Tier 1 supplier hacked, but so far every linked supply chains prevails unaffected.
Last year the U.S. Department of Transportation’s National Highway Traffic Safety Administration released an update to its 2016 edition of “Cybersecurity Best Practices for the Safety of Modern Vehicles”, which we also wrote about in AutoSec newsletter [link].
That report emphasized the importance of all individuals and organizations involved in the design, manufacturing, assembly, and maintenance of a motor vehicle have a critical role to play with respect to vehicle cybersecurity. Nevertheless, should organizations within the full automotive supply chain set clear cybersecurity expectations for their suppliers, as the cybersecurity mindset shall be considered through the whole value chain down to its roots.
Whether “Exco Technologies” followed the NHSTA document or not we are not sure of, but they were recently exposed to a cyber attack in three of their factories. Exco Technologies is a Canadian Tier 1 developing and manufacturing automotive interior trim components, such as leather steering wheel, door lining, seat trim, etc.
Even though the balance of the company’s operations remained unaffected, and the shipments to customers were not materially interrupted, it does shine some light on the many attack vectors the automotive domain encompasses as well as on what was emphasized in NHTSA’s Cybersecurity Best Practices for the Safety of Modern Vehicles document regarding a cybersecurity mindset throughout the full automotive supply chain.
According to Exco Technologies’ press release about the incident [link] they temporarily disabled some computer systems as they investigated the incident. Also, Exco Technologies lets us know that:

“Exco is committed to data security, is taking the matter very seriously and thanks its customers and partners for their understanding as it seeks to remediate the situation.”
No further details about the attack have been disclosed by the company so far.

Information, misinformation, or disinformation
Another cybersecurity concern AutoSec report upon in last year [link] was that a Boston-based cybersecurity company had found several severe security flaws in a well-known GNSS vehicle tracker from a Chinese company, MiCODUS, with more than 1.5 million GNSS vehicle trackers in use worldwide of today.
Hence, recent newspaper’s headlines about Chinese tracking devices discovered in UK government vehicles caught my interest. The “news” or “fake-news” reports that several Chinese tracking devices have been discovered in UK government vehicles. The tracking devices included a GPS antenna and a SIM card that transmitted the vehicles’ location. The devices were discovered during an inspection of vehicles used to transport diplomats and government officials (including ministers).
These “news” were reported by several online, and paper, news services (links below). Even the Israelic automotive cybersecurity company Upstream, which annual “Global automotive cybersecurity report” AutoSec twice has mentioned, also reported upon the “news” on their webpage.

From the information provided there is no way to say whether this is legit or not, but disinformation is definitely something real, and so are political agendas. Officially the conducted inspections were a response to last year’s warnings about Chinese espionage activity in the UK. But also keep in mind that China, just the month before, recalled six diplomats after the Manchester consulate attack. To argue that there might be some foreign affairs and ulterior motives are hence not so farfetched.
China denies the media report in, for example, Radio Free Asia (RFA), a U.S. government-funded private news service publishing online news and radio programs, where a Chinese embassy spokesperson said the report was a politically motivated attempt to “smear Chinese businesses” and “disrupt supply chains.”
Not saying that the cyberattack isn’t possible to execute. But the details about it are vague, just as the reasons for reporting about it all. The cybersecurity domain is large, new, and ambiguous to most people. Therefore, always be attentive to news related to the prevailing cyberwarfare or cybercrimes in general, and know the definition of “disinformation”
Disinformation is false information created with the intention of profiting from it or causing harm. Disinformation generally serves some agenda and can be dangerous.
Whether this specific media report on found Chines tracking devices in UK Government cars is information or disinformation, the author of this newsletter has no attestation of. The sole intention is just to meet such kind of media reporting with multiple perspectives and some critical thinking.

More related cybersecurity news within the automotive domain.
A hack of Electrify America’s new 350-kW charging stations led to the display unit showing a competitor’s content. Link.
A Not-yet-detailed Vulnerability is Directly Affecting Automotive Products. Link.

Written by Joakim Rosell