Today's cars have come a long way from pure machines run by gears and engines. They've evolved into a platform for computer systems on wheels, with more lines of code than you'd ever imagine - over 100 million, running on anywhere from 50-100+ independent processors called electronic control units (ECUs). To put it in perspective, the new Ford F-150 Lightning runs on a whopping 150 million lines of code, while the Boeing 787 Dreamliner passenger airplane, in comparison, relies on about six and a half million lines of code. This code enables cars to do everything, from helping keep you in your lane while driving to connecting with your phones and playing your favorite tunes.

There’s a running joke in the industry that the only reason cars have wheels is to keep their computers from dragging on the highway. Not only that but any American vehicle from 1996 and European one from 2001 is mandated to have a standardized connector (OBD/EOBD) to the local vehicle computer network (CAN bus). Further, vehicle manufacturers began introducing embedded LTE connectivity as far back as 2014, enabling them to collect performance data and expose remote controls, like locking/unlocking, remote start, etc.

But here's the catch – with so much code, there's a greater chance of it leaking, and that's a serious problem.

If you were in a software company and you accidentally exposed your API key for something like AWS, people could get into and exploit your important AWS resources. That's not good, but when it happens in a car, it's way more serious. Imagine you're zooming along at 70 miles an hour, and someone gains control of the car remotely. It's no longer just about losing data. Now we’re talking about risk to the lives of you, everyone in your car and everyone in the cars around you. This highlights the fact that cars have become an asset that could be vulnerable to bad actors both in-person and remotely.

The rise of the software-defined vehicle (SDV)

The software-defined vehicle (SDV) market is expected to grow in the coming years—from a $43 billion market size in 2023 to as much as $150 billion by 2030.

With Tesla leading the charge, automotive companies are evolving into complex software-first entities with more reliance on software applications for their everyday functions. Ford's recent release of their electric vehicle (EV) versions - the F-150 Lightning and Mustang Mach-E SUV- is a testament to this shift. However, it's crucial to note that while the technology is getting cutting-edge, the industry's cybersecurity practices still need to catch up. This juxtaposition of advanced technology with outdated security measures creates an alarming situation for consumers, original equipment manufacturers (OEMs), and the entire supply chain.

Remember that it's not enough to have a dazzling infotainment system or a seamless navigation experience; the underlying security must be equally robust. Take in-vehicle infotainment (IVI) systems, for instance. They typically operate on embedded Linux, storing the owner's personally identifying information (PII). Plus, they're more often than not linked to vital subsystems like the engine, brakes, and sensors, which, in conjunction with the embedded LTE connection, create a broad, always-connected attack surface. This means if hackers target the infotainment, they could potentially access sensitive data and even control essential vehicle systems. So, robust security here is a must.

The hard truth about code leaks and breaches involving secrets

There is a vast amount of code running through modern vehicles today. This code is the vehicle's lifeblood, controlling everything from headlights to engine systems, and if leaked, this code can unlock a Pandora's box of concerns.

One of the most pressing concerns lies in the leakage of hardcoded credentials. With legacy attacks on automotive systems, the bad actors have to work to find and exploit vulnerabilities to gain access. Hardcoded secrets, on the other hand, can be exploited, with little to no effort, to infiltrate internal systems, potentially resulting in breaches of customer data, theft of intellectual property like source code, manipulation of company-wide systems, and even unauthorized access to mobile apps for controlling vehicles.

This is the difference between a robber having to break your door down vs. you leaving the keys to your front door in the lock. It underscores the critical need for automotive companies to secure their credentials effectively.

Imagine all the data your car collects about you, including personally identifying information (PII), billing information, your everyday movements, etc. Manufacturers maintain vast data lakes containing a trove of information on consumer behavior. Every action, how you drive, where you go, every time you turn on the radio, park, or signal left or right, is logged and returned to the manufacturer. This wealth of data is invaluable for improving products and user experiences.

