VIN Cybersecurity Exploits and How to Address Them in 2023
Cybersecurity is no longer the exclusive domain of computers, servers, and handheld devices. As wireless connectivity grows, it makes many daily activities more convenient, but it also means that cars may be vulnerable to cyberattacks.
Connected, Autonomous, Shared and Electric vehicles are starting to dominate the auto market, but they often carry significant cybersecurity risks. Recent research shows how the apps and services that let drivers access their cars’ functions remotely are just as easily accessible to unauthorized parties.
How Cybercriminals Exploit VINs
Security researcher, Sam Curry, described a series of connected car vulnerabilities in a recent blog post. Most pressing among these was the ability to take complete control over some vehicles with just their Vehicle Identification Number (VIN). Curry and his team found mobile apps from Honda, Kia, Infiniti, Nissan, and Acura let them gain full account access by inputting this number.
While these apps typically require an email and password to log in, cybercriminals could use the VIN to bypass this authentication and reset the account. From there, they can access a wide range of sensitive information, including drivers’ names, phone numbers, email and physical addresses.
More concerning, once inside the app, attackers can use it to control many of the vehicle’s functions. They could lock and unlock the doors, start or stop the engine, activate the headlights and access the car’s precise location through its GPS services. On some models, they can change the account settings to lock rightful owners out and transfer ownership of the vehicle.
The U.S. National Highway Traffic Safety Administration (NHTSA) standardized VINs in 1981, and they’ve since become the accepted method for tracking and registering vehicles in the U.S. Consequently, they’re an easy data point to use for registration on these apps, as they’re unique to each vehicle, but they’re also publicly available. Anyone can view a car’s VIN by peering through the windshield, making these vulnerabilities a significant security risk.
How to Address These Vulnerabilities
According to Curry’s post, the vehicle manufacturers in question have since patched these specific vulnerabilities, but they outline some broader issues automakers must address. Here’s how app developers and drivers can minimize similar risks in connected cars.
Require Multi-Factor Authentication
One of the most critical steps to secure connected vehicle APIs is to implement multi-factor authentication (MFA) into vehicle apps. Some apps have no MFA functionality, leaving people vulnerable to attack. Users shouldn’t be able to access and change accounts with a single piece of information like a VIN, which many apps currently allow. Stealing one data point is too easy, so developers must require more than one factor to access cars and their accounts remotely.
App and token-based authentication factors are the industry standard, thanks to their high security, so automakers should prefer these. Tokens are more challenging to exploit than SMS or email-based verification, making them ideal for these high-severity applications.
It’s essential to avoid making MFA optional, too. If users have the choice to disable MFA, many will, because it’s more convenient to do so, but this creates too many vulnerabilities. Given how damaging a vehicle hack can be, MFA should be mandatory by default.
Strengthen Firmware Updates
Automakers and their app developers should revisit their firmware updates. These updates are critical to vehicle security, but many rely on vulnerable over-the-air (OTA) or user-reliant approaches. This can render vehicles useless as drivers wait for updates to install — and some users may ignore updates entirely.
Vehicle app developers should create a notification process to alert drivers when an update is available. They can then schedule the update for a convenient time or take it to the dealership to install it in-person.
It’s also vital to ensure these updates can deliver information and install securely. Connected vehicles must feature authentication protocols to ensure OTA updates come from legitimate sources. Events like the 2020 SolarWinds attack highlight how damaging compromised OTA update systems can be, so deploying authentication controls like certificates and tokenization is crucial if automakers enable user-scheduled OTA updates.
Minimize Information Sharing
Client-side steps are also necessary to minimize VIN exploits and similar attacks. One of the most crucial steps for drivers is to reduce the data they share with other people, apps and businesses.
Ideally, users should an email address separate from their primary or social one for these apps. This will reduce the chances of cybercriminals being able to gain their login information through other sites or phishing attacks. However, this can be difficult in some situations, as providers limit users’ number of addresses. In those cases, advanced spam filters and learning how to spot phishing attempts can help keep users safe.
Similarly, they should avoid posting too much information about their vehicle on social media or other online forms to keep possible authentication details as private as possible.
Strong password management is also important. A third of Americans reuse passwords across multiple sites, leaving them vulnerable to credential stuffing, but drivers should avoid this.
If available, enabling MFA will mitigate the threat of weak passwords, but using unique, complex passcodes in the first place is still a best practice. If an app doesn’t support MFA or complex passwords, users should avoid basing PINs on birthdates, anniversaries, or other numbers with real-life inspirations to minimize the threat of social engineering or credential stuffing.
Cybersecurity Is Imperative for Modern Vehicles
Vehicle connectivity has many advantages, but automakers must ensure their apps are secure before rolling out these features. Without proper security, these APIs may endanger drivers and others on the road.
Automakers may have resolved recently exposed VIN exploits, but this research highlights the importance of ongoing security checks. As new apps emerge and cybercrime evolves, car companies and their developer partners must review their security posture repeatedly to minimize vulnerabilities.
About the Author:
Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc