Give a man a fish, and you feed him for a day. Teach a man to ransom your data, and you feed a cyber-criminal for life.
—modernized take on an ancient Chinese proverb
Ransomware is officially a billion-dollar industry. Actually, that’s not a completely accurate statement. It’s not like Conti Ransomware and the fittingly-named Evil Corp — two of the prime movers in the increasingly lucrative hacking industry — are listed on the NASDAQ and have to report their earnings to the SEC. Nonetheless, estimates place ransomware payments in the region of US$450 million in the first six months of last year. According to Nikkei Asia, cyber-attacks are so lucrative that North Korea gets half its foreign currency from cyber-theft.
Worse yet, the number of attacks and the payments the “abductors” exact seem to be doubling every year, with The Economist reporting that the average payment for an “attack” increased from US$800,000 in 2022 to more than US$1.5 million in 2023. As to why what was once regarded as a “niche cyber-crime problem” is now so very ubiquitous, that’s simple: virtually all the experts Motor Mouth spoke with say we have the anonymity of cryptocurrency to thank for the increasingly frequent attacks. Their “exploits” are not only now more profitable, but their filthy lucre is easier to hide.
For those that don’t know what ransomware is, it is officially – assuming the Oxford Dictionary is still “official” — defined as “a type of malicious software designed to block access to a computer system until a sum of money is paid.” In simpler terms, someone — most often Russian hackers, it seems — holds your data “hostage” until you, well, pay a ransom. Hospital emergency centres, medical research labs, essential utilities, or really anything deemed essential — even, says The New Yorker, London’s world-renowned British Library, since “ransomware-as-a-service” provider Rhysida recently stymied access to its 14 million books — are deemed prime targets.
In the automotive world, the basest form of ransomware attack would be a thief stealing your car without, well, ever taking possession of it. Imagine the frustration of being able to see, touch, or even, if Vlad-the-digital-delinquent wanted to be especially diabolical about it, sit in your vehicle, but it remaining functionally useless to you — “bricked,” as they say in the biz — until you pay a ransom to someone whose only connection to you and your car is but some distant cyber-link.
As horrific as the “theft” of your pride and joy might seem — and traditional car theft is also on the rise, the Toronto Star recently reporting that auto theft in the city is at a 20-year high — it is but the tip of the proverbial cyber-attack iceberg. The truth is that, although the auto industry has managed to keep most of its vulnerabilities out of the spotlight, transportation-sector ransomware attacks are growing. Exponentially, in fact, with Yoav Levy, co-founder and CEO of Upstream Security, an Israeli company that combats data exploitation in the automotive sector, estimating that cyber-related “exploits” have nearly doubled in the last few years.
And not only are they increasing in frequency, they are growing in magnitude, as well. In just one of the vulnerabilities exposed this year, a ransomware attack on Orbcomm, a fleet management provider, prevented trucking companies across North America from making deliveries or even tracking their inventory. According to bleepingcomputer.com — yes, the absolutely best name for a website ever — truckers were forced to go back to paper logs to make what deliveries they could.
Whatever the hack, the message is always the same: pay the ransom, or welcome back the 20th century. Automakers, meanwhile, are the most targeted manufacturing subsector, says SOCRadar, accounting for one-third “of the total attacks against the manufacturing industry.” VINs, phone numbers, emails, and even physical addresses are the most targeted data.
What truly strikes fear into everyone involved in automotive connectivity, however, is the possibility someone could control or even weaponize vehicles. It’s hardly surprising, considering current geopolitics, that much of the early “research” in the field is occurring in the midst of the Russia-Ukraine war. In one instance, a fleet of John Deere farm machinery stolen from a Ukrainian dealership — isn’t it wonderful when Putin’s righteous “special military operation” is really nothing more than a scavenger hunt for tractors that Russia can’t engineer itself? — ended up useless and bricked somewhere in the Chechen Republic.
