In an effort to help better protect US automobile dealerships, we asked our resident White Hat hacker to come up with hacking strategies to attack a dealership’s network. Not only do dealerships hold valuable vehicle information, but their financing, parts and service departments hold valuable personal identifying information (pii) on their systems.
On 19 February 2019, Toyota Australia became aware of the attempted cyber-attack. Toyota stated their company's network of 279 dealer networks impacted parts supply which delayed servicing at some Australian dealerships. Additionally, a number of Toyota corporate IT systems were affected, to include Toyota email service.
In late March 2019, Toyota confirmed that as many as 3.1 million items of Toyota and Lexus customer data may have been breached following an attack on dealerships in Japan. This the second hack against Toyota. The company publicly said that, "information that may have been leaked this time does not include information on credit cards." This was not very reassuring to Toyota customers who were already worried about security after Toyota Australia was hit by a disruptive cyber-attack in February 2019.
Researchers reported that the Australian attack has been attributed to the Vietnamese cyber-espionage unit known as APT32 or OceanLotus. Some reported that the Australian attack may have been used by APT32 as a stepping stone to access the central Toyota network in Japan, which is believed to be more secure. Cyber researchers indicate that it appears the attackers were able to access the Toyota central network directly through an Australian dealership as a phishing campaign. Do cyber attacks happen in the automobile industry? Yes, they do.
USB - Our resident White Hat hacker was asked what method could be used to hack a dealership. A USB insert was the first attack method that came to mind. An online search of a dealership would produce an appointment to look at a specific model. Once at the dealership and showing an interest is a model, an appointment to speak with the finance director could be requested. Our hacker said, “sitting down with finance manager, I would check out the finance computer and initiate my ruse to get the person out of the office.” Most dealerships have their computers located on or under their desk, usually with the computer back facing the customer.
Ask the manager for a water, coffee or a reason to get the them out of their office. Once gone, plug in a USB Rubber Ducky in the port and then, bingo – you own the system. Let’s say the manager won’t leave his office while you are sitting at the desk. After a financial workup is finished and you walk out to the showroom, use the classic “oops, I forgot something in your office.” Then run back in the office and insert the USB or apply other quick hacking techniques.
Or, imagine you could walk up to any dealership computer (next time at a dealership, check out how many vacant computers are available), plug in a seemingly innocent USB drive, and have it install a backdoor, exfiltrate documents, steal passwords or any number of Pentest type tasks.
MiTM – Conducting a Man-in-The-Middle (MiTM) attack on a dealership’s Wifi network would be advantageous to a hacker. A MiTM attack is when the attacker can broadcast their own Wifi network and track unsuspecting users of connecting to the network. Due to the attacker controlling the network they can re-direct the users to malicious payloads in attempt to gain an initial foothold. Once the attacker has infected an unsuspecting user who was redirected to a malicious payload they can then move laterally through the network –RDP is one very popular abused protocol for lateral movement.
WiFi Pineapple - A WiFi Pineapple is a device by Hak5 used for conducting MiTM attacks. A WiFi Pineapple provides a Graphical User Interface (GUI) and requires little technical knowledge to operate. Due to requiring limited technical knowledge the WiFi Pineapple is the perfect MiTM device for novice hackers. Given the fairly cheap price of WiFi Pineapples, $100-$199, advanced adversaries may also use them for the convenience and disposability due to cheap cost.
Plan B Method - Pretend to be an out-of-state buyer of a vehicle with stolen pii information. This information is easily obtained in the underground or varying e-commerce prices. Being hungry for a sale, personnel will ask for a driver’s license number, SSN, and other sensitive data (name, address, DOB, etc…). Then send the salesperson an infected PDF with "information" to backdoor the sales representative, a business development center rep, the finance manager, and/or whoever else is involved in the dealership sales process. The infected PDF could contain a: keylogger, PDF exploit delivering shellcode to older vulnerable versions of Adobe Reader, Word/Excel/Powerpoint exploit delivering shellcode to older vulnerable versions of Microsoft Office, Remote Access Trojan (RAT), cryptocurrency miner, or a variety of malware beneficial to a hacker.
Insider Attack Method - Apply for a job at the targeted dealership. A hacker could send a virus in the application process or proceed with getting hired legitimately. Getting hired will provide you with access to the network at almost any dealership position level. Once comfortable with their systems, conduct an “inside job” utilizing any above methods to hack the network.
Taking a slow, measured attack approach that persists for months, will quash any suspicion. A spoofed email from the CEO or general manager to ask for access or pii information. This works amazingly well at car dealerships, since many never check the email headers. Since its inside the network, a spam filter has no affect. Next to phishing attacks from outside a network, insider threats are the next most common causes for cyber-attacks.
Can dealership be hacked? Yes. Will they continue to be hacked? Yes, as dealerships are a treasure trove of proprietary and financial information to bad guys. But with sound basic cyber security applications in hardware and software, and proper employee training, most hacks can be averted.
For more information of this matter and for assistance in prevention methods, please feel free to contact Wapack Labs @ firstname.lastname@example.org or 1-844-492-7225. Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence organization.