We need to learn, as an industry, from our mistakes. When these are identified as part of the SDLC, the oversights should be addressed immediately, prioritized by the criticality of the issue. InfoSec is no different: if a vulnerability is noted, it should be remediated as soon as possible. This may take some time to resolve and, depending on the circumstances, may need to be implemented in the next model year of a product or the next software release. If the issue is noted and acknowledged by the company and is not resolved within a reasonable amount of time, there is a bigger, more systemic problem to consider.
In mid-2017, a compromise targeting Mazda vehicles was published. The PoC, titled the Bad Valet attack, used the USB port as the attack vector. The targeted models began with the 2014 model year. The exploit worked by the user plugging in a malware-laden USB stick. The malware accessed the Linux OS in the infotainment system and allowed modifications to be made. Per Mazda, this was patched.
Along came 2018 and two new researchers with a similar attack. This also used a USB stick and requires the USB to be inserted into the port for 10 seconds. The malware collects data from the user's smartphone (e.g. text messages, call records, photos, contacts, GPS history, and emails), along with the vehicle's geographic location. It exploits the autorun option that had been enabled in the infotainment system.
These attacks indicate there are issues with the development team tasked with the OS. DevOps should incorporate InfoSec. The cost and time savings of SecDevOps have been documented and should be applied.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.