In another, Anonymous — a hacktivist collective that sees itself as a digital Robin Hood — infiltrated Russia’s Yandex Taxi ride-hailing app and ordered “all available taxis” to the Kutuzovsky Prospekt, one of Moscow’s main thoroughfares. The ensuing digitally-created traffic jam was described by one local reporter as just
Nor are such vulnerabilities just figments of an overactive imagination. Sam Curry, the most recent of (white-hat) hackers to expose the porosity of automotive cybersecurity, revealed some “Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More” not too long ago. According to the Yuga Labs security engineer, he could easily unlock, gain access to, and start the engines of a number of Kias, Hyundais, Genesises, Hondas, Infinitis, Nissans, and Acuras (not to mention take over Ferrari customer accounts, retrieve sales documents for any number of BMWs and Rolls-Royces, and send vehicle commands to Porsches).
The truly scary bit of this story, though, is how easy these vulnerabilities were to exploit. It turns out, says Curry, that the vehicle telematics systems of “nearly every automobile manufactured in the last [five] years had nearly identical functionality.” Indeed, as Curry tells it, the only reason he and some fellow hackers got involved in the project was that they just happened to come across a fleet of electric scooters at the University of Maryland and, seemingly on a whim, started poking at the scooters’ mobile app until they had all their horns honking and headlights flashing.
Now, the honking of horns — and if you listen to this video, not very loud horns — is hardly the stuff that made Skyfall a legendary secret-agent flick, but, according to both Curry and Levy, all these automotive cyber-attacks are made so much easier by the same kind of mobile apps that Curry exploited on those lowly scooters.
And the reason this new generation of software-defined vehicles (SDVs) is so vulnerable is that, according to Levy, hackers no longer need to understand a car’s underlying computer architecture to wreak their havoc, as Charlie Miller and Chris Valasek had to in their famed Jeep hack of 2015. Vulnerabilities in authentication, validation, and encryption in the APIs (Application Programming Interfaces) that apps use to communicate with cars are the weaknesses that now allow Curry and his band of merry (white-hat) hackers to wreak havoc on all those luxury cars I mentioned earlier.
The New York Times recently recounted the story — Your Car Is Tracking You. Abusive Partners May Be, Too — of an irate divorcee who tracked his unsuspecting ex-wife through their C 300 sedan’s “Mercedes me” app. As scary — and off-putting! — as that tale might have been, the far more pressing issue is that it wouldn’t be all that hard for a hacker to track anyone through such a connected services app.
Christine Dowdall’s husband might have had a leg up in that they once shared the car — and, according to the Times, he was a DEA agent — but this is exactly the kind of app that leaves our modern cars vulnerable to these API hacks. Oh, and a word to the wise for soon-to-be-ex-spouses: make sure both your names are on a car’s title, so you will be allowed to disable future surveillance.
Before I end all this doom and gloom, I should mention that there might be, depending on your ethical rigidity and/or loyalty to an automaker, a few hacks that are actually beneficial. The most useful — but ethically challenging — is that rolling back a car’s odometer is now relative child’s play. What was once difficult enough to warrant a $1,500 cash payment can be had for a hundred bucks, handed over to any smart kid with a new-ish iPad. Ditto for cars hard-wired to only accept specific OEM parts; it would now seem fairly easy to override those protocols to allow the installation of lower-cost aftermarket parts.
And finally, to end on a high note, Ms. Dowdall, unable to get help from Mercedes-Benz in preventing her car from tracking her movements — her husband’s was the only name on the title — was able to find an independent mechanic to hack the “Mercedes me” app and disable the remote tracking function.
But that’s about it for good news. Indeed, the one point we haven’t discussed in all this talk of cyber-hacking and ransomware is the penalty for not paying up. According to PaloAltoNetworks.com, the consequences of non-payment are simple and direct: your name or company name — and all the personal, proprietary, and financially sensitive information that goes along with it — are published on public “leak sites,” not just as fulfillment of a threat, but also as the digital equivalent of the old mafioso “sending a message.” It’s probably time we all started listening.
To hear more on this most important of subjects, please register here (for free!) for the last of Driving into the Future’s fifth season of webinars on January 17 at 11:00 AM Eastern. Both Levy and Curry will be joined by Sebastian Fischmeister, a professor of Electrical and Computer Engineering at the University of Waterloo and an expert in cyber supply-chain security for the auto industry.