Securing these avenues of attack is relevant to the Industrial Control Systems (ICS) area because these breaches affect the production and manufacturing sectors of the designated Critical Infrastructure Sectors. Exploiting vulnerabilities in mobile applications and a vehicle’s head unit is a physical representation of exploiting the logical “air gap” of a vehicle’s system to locate, track, and in some cases drive away in an individual’s car.

Vulnerabilities described

The common route to exploiting a vehicle is through its automotive head unit, a small computer that listens to communication from the other electronic systems in the car and distributes data throughout the car and to the user. In the case of Tesla, attackers can create a rogue access point that caters to Tesla drivers at vehicle charging stations and directs the user to a related application in the Google Play store. The application the user is asked to download contains malicious software that gains access to the vehicle’s applications. Once the attacker has that access, the attacker can track the vehicle’s location via the Global Positioning System (GPS), unlock the vehicle’s doors, and drive away in the vehicle. For the Nissan Leaf, Android and iOS applications allow users to manage their vehicle’s features. The only authentication needed to access a user’s vehicle application is the vehicle identification number (VIN). In the case of the Nissan Leaf, all VINs are the same except for the last 5 digits. Gaining access to these applications allows an attacker to drain the vehicle’s battery and/or obtain its driving history, presenting a security and privacy risk.
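The VIN-only weakness described above, shown beside a hardened check, as an added example that is not code from the article or from any manufacturer. The function names, the simplified HMAC session token (no expiry or revocation) and the placeholder VINs are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: placeholder VINs that differ only in the last 5 digits.
SERVER_KEY = secrets.token_bytes(32)   # per-deployment signing secret (assumption)
VEHICLE_OWNER = {                      # VIN -> account that owns the vehicle
    "TESTVIN0000012345": "alice",
    "TESTVIN0000012346": "bob",
}

def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()

def issue_session(account: str) -> str:
    """Token handed out after a real login (the login step itself is omitted)."""
    return f"{account}.{_mac(account)}"

def session_account(token: Optional[str]) -> Optional[str]:
    """Return the account a token was issued to, or None if missing or forged."""
    if not token or "." not in token:
        return None
    account, mac = token.rsplit(".", 1)
    # Compare as bytes so a non-ASCII forged value is rejected, not an exception.
    ok = hmac.compare_digest(mac.encode(), _mac(account).encode())
    return account if ok else None

def authorize_vin_only(vin: str, token: Optional[str] = None) -> bool:
    """Weak pattern: knowing a valid VIN is treated as authentication."""
    return vin in VEHICLE_OWNER

def authorize_bound(vin: str, token: Optional[str] = None) -> bool:
    """Hardened: the VIN only names the vehicle; the session must be its owner's."""
    account = session_account(token)
    return account is not None and VEHICLE_OWNER.get(vin) == account

def vin_guess_space(unknown_digits: int = 5) -> int:
    """Candidate VINs when only the trailing decimal digits vary."""
    return 10 ** unknown_digits
```

With only five varying digits the identifier space is 100,000 values, which is why the VIN can serve as a vehicle identifier but not as a credential.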
