Cybercrime Hits the Fast LaneCybercrime Hits the Fast Lane

Car dealers hit by CDK Global’s big hack attack may want answers about what happened.

But they won’t get much of a detailed explanation from the information-technology and software company, says Erik Nachbahr, founder and president of Helion, a firm that assists the auto industry in fending off cybercriminals.

No matter how much dealers might want answers, “no vendor is going to reveal their security measures or their methodology of dealing with cyberattacks,” he says.

And, he adds, they shouldn’t. Otherwise, it would give hackers “a leg up.”

Cyberattacks on the automotive industry – from manufacturers to dealers – once were relatively infrequent, but not anymore, says Daimon Geopfert, a cybersecurity expert and a principal at consulting firm PwC.

“Anything that was associated with automotive used to be beneath the interest of hackers,” he says. “Now, no industry is exempt from hackers who make money by taking down a business.”

The CDK attackers operated on the ransomware-as-a-service model, encrypting data, shutting down a computer system and demanding a ransom to release the hold.

It’s a far cry from earlier cybercrimes, such as a digital fraudster trying to con a dealership out of a car through false identification.

CDK’s June ransomware attack affected thousands of dealer clients, shutting down their dealership management systems and preventing them from doing business as usual digitally.

CDK paid about a $25 million ransom to the hackers to call off the attack, according to multiple sources. CDK is mum about that.  

Ransomware Rising

Ransomware attacks are increasing, Nachbahr notes. Dealers can’t individually fight an attack on a vendor such as CDK.

But they can take steps to thwart similar assaults on their individual stores. “The risk that dealers can control involves their own systems,” Nachbahr says during an online presentation.  

To fend off attacks, he recommends dealers retain digital security experts and not rely on information technology (IT) employees, many of whom are self-taught and spend much of their time fixing and maintaining systems.

Nachbahr urges dealers to act responsibly when choosing any digital services provider.

Some dealer choices are “scary,” he says. “One dealership was outsourcing data mining from its Document Management System (DMS) to India. Really? That’s crazy.”

Dealership success and peace of mind depend on developing, implementing and maintaining a comprehensive information security program, he says.

He adds that a dealership compliance document should constitute “more than just words” shown to the Federal Trade Commission to conform with red-flag regulations on protecting customer information.  

“A written compliance document represents a call to action,” says Nachbahr. “It’s verification that a dealership is taking cyber-protection efforts and continuously improving them.”

Geopfert speaks of a risky world in which not only automakers and dealers are targets. Also in the crosshairs are the modern connected cars they sell and make.

“A connected vehicle contains all the codes,” he says during a PwC media roundtable in Detroit.

“Some hackers use an antenna to capture a (connected) vehicle’s over-the-air updates, Geopfert says. “Imagine ransomware that can hit one car and affect every car with that software.”

An Act of War

Worst-case scenario: a massive shutdown of vehicles on the road.

“That would be considered an outright act of war,” says Geopfert, who formerly served in the military as a cybersecurity specialist.

The chances of cyberattacks on cars increasing are “100%,” iSeeCars.com auto analyst Karl Brauer tells WardsAuto.

Some mischievous hackers will do it for fun. Most do it for the ill-gotten financial gains.

Then there are mad-scientist types who might someday zero in on a self-driving vehicle and “make it take a left turn while on the Golden Gate Bridge,” Brauer says half-kiddingly.

It’s almost inevitable that connected cars are added to the hacking list, Andrew DiFeo, dealer principal of Hyundai of St. Augustine (FL), tells WardsAuto.

“No matter what you have that’s connected, there are people out there trying to do bad things,” he says. “But it shouldn’t prevent us from further developing connected cars.”

So, the battle between good and bad carries on.

If a hacker breaches a figurative 10-foot wall, defenders build a 12-foot wall. If that’s scaled, yet a higher one is erected. And on it goes.

Emerging artificial-intelligence systems can both deter and aid hackers. As Geopfert notes: “AI, like every technology before and after, creates and solves problems.”

If so much effort goes into defending against cyberattackers, why isn’t there a greater effort to proactively find and charge criminals? That’s easier said than done.

Many times the bad guys are in remote locations, far from the scenes of the crimes, Geopfert tells WardsAuto.

They often operate in foreign countries outside the legal jurisdiction of where the crime occurred. As said, mainly hackers are in it for money, but some do it for kicks – or even out of boredom.

Geopfert tells of a busted hacker who lived on an island off the U.K. coast.

Asked why he did it, he said, “There’s nothing else to do on this frigging island.”