Car recalls and sabotage attacks against MES systems

No doubt you have heard about Chrysler’s recall of affected cars, as it appeared in all the top media. You’ll be even more surprised when you see how many recalls have happened because of technical issues in recent months. But there is something we may miss beyond the headlines: some important potential sabotage vectors may exist, or may even be in use now, and increase these statistics. While it looks like a script for a new episode of Mr. Robot, I think this is much more realistic than you may expect. Let’s first look at the current situation.

When I started collecting information on vehicle recalls, I expected to see a couple of examples in total, but I found a dozen for the last few months alone! Major recalls that happened this summer include more than 50 million cars and their parts from companies such as Takata Corp, Ford, Honda, GM, Nissan, Subaru, Toyota, Ferrari and even Harley-Davidson.

Vehicle recalls are probably the most popular recalls in the manufacturing industry, and they date back a long time. One of the first examples took place in 1969, when rubber parts in V-8-powered General Motors engine mounts would give out, causing the engine to come free, twist upward and pull open the throttle, resulting in rapid acceleration. It would often disable brake assistance, making it harder to stop the car. By 1971, 172 cases of engine-mount failure had been reported, leading to dire consequences (63 accidents and 18 injuries).

If you look at the 12 largest auto recalls in history, which together affected nearly 100 million vehicles, you will find some other major reasons. First place belongs to GM, which issued 71 separate recalls in 2014 covering 26.5 million vehicles. The most popular recalls happen because of airbag issues, faulty seatbelt buckles, stone-guard assembly issues, and bolt failures.

What we can learn from those recalls

It’s absolutely clear that software bugs and errors in the manufacturing process are the major reasons for recalls. To make a long story short, if this can happen by mistake and nobody detects it, then somebody, be it a competitor committing a sabotage attack or an anonymous group of hackers driven by ideological motives, may use this flaw with malicious intent.

Traditionally, manufacturing, planning and design processes are managed in enterprise business applications such as MES, PLM, or CAD systems. For a successful attack on a company, a cybercriminal needs to get access to these applications and make some minor changes in one of the following systems: in CAD during the design stage, in the PLM system during product lifecycle management configuration, or directly in the MES system during manufacturing. The level of MES and PLM integration and automation gives attackers opportunities to easily introduce modifications into those highly connected systems. Siemens (one of the largest vendors providing solutions for the automotive industry) says that “PLM-MES integration allows you to continuously respond to shifting demands by distributing your latest product designs and assembly methods to a more connected, more efficient and more effective production value chain, assuring complete visibility between your production and engineering domains”. So nowadays the production and engineering domains are not isolated; they are connected to a corporate network that is vulnerable to traditional malware and attacks.

The story of Stuxnet has shown that attacks on technology modules are real and have already been executed against SCADA systems and PLCs. Technically, for hackers there is no big difference between that attack and gaining access to these systems. Moreover, the security of these systems is even weaker than the security of SCADA/PLC systems. As for SCADA systems, companies have started implementing SDL and at least somehow monitoring the security of those devices using vulnerability management and event management solutions. But in enterprises nobody takes responsibility for MES/PLM security. We should not forget that those systems are traditionally connected with other applications such as ERP, where there is also a large number of vulnerabilities, according to the “SAP Security in Figures” report. So, finally, getting unauthorized access to PLM or MES is quite an easy process for hackers.

As for the potential attack vectors against automotive companies, here is a simple example. What will happen if somebody changes the pressure of a wheel bolt in the PLM system during product lifecycle management configuration, or directly in the MES system during manufacturing? Of course, there may be many additional checks that identify this problem during car usage, but in some cases it really may lead to a car accident, when you are driving at 120 mph on the highway and the wheel falls off. That was just the first idea, but I found a real example of a recall caused by suspension bolt failure, which affected almost 6 million Buick cars in 1981. Suspension bolt failure has much in common with this simple idea. “If any part of the rear suspension fails at speed, the probability of passenger drama is high. With this in mind, GM agreed to replace rear-control-arm bolts on a number of models in the early 1980s, when reports surfaced that the bolts could fracture or loosen, leading to a loss of control.” A real attacker may do something more critical and less visible, such as introducing bugs in airbags that prevent their inflation in some situations. Not every time, because that would be identified during a crash test, but randomly. These types of attacks not only cause car recalls but can also lead to human injuries, which can destroy the reputation of a victim company.
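On the defensive side, the parameter change described above can be caught before a station uses the value. The following is an added example, not code from the article or from any MES/PLM vendor: it assumes engineering signs each PLM release with an HMAC key and that an independent safety envelope is stored outside PLM and MES; every name and value in it is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample data; all names and values are hypothetical.
RELEASE_KEY = b"demo-key-held-by-engineering-release"  # would live in an HSM
# Independent safety envelope kept outside PLM/MES (e.g. in the quality system).
ENVELOPE = {"wheel_bolt_pressure": (110.0, 130.0)}


def canonical(params: dict) -> bytes:
    """Stable byte encoding so the same parameters always hash the same."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign_release(params: dict, key: bytes = RELEASE_KEY) -> str:
    """Tag computed once, when engineering approves the PLM release."""
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()


def audit_station(params: dict, tag: str, key: bytes = RELEASE_KEY) -> list:
    """Return findings for the parameters an MES station is about to use."""
    findings = []
    if not hmac.compare_digest(sign_release(params, key), tag):
        findings.append("parameters differ from the signed PLM release")
    for name, (low, high) in ENVELOPE.items():
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif not low <= value <= high:
            findings.append(f"{name}={value} outside {low}-{high}")
    return findings


released = {"part": "wheel-bolt-M12", "wheel_bolt_pressure": 120.0}
release_tag = sign_release(released)

# Case 1: MES copy altered after release, still inside the envelope.
mes_copy = dict(released, wheel_bolt_pressure=112.0)
# Case 2: value altered in PLM before signing, so the tag itself is valid.
bad_release = dict(released, wheel_bolt_pressure=60.0)
bad_tag = sign_release(bad_release)

if __name__ == "__main__":
    print(audit_station(released, release_tag))
    print(audit_station(mes_copy, release_tag))
    print(audit_station(bad_release, bad_tag))
```

The two checks cover different stages: the signature catches a change made in the MES after release, while the envelope catches a value that was already wrong when PLM signed it.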

As a conclusion, I hope you got my point. If it still doesn’t look very realistic, remember that every public incident seemed unrealizable before it happened; I think that in the current situation we have to accept the idea that anything can happen. A year ago a remote attack on a car seemed impossible, and 3 years ago no one could imagine a local attack on a car, so it's just a question of time. But the fact is that no one knows whether such attacks have already been performed, or even whether one of these vehicle recalls was a consequence of a competitor’s attack.

Stories by Alexander Polyakov