However, it also poses a significant security risk. Any breach in these data lakes could expose not only individual drivers but an entire user base and every piece of data collected by that particular vendor, making the integrity of the code paramount. Car companies are subject to various data protection regulations such as GDPR and the California Consumer Privacy Act (CCPA). Breaches can result in customer identity theft, financial fraud, and large regulatory fines (up to 4% of annual global revenue for GDPR). Still, in today's world, data breaches are all too common, and safeguarding this information is not just about privacy regulations but about keeping you, your customer, and your car secure.

Headline-making breaches involving Daimler, Nissan, Toyota, and others have exposed the pressing need for an improved secrets management posture. In the breach disclosed by Nissan, a third-party service provider tasked with developing and testing software solutions for Nissan inadvertently exposed customer data due to a misconfigured database.

Nearly 18,000 customers were affected, with exposed information including full names, dates of birth, and Nissan Motor Acceptance Company (NMAC) account numbers. Thankfully, sensitive details like credit card numbers and Social Security information were not compromised. While Nissan has not found evidence of misuse, they had to take steps by offering affected customers identity protection services.

This isn't the first time Nissan has faced such a situation. In January 2021, they experienced a similar incident when a Git server with default access credentials was left exposed online. This led to the inadvertent exposure of 20 GB of sensitive data, including source code, market research, and client acquisition information.

Toyota faced a comparable data breach in October 2022, where a credential granting access to customer data was accidentally exposed in a public GitHub repository for nearly five years. Although Toyota has invalidated the key, the extended exposure raises concerns about potential unauthorized access by multiple parties. This shows public Git repositories pose a significant risk, as code intended for private use can inadvertently end up in publicly accessible repositories, bypassing organizational security controls.

And these are just a handful of examples of publicly shared incidents.

So it is crucial to check for hardcoded credentials everywhere. We at GitGuardian call “secrets sprawl” the unwanted distribution of secrets in all the systems developers use. Secrets sprawl is even more difficult to control with growing development teams and repositories, sometimes spread over multiple geographies. Tools like ggshield, the GitGuardian CLI play a vital role in consistently identifying and mitigating these security risks. GitGuardian Public Monitoring product further reinforces this effort by continuously scanning developer activity on public GitHub, alerting organizations to any potential secrets or credentials leaks.

There was another recent incident where a security researcher discovered GitHub admin credentials due to a misconfiguration, potentially exposing sensitive data from a car company. But in this case, this particular car company had set up a bug bounty program, which encourages ethical hackers to identify and report vulnerabilities responsibly. The researcher, Corben Leo, utilized a series of techniques, including brute force attacks and manipulating host headers to exploit misconfigurations in the system.

By gaining access to certain endpoints, he was able to expose plaintext credentials, eventually leading him to a private GitHub repository admin. This admin had extensive access to over 30 GitHub organizations and hundreds of repositories. The implications of this discovery are significant - had an unethical hacker found this misconfiguration, the car company could have faced a major data breach. Early testing and automated scans, such as those offered by GitGuardian Infra as Code Security, are crucial in preventing such misconfigurations from reaching production environments.

These incidents highlight the urgency for automotive companies to establish robust application security measures. A collective endeavor involving the entire supply chain, coupled with a forward-thinking stance on cybersecurity, is crucial. This approach will safeguard customer privacy, uphold trust, and guarantee the safe functioning of these connected vehicles.

The Telematics server is a vulnerable entry point

In the increasingly connected world, vehicles utilize backend telematics and command & control (C&C) servers which receive data from the vehicle but also send remote commands, such as unlocking doors or starting and stopping the engine. Sadly, this crucial connecting point to the outside world is often not as well guarded as it should be, leaving vehicles open to unauthorized control. If this system gets breached, the consequences can be devastating.

Imagine not being able to access your own car or suddenly having the horn blare and side mirrors fold on their own, as this victim demonstrates. Even worse, an attacker could potentially stop the car or take control of the steering wheel, putting lives at risk. In fact, it could put tens of thousands of cars at risk of being hacked. The attacker could locate, identify, unlock, start, or even set off the alarm in these cars. Imagine what a vehicular denial of service would look like across the entire FedEx or UPS fleet! This highlights the urgent need to bolster the security of your secrets inside Android and iOS mobile applications as well as C&C infrastructure.

“One of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack,” Elon Musk.

The supply chain dilemma

At the Black Hat USA 2023 conference, a group of German researchers revealed a significant vulnerability in Tesla's latest models’ media control unit (MCU). This flaw allowed them to "jailbreak" the infotainment system, granting unauthorized access to premium features like seat heating and 'Acceleration Boost' without payment. The researchers also successfully extracted a crucial RSA key used in Tesla's car authentication process. This key is essential for secure communication within Tesla's service network.

This incident is a stark example of the broader challenge of securing automotive software. In modern vehicles, a significant portion of the software (approximately 85%) consists of open-source code and components sourced from upstream vendors. For instance, in the case of Tesla's MCU, the chip itself is supplied by a well-known vendor, which provides the associated firmware. This chip, while tailored for automotive use, might share its underlying technology with consumer electronics like iPads or MacBooks, packaged in a purpose-built form factor.

However, this also means that any vulnerabilities in this common chip, especially in its firmware, can potentially affect not just Tesla but a range of other automakers using the same component. This highlights the intricate web of interdependencies within the automotive supply chain. If a vulnerability exists in a component, it has the potential to impact multiple car models across different manufacturers. In such cases, it's not a matter of a specific automaker doing something wrong but rather an issue originating from a component supplier or the associated firmware.

When a manufacturer assembles a telematics or infotainment unit that incorporates wireless communication capabilities (such as Wi-Fi, Bluetooth, or cellular connectivity), they're required to submit a Federal Communications Commission (FCC) report. This report details the components used, allowing anyone with access to it to identify the specific chips employed. Armed with this information, it's possible for attackers to trace back to the creators of the chip and its firmware. If there are any weaknesses or vulnerabilities in this firmware, it can have cascading effects.

In essence, it's not just the automakers themselves embedding hardcoded credentials in the vehicles but also the various entities within the supply chain. All these components may have their own software, which can contain embedded secrets and potentially lack robust secrets security measures. This underscores the importance of scrutinizing every link in the chain for potential secrets incidents.

The high stakes of secrets security

You might have heard about the "right to repair" movement. For years, this debate has raged over who controls the data generated by your car. Recently, major automakers and repair shop organizations took a step forward, committing to give independent repair shops access to essential data and tools. However, one crucial aspect is data security. The push for the right to repair would grant consumers and repair shops access to vital vehicle data. This underscores the importance of safeguarding these critical software-defined components from exposing their sensitive code and user information. That's where secrets detection comes in. It ensures that even with this increased access, critical information stays safe.

Let's talk about updates. Do you know how your phone gets updates to fix bugs and add new features? Well, cars get them, too, but they're sent through the Over-The-Air (OTA) process. This technology empowers automakers to continually refine and enhance a vehicle's performance, rectify issues, and introduce new features without the need for a visit to the dealership. Manufacturers save on costly recalls, but this also inadvertently creates a potential entry point for attackers. Attackers can intercept, dissect, and manipulate these updates, uncovering hidden features, functions, and sensitive information like “ hardcoded secrets” within them, ultimately leading to ransomware attacks.

To ensure automotive applications are secure, it's crucial to integrate security measures right from the start of the development process. This involves identifying and fixing security incidents related to secrets early on rather than dealing with them in later stages. While educating developers not to hardcode secrets is important, it's not always practical or foolproof. Code reviews, though helpful, can sometimes miss these issues and can be time-consuming.

That's where GitGuardian comes in. Our enterprise-grade platform is designed to offer precise, comprehensive, and user-friendly secrets detection and remediation seamlessly integrated into your DevOps workflows. This way, you won't have to worry about maintaining or updating the solution. Whether in the automotive industry or any other, relying on such a platform benefits both manufacturers and their customers.

Before we wrap up

Want to stem supply chain security risks in your automobiles? Dive into our State of Secrets Sprawl 2023 report to understand the risks, or simply request a complimentary secrets exposure audit (delivered directly to your inbox, no sales call required).