Social Network For Security Executives: Network, Learn & Collaborate
No doubt you had heard about Chrysler’s recall of affected cars as it appeared in all the top media. You’ll be even more surprised if you see how many recalls happened because of technical issues in recent months. But there is something that we may miss beyond the headlines, some important potential sabotage vectors may happen or are even happening now to increase these statistics. While it looks like a script for a new episode of Mr. Robot, I think this is much more realistic than you may expect. Let’s first look at the current situation.
When I started collecting information of vehicle recalls I expected to see a couple of examples in total, but I have found a dozen for last months alone! Here are the major recalls happened this summer:
Vehicle recalls are probably the most popular recalls in the manufacturing industry dating back to a long time. One of the first examples of the recall took place in 1969 when rubber parts in V-8-powered General Motors engine mounts would give out, causing the engine to come free, twist upward and pull open the throttle, resulting in rapid acceleration. It would often disable brake assistance, making it harder to stop the car. By 1971, 172 cases of engine-mount failure had been reported, leading to dire consequences (63 accidents and 18 injuries).
If you look at the 12 largest auto recalls in the history totally affecting nearly 100 million of vehicles, you find out some other major reasons. Here are the top 5 auto recalls in history:
The most popular recalls happened because of airbag issues, faulty seatbelt buckle, stone-guard assembly issues, and bolt failures.
It’s absolutely clear that software bugs and errors in the manufacturing process are the major reasons for recalls. To make the long story short, if this can happen by mistake and nobody detects it, somebody, be it competitor committing a sabotage attack or an anonymous group of hackers driven by ideological motives, may use this flaw with malicious intent.
Traditionally, manufacturing, planning and designing processes are managed in enterprise business applications such as MES, PLM, or CAD systems. For successful attack on company, a cybercriminal needs to get access to these applications and make some minor changes in the following systems: in CAD during construction side, in PLM system during product lifecycle management configurations or directly in the MES system during manufacturing. The level of MES and PLM integration and automation provides opportunities for attackers to easily implement some modifications into those highly connected systems. Siemens (one of the largest vendors providing solutions for automotive industry) tells that “PLM-MES integration allows you to continuously respond to shifting demands by distributing your latest product designs and assembly methods to a more connected, more efficient and more effective production value chain, assuring complete visibility between your production and engineering domains”. So, nowadays production and engineering fields are not something isolated, they are connected to corporate network vulnerable to traditional malware and attacks.
The story of Stuxnet has shown, that these attacks on some technology modules are real and have already been executed against SCADA systems and PLCs. Technically for hackers there is not a big difference in this attack and gaining access to those systems. Moreover, security of these systems is even weaker than security of SCADA/PLC systems. As SCADA systems, companies started implementing SDL and at least somehow monitoring security of those devices using some vulnerability management and event management solutions. But in enterprises nobody takes care about MES/PLM security responsibly. We should not forget that those systems are traditionally connected with other applications such as ERP, where is also a large number of vulnerabilities, according to “SAP Security in Figures” report. So, finally, getting unauthorized access to PLM or MES is a quite easy process for hackers.
As for the potential attack vectors against automotive institutions, here is a simple example. What will happen if somebody changes the pressure of wheel bolt in PLM system during product lifecycle management configurations or directly in the MES system during manufacturing? Of course, there may be many additional checks to identify this problem during car usage, but in some cases this really may lead to car accident when you ride 120 mph on the highway and the wheel falls off. It was just the first idea, but I found the real example of the recall because of suspension bolt failure which affected almost 6 million Buick cars in 1981. Suspension bolt failure has much in common with this simple idea. “If any part of the rear suspension fails at speed, the probability of passenger drama is high. With this in mind, GM agreed to replace rear-control-arm bolts on a number of models in the early 1980s, when reports surfaced that the bolts could fracture or loosen, leading to a loss of control.” A real attacker may conduct something more critical and less visible, such as bugs in airbags that prevent their Inflation in some situations. Not every time, because it will be able to identify during a crash test, but it may occur randomly. These types of attacks are not only subject to car recalls but also can lead to human injuries, which can destroy the reputation of a victim company.
As a conclusion, I hope that you got my point and if it still doesn’t look very realistic, remember any of public incidents seemed unrealizable before, I think in current situation we have to accept the idea that everything can happen. A year ago a remote attack on car seemed something impossible and 3 years ago no one could imagine a local attack on car, so it's just a question of time. But the fact is that no one knows whether such attacks have been performed already or even one of these vehicle recalls was a consequence of a competitors’ attack.