Auto dealers are prime targets for hackers, warn researchers
Car dealerships are prime targets for hackers eager to exploit weak security and access a treasure trove of financial data and gain access to third-party vendor supply chains.
According to Tuesday report posted to AT&T Cybersecurity’s blog, cybercriminals are zeroing in on car dealerships considering them easy targets for a cyberattack. Attack vectors include, “outdated IT infrastructure and lacks sufficient processes in terms of protecting employee login details,” according the report.
Adding to the mix of security issues is the increasingly sophisticated number of computer-based diagnostic tools used in auto repair bays and computer systems in car dealer back offices. That has adversaries revving their hacker engines ready to attack, said Theresa Lanowitz, head of cybersecurity evangelism at AT&T Business.
“Employees in a car dealership may have lax security hygiene which means it’s even easier for adversaries to launch attacks. And car dealerships have repair bays with internet connected devices. These devices, if breached, also offer an adversary a way into the network to potentially execute nefarious activities,” Lanowitz said.
Those attack surface weak spots are low-hanging fruit for attackers to easily plant malware, eavesdrop on insecure Wi-Fi connections or exploit poor password hygiene.
No such thing as cybersecurity airbags
The danger is not theoretical for dealerships or vendors connected to dealerships who could also be put at greater risk. In a separate report out this week, researcher Eaton Zveare detailed a severe vulnerability he found in the web portal of Toyota’s global supplier management network.
“I hacked Toyota’s Global Supplier Preparation Information Management System,” Zveare wrote.” The system in question is “a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases, and other tasks related to the global Toyota supply chain.”
The research, conducted in 2022 and disclosed this week, allowed the researcher to access 14,000 corporate user accounts and confidential documents. The issue was responsibly disclosed to Toyota and the security hole was mitigated immediately.
