Time to panic


Sean Thomas is the lead solutions architect focusing on cyber security at A&R Solutions.

Sean Thomas
Computer Security Columnist

There is no way to predict with absolute certainty what the future of cyber security might bring. Could you have ever imagined something like Facebook would exist 12 years ago?  What about Google? Only 18 years ago, it was literally in someone’s garage.

That said, the past five years have given us a good idea of what is to come.

Why do cyber security threats matter to your dealership? Simple: cyber criminals are primarily targeting small to medium-size businesses, especially businesses with smaller IT budgets.

What makes dealerships especially vulnerable are things like the frequency of wire/bank transfers, expensive inventory, outdated technology and high turnover.

This shouldn’t be news to you. If you haven’t already been a victim of ransomware, you probably know at least one dealer who has. It’s the evolution of this ransomware that is scary.

Weak Points
Think of all the points at your dealership that are connected to the Internet or your internal network: computers; smartphones; desk phones; photocopiers; etc. Right? Almost.

Did you forget your DMS?  Key management system?  Wi-Fi?  Security cameras?  Access control?  HVAC?  Vehicles in your service department?  And that’s just to name a few.  Can you imagine how much more will be connected in just a few years from now?

Anything connected, directly or indirectly, is vulnerable to hackers.  Don’t believe me? Try reading the Wired.com article (subsequently covered in a previous issue of Canadian AutoWorld) on how hackers remotely took control of a Jeep Cherokee as it drove down I-64 at 70 mph.

Did I mention those same hackers did something similar to a Ford Escape and a Toyota Prius? Thankfully, in all cases the OEMs were able to patch the flaw in the vehicles before anything serious happened.

While that might fill your service department with warranty work, it’s just an example of how, no matter how much money you throw at it, IT-security backdoors exist.

The Nightmare Scenario
Here’s another example of how this type of flaw could seriously affect your dealership.

A hacker sends a targeted email to your sales department. It looks like it is coming from you, the dealer principal. The email address is the same. The signature matches. The email by all accounts is legitimate.

Let’s now assume nine out of 10 sales personnel delete the email knowing it’s not actually from you. What about that new salesperson who wasn’t sure and opened it?

Nothing appears to happen. They delete the email and go on with their day. Little does anyone know, but that hacker now has a backdoor into your internal network.

They wait until the dealership is closed for the weekend and start their attack. They penetrate your service department and “adjust” how vehicles are programmed, giving themselves a backdoor.

Of course, you won’t notice this slight adjustment; there is nothing obvious about it. Four months later, at 10 a.m., the hacker strikes. They start by disabling the vehicles currently in your service department. The ransom is $250 a vehicle and you have one hour to pay.

The hacker will demand the ransom in Bitcoin, so you better know what they are and how to get them.

Panic has no doubt set in and your service department tries frantically to fix the vehicles.

The first hour passes. The hacker now demands double the ransom per vehicle.  They have also chosen at random 50 vehicles you have serviced over the last four months and disable them too.

Now what? The next hour will see another doubling of the ransom and 100 more vehicles disabled. Your IT provider can’t help; neither can the OEM or the RCMP.

These hackers are using the Dark Web and have covered their tracks perfectly. They won’t be found in time so you better pay up.

This might seem like an unbelievable scenario, but I can assure you this is possible today. Tomorrow will only make it easier.

This scenario was an example of the use of a phishing attack to gain access. The two other main methods of attack are hacking, an attempt to penetrate your network by finding a hole or backdoor in your system or network, and social engineering, where an attacker will manipulate the end user into unknowingly giving up sensitive information or access.

Social Engineering
Again, the attack originates with your sales department, generally your store’s weakest link.

This time, the hacker poses as an employee from any one of your OEM, DMS or IT providers. They call regarding an issue that they need to remote in for.

In this example, we’ll say the hacker claims they work for Reynolds & Reynolds.  They direct the individual to www.reynoldssupport.com. It definitely seems like a legitimate website, because it has been made to look exactly like the Reynolds & Reynolds website.

The domain? At the time of writing this article, it was available to register and could be used by anyone. It’s just one example of how easy it is to fake being someone you’re not.
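A lookalike support domain like the one above is something a short allowlist check can flag before anyone lets a caller remote in. This is an added example, not part of the original column; the approved domain is a placeholder and the brand keyword list is an assumption.

```python
from urllib.parse import urlsplit

# Assumed allowlist: support domains your vendors have confirmed in writing.
# "vendor-support.example" is a placeholder, not a real vendor domain.
APPROVED_DOMAINS = {"vendor-support.example"}
# Assumed brand keywords that should only ever appear on approved domains.
BRAND_KEYWORDS = {"reynolds"}


def host_of(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """Last two labels of the host. Simplification: ignores multi-part
    suffixes such as .co.uk; use a public-suffix list in production."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_support_url(url):
    """Classify a URL a caller asks staff to visit:
    'approved', 'lookalike' or 'unknown' (unknown is not trusted either)."""
    domain = registrable_domain(url)
    if domain in APPROVED_DOMAINS:
        return "approved"
    # A vendor's name anywhere in a host that is not on the allowlist.
    if any(keyword in host_of(url) for keyword in BRAND_KEYWORDS):
        return "lookalike"
    # A domain one or two characters away from an approved one.
    if any(edit_distance(domain, ok) <= 2 for ok in APPROVED_DOMAINS):
        return "lookalike"
    return "unknown"
```

Only an "approved" result should ever lead to a remote session; anything else means hanging up and calling the vendor back on a number you already have on file.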

As before, nothing obvious happens when the hacker connects. They perform some Windows updates and claim they have resolved the issue – just enough to not set off any alarms and make their presence seem legit.

Like the previous scenario, they have installed a backdoor to your internal network and will wait until the right time to attack. This time, they won’t go after your service department; they will target your entire dealership.

The goal of the attack is to redirect all traffic bound for financial websites to their servers.

The attack will be simple: you will be presented with what you think is your financial institution’s website. When you enter your credentials, you will in fact be logged into the institution’s website. However, the hacker will have stolen your credentials using a man-in-the-middle attack.

Use a key fob? No worries. The hacker’s system will instantly log into your account using the key fob code. From there, they will start draining your bank account, or most likely, they will coordinate the attack at night so they can drain multiple accounts at once.

This situation is possible now, never mind in the future.

The Future
This brings us back to my original question: What is the future of cyber security?

Over the last year alone, ransomware has netted an unbelievable estimated $300 million. There are reports that as much as 20 per cent of that profit has been put back into research and development – that’s right, even criminals have R&D departments.

These cyber thieves are evolving faster than the security companies. To put it plainly, they are winning the battle and only getting better at it.

Ransomware is the future of cyber security, plain and simple. It will evolve into new and more devastating forms.

No longer will they simply hold your files hostage. They will soon hold your livelihood hostage – everything from your customers’ vehicles to your DMS, or even your entire dealership. That doesn’t just mean your computers; they will control your HVAC, security system, lighting, phones, network, backups, etc.

Oh, and did I mention the framework used to launch these cyber attacks is available on the dark web for around US$200?

Your Plan
All of these scary situations of course beg the question: what can be done?

As I’ve mentioned before, your IT provider is your first line of defense. They can help you keep all the doors locked and ensure your AV and backups are running properly.

However, the cyber security threat now goes beyond the IT provider. You will need someone to perform regular physical and cyber audits on your dealership, train and educate your employees on how to avoid cyber crime in your dealership, and ensure that both your cyber and your physical security systems are tailored to your dealership’s unique needs.

Welcome to the future!

Sean Thomas is the lead solutions architect focusing on cyber security at A&R Solutions. A&R is the IT provider for over 500 dealerships across Canada. For more information, contact Sean Thomas, sean@anrsolutions.ca.