We need to learn, as an industry, from our mistakes. When an oversight is identified as part of the SDLC, it should be addressed promptly, with the priority set by the criticality of the issue. InfoSec is no different. If a vulnerability is noted, it should be remediated as soon as possible. Remediation may take time and, depending on the circumstances, may have to ship in the next model year of a product or in the next software release. But if the issue has been noted and acknowledged by the company and is still not resolved within a reasonable amount of time, there is a bigger, more systemic problem to be considered.
In mid-2017, a compromise targeting Mazda vehicles was published. The PoC was titled the Bad Valet attack, and it used the USB port as the attack vector, affecting vehicles from the 2014 model year onward. The exploit required only that a user plug in a malware-laden USB stick. The malware gained access to the Linux OS running the infotainment system and allowed modifications to be made to it. Per Mazda, this was patched.
Along came 2018 and two new researchers with a similar attack. This one also used a USB stick and required it to be inserted in the port for only about 10 seconds. The malware collected data from the user's smartphone (e.g. text messages, call records, photos, contacts, GPS history, and emails), along with the vehicle's geographic location. It exploited the autorun option that had been left enabled on the infotainment system: the system executed code from a newly inserted, untrusted USB device without any verification that the code was authorized.
Two USB-borne attacks on the same platform in consecutive years indicate a recurring issue with the development team tasked with the OS: the first fix addressed one exploit rather than the underlying design flaw of automatically executing code from a physically attached, untrusted device. DevOps should incorporate InfoSec from the start. The cost and time savings of SecDevOps have been documented and should be applied here.