December 27, 2014 — Much of the auto industry’s discussion regarding cyber warfare focuses on the inherent vulnerabilities of the connected vehicle. But one area that receives little scrutiny is the retail side of the automotive industry. This will soon change as dealerships likely will become one of the central battlefields in the cyber wars that will be waged in the near future.

In general, cyber attacks on businesses are becoming more common and, for the most part, are designed to steal customer data. The well-publicized attacks this year on companies such as Target and Home Depot fall into that category. The attacks hurt the bottom line and the share price, and even resulted in people losing their jobs, but both companies survived.

Much of the automotive retail industry’s attention is on protecting customer data as well it should be. In fact, Congress has tasked the Federal Trade Commission with regulating data security and consumer privacy practically guaranteeing data security is going to be one of the top issues facing dealers the next several years.

THE TREND TOWARD MORE DESTRUCTIVE ATTACKS

But the industry needs to expand its perspective beyond just protecting customer data and instead take the steps necessary to protect their businesses from possible destruction.

What’s troubling is that the recent attacks on Sony Pictures and another one earlier this year against the world’s largest casino company Las Vegas Sands Corp., were much more destructive in nature and weren’t focused on stealing consumer information. Both attacks apparently were waged by foreign countries bent on revenge and sought to exact significant damage on Sands and Sony.

Analysts are expressing concern that the trend will be toward cyber attacks increasingly focused more on destruction of businesses as opposed to “merely” stealing customer data.

Details about the attack on the Sands Corp. — which owns the Venetian and the Palazzo casinos in Las Vegas — only recently came to light in a fascinating account in a Bloomberg BusinessWeek article. Iran, angry with comments made by Sands majority owner and CEO Sheldon Adelson at a conference in New York about the future existence of the Jewish people, launched the devastating attack on the casino company. During the February attack as IT systems began going offline, Sands’ IT employees raced through both the Venetian and the Palazzo unplugging every computer connected to their network, including ones on the casino floors. Entire hard drives were wiped clean while phones and email stopped working.

According to the story, which I recommend reading, nearly 75% of Sands’ computer servers were destroyed. The company is still determining the total damage, but early estimates are pegging it at approximately $40 million.

DEALERSHIP VULNERABILITY

It’s no secret in the automotive retail world that dealers are vulnerable to attacks. One scenario is direct attacks against their businesses while a second involves the possibility that hackers could target dealerships to gain access to entire networks of connected vehicles or even their manufacturers.

Stories of dealerships being victim to cyber attacks are few, but there are many more that have not been reported, according to security and computer network experts in the industry. The truth is, the stories are more common — and even more disconcerting than the industry lets on. (Read more at Industry Data Practices Leave Dealers Legally Exposed).

Dealerships perhaps are most vulnerable now in the area of data security. Our research has shown that there is a “black market” in the automotive retail space for customer data that is extracted from the DMS (dealer management system)  — in some cases, by dealership employees, and in others, by vendors. The data then is sold to firms that cleanse and dedupe it. Those firms then resell the data to marketing agencies, data brokers and others who can claim ignorance for how the data is obtained.

Rogue employees selling customer data or unethical vendors rooting through a DMS is cyber theft and not necessarily hacking. In many ways, that’s a scenario many dealers think they can live with, as long as no enterprising consumer attorneys attempt to hold the dealership responsible. The challenge now is the FTC has a renewed and energized focus on making sure consumer data is protected. (More on this below).

Other problematic scenarios involve cases in which hackers can do real damage to a dealership.

Examples of Dealerships Being Hacked

A situation from nearly five years ago that involved Texas Auto Centers, a group of used car dealerships in Austin, TX, shows how simple it is to gain access to and control vehicles using a dealership’s computer system.

A former employee who had been laid off by the dealership used a former colleague’s password to access the dealership’s system. From there, he wreaked havoc with vehicles that had been sold with a black box provided by Web Tech Plus designed to let customers know when they were behind on their car payments. The technology remotely causes horns to begin honking or disables the vehicle’s ignition system as a way to prod customers to make their payments.

The disgruntled former employee was able to remotely play with the horns and ignition systems on the vehicles of hundreds of customers. The dealership caught on when several customers called to complain. Austin police were able to determine the culprit by accessing the log in records and tracing it to the former employee’s address.

Meanwhile, a Ford Chrysler Dodge Jeep dealership in Abilene, KS three years ago was hacked when an outsider logged into its bank account and wired $63,000 into nine fictional employee accounts he had created. By the time the owner discovered the crime, much of the money had been wired to offshore accounts.

More recently, DealerTrack executives shared details during an interview at the NADA convention this past year of how one dealer group on the DealerTrack DMS had endured a cyber attack that lasted for more than one day in which hackers tried to gain access more than 20,000 times. DealerTrack’s IT people thwarted the attack so well, the dealership’s management team didn’t learn of it until DealerTrack informed them. It was just one example of many, according to the executives.

In another case, a dealership found itself locked out of its own DMS recently. Hackers in the Middle East gained access to the system and changed the passwords holding the DMS for ransom. The dealership had no choice but to pay the perpetrators. This type of attack potentially will become a popular method with hackers. And dealerships likely will be attractive targets.

The challenge facing the automotive retail industry is that the security efforts of many dealerships, aside from the high level of security their DMS vendors provide, are inadequate.

Managing network security is not easy at the dealership level. High employee turnover coupled with an average of 17 different vendors per dealership (according to NADA) — all with a separate log in entry point — make the “simple” task of even handling passwords a lost cause.

Unfortunately, passwords are how most hackers gain access to network systems. And often, it’s not a password that provide direct access to a network but a password of a vendor or ancillary company that a hacker can use to exploit an unknown loophole to gain access. An important detail is how the hackers gained access to the central servers in Las Vegas by first targeting the Sands’ casino in Bethlehem, PA, to overwhelm its security system and ultimately found and used a password of an IT manager from Vegas who had been in Bethlehem doing some work. Meanwhile, hackers gained access to Target’s data using a heating and cooling vendor’s password that had access to its system.

This raises the question of whether hackers could use access to a dealership’s network to gain entry into into either a connected vehicle network or possibly into a manufacturer’s system.

CONNECTED VEHICLES

Security experts over the last few years have begun to sound the alarm in the automotive industry about the potential dangers as the connected vehicle becomes the standard. As vehicles increasingly become the “web browsers on wheels” that former Sun Microsystems CEO Scott McNealy predicted in 2001 at a telematics conference in Detroit, potential access points for hackers are growing. Bluetooth devices, telematics and entertainment systems which have access to the Controller Area Network (CAN — the in-vehicle “router” that manages the flow of data among the Electronic Control Units) are standard today.

The industry is debating about how easy it is for hackers to gain control of a vehicle. Including the situation we mentioned earlier with Texas Auto Centers, the evidence seems to indicate that while difficult, it’s not impossible. (An interesting side note involves speculation within the intelligence community that someone hacked into the Mercedes Benz controversial journalist Michael Hastings was driving, causing the one car accident that killed him in June 2013. At the time, he had been working on a profile of CIA Director John Brennan for Rolling Stone Magazine.)

Researchers from the University of California, San Diego and the University of Washington were able to upload a virus to numerous vehicles using a dealership’s service diagnostic tool. The paper they published in 2011, Comprehensive Experimental Analyses of Automotive Attack Surfaces, recounts how they were able to turn on the brakes, disable the engine and even listen to conversations in the vehicle. 

And then, there are the infamous YouTube videos from a year ago in which Chris Valasek, Director of Vehicle Security Research for IOActive, and colleague Charlie Miller demonstrated how they could control certain aspects of the vehicle when they hacked into a Toyota Prius and Ford Escape. Although, they did not hack into the vehicles remotely, the purpose was to show how hackers could control vehicles. Other researchers from China and Israel have demonstrated the ability to hack into vehicles remotely.

Part of the debate is whether hackers could hack into an entire network of vehicles and what would the motivation be even if they could. As we’ve argued above with the recent Sony and Sands Casino attacks, revenge or corporate vandalism are motivation enough.

The industry is trying to get ahead of any potential problems, although, numerous experts admit the automotive space has a lot of work to do. The National Highway Traffic Safety Administration along with several automakers recently announced the creation of a Sharing Advisory Center to collect cyber threats and share them with the industry. It will take approximately 18 months before the Center is fully online.

Dealerships as an entry point

But dealerships aren’t included in the Center even though experts often mention them as being a means of entry for hackers gaining access to vehicle networks. One of the most commonly mentioned access points is the service repair diagnostic tools dealerships use in their service departments. Last summer during the SAE 2014 World Congress panel “Connected Car and Cyber Security,” Andre Weimerskirch, associate scientist at the University of Michigan Transportation Research Institute speculated that a vehicle in which a hacker had placed malware or computer virus, once connected to a diagnostic tool, could pass that virus to other vehicles that are later connected to the same tool.

(Some analysts have said they believe using a diagnostic tool to gain access isn’t a realistic scenario because of the difficulty hackers would have at getting to a diagnostic tool. We beg to differ. A few years ago, when independent shops were trying to force automakers to make their diagnostic data available, a luxury dealer in Long Island provided vehicles to an individual who would bring into the US on work visas, about half a dozen Chinese individuals who would live and work in a warehouse reverse engineering the vehicle’s computer networks. They would beam the data using a satellite back to their company in China where it would be reversed engineer to create diagnostic tools that would then be sold on the “black market” here in the U.S. to independent shops.)

Another potential vulnerability are the telematics systems such as General Motors On Star. XTime (recently acquired by Cox Automotive), a company that is known for its online service scheduling tool is also working with numerous automakers to use the telematics system to develop ways to connect vehicles to dealerships. At some point in the near future, a vehicle’s on board diagnostic software will detect the vehicle needs an oil change, communicate with the dealership’s online scheduling software to see which times are available and offer to set an appointment for the customer.

XTime has sponsored and participated in several of the industry’s “Connected Car” conferences the last couple of years and executives say they are involved in the conversations surrounding security.

Is it unfeasible for a hacker using either the telematics system or Bluetooth to download a virus to a vehicle that then gets passed to a dealership’s DMS which then infects the dealership’s manufacturer network? As systems and software communicate more in the Cloud, these types of scenarios potentially become more realistic.

INDUSTRY FOCUS

The inconvenient truth is, in many areas, the automotive retail space isn’t even up to speed on basic data protection practices, let alone protecting itself against sophisticated foreign hackers.

With nearly 18,000 new car dealerships and more than 1,000 vendors that service those dealerships, data security is becoming an increasingly bigger issue for the industry. Dealers and vendors need to begin building within their own organizations a culture and mindset in which data security is a top priority.

Education

It’s a fragmented industry with thousands of players. One challenge is educating dealerships and others of the importance of being compliant with laws such as the Gramm-Leach-Bliley (GLB) Act’s Safeguards Rule and Privacy Rules that govern data protection.

The FTC is paying attention with renewed interest. We know of at least one dealership the FTC has taken action against for failure to protect its customer data. The FTC also charged the dealership with deceptive advertising because its practices were not consistent with its published data protection policy. Last year, NADA published a 14 page memo (can be downloaded here) that outlines the processes dealerships need to put in place to be compliant. NADA continues to update the memo as the FTC adds clarification or takes action against companies that aren’t compliant.

The FTC is watching and the industry can expect significantly more adverse actions in the near future.

Reynolds and Reynolds and CDK Global (formerly ADP Dealer Services) have been sounding the alarm for years. It’s true that some of their practices are controversial. It’s a conversation — or battle — that’s been going on for nearly a decade now. Reynolds and/or CDK close access to other third party vendors in the name of security and then charging those vendors with what some claim are extortion-like prices to be certified and regain access to the DMS.

Whether one agrees with the certification process (or prices) the truth is, Reynolds and CDK are not wrong in trying to limit vendor access. According to FTC interpretation, the mere fact a vendor has access is constitutes sharing of data. It’s a legally dangerous world in which the dealership and DMS vendor live today. Too many vendors have unfettered access..

(Both CDK and Reynolds — as does every other DMS vendor in the space — have their own challenges when it comes to data protection and in some ways, enjoy a scenario in which the “fox is guarding the hen house.” Nevetheless, their warnings should not go unheeded).

Reynolds and Reynolds has published white papers on ways dealerships can enhance their security. Meanwhile, CDK last year held several sessions in various markets with clients walking them through the processes they need to have in their dealerships to make sure they are protected.

J&L Marketing is another company that began conducting webinars last year along with workshops at various industry conferences, including the NADA convention, on the importance of data protection. Company executives correctly realized that lax procedures at dealerships also makes them as a vendor, legally vulnerable.

Large dealer groups are getting the message. Group 1 Automotive has held numerous meetings this year with other large groups in an attempt to create a standard contract providing strict guidelines for how vendors can collect and use data they extract from the DMS.

Data Security Vendors

Meanwhile, several dealer groups have signed on this year with a company called DealerVault, that was started a few years ago by Steve Cottrell who also owns Authenticom, a data extraction firm. DealerVault is interesting because it provides the dealer with control over which vendors access their DMS and restricts the data they collect to only the data they need. The company does have some business challenges — such as getting vendors to agree to play ball, but as more dealers sign on and insist their vendors participate, that issue goes away. The DMs vendors also are a challenge because DealerVault potentially is taking revenue out of their pockets. But DealerVault has been able to create “work around” solutions where necessary.

Another vendor that’s entered the data security space this year is Simpler (website is Simpler.io). The firm claims it can solve the issue of password management. It’s a simple concept — no pun intended. As dealerships have an average of 17 different vendors — all with their own separate entrance gateways with separate log ins and passwords — password management is an overwhelming and complicated task. There are dealer groups that use anywhere from 50 to 60 different vendors. Multiply that by the number of employees (hundreds in some cases) each with a separate user name and password, and suddenly, the dealer group is trying to manage thousands of passwords.

Simpler creates one log in entry point for the dealership eliminating the need for employees to open and log into each vendor’s gateway. The employee logs in one time and has permission-based access to the appropriate vendor solutions.

Over the next year or two, it’s probable that we’ll see more start ups focusing on providing solutions to help dealerships protect themselves.

(TBR is not endorsing the above companies, nor does it have any beneficial arrangement — financial or otherwise with those vendors. The companies do provide unique solutions to pressing issues facing the industry today, however.) 

THE FUTURE

As we look at and analyze the industry, we believe data security is becoming one of the most challenging and important issues for dealers and vendors. Increased vigilance from the FTC; the growing number of access points at the dealership level; the vast amounts of consumer data dealerships manage each day and the fact they sit at the center of much of what happens in the automotive space means dealerships are going to be attractive targets for hackers.

It’s inevitable. And it’s time the industry turbo charges its efforts to make sure it can defend itself in what’s going to be — and already is — a daily battle.