Within the last couple of months, smart device vulnerabilities have been piling up, prompting businesses to protect their Internet of Things (IoT) environments. But that doesn’t just include thermostats, printers, and other connected devices that you have to protect — it now means electric cars, too. Teslas have plenty of vulnerabilities, as cybersecurity researchers have recently discovered.
While Teslas aren’t the typical business IoT device, their connection to the internet makes them a cyber threat as much as your business’s other IoT technology. Make sure your security and IT teams are aware of every connected device so your business knows how to best protect its networks and sensitive data from vulnerabilities and threat actors.
Teslas Get the Spotlight in Recent Ethical Hacking Efforts
Researchers have discovered multiple vulnerabilities within Teslas since March 2023. Trend Micro’s Zero Day Initiative hosts an event called Pwn2Own, and at the 2023 event, computer security firm Synactiv hacked a Tesla computer within two minutes.
This year, electric cars were a major focal point of the 2024 event, called Pwn2Own Automotive. Security researchers who participated in the event found dozens of vulnerabilities over a 72-hour period.
Trend Micro published blogs detailing the successful and failed breaches of the 2024 event. The Pwn2Own researchers performed on vehicle chargers, the car’s informational entertainment system, and Bluetooth media receivers. Even the Tesla Modem, which provides LTE service to vehicles, was breached — Synactiv made another successful attack.
The zero-days reveal just how many items can threaten an organization’s cybersecurity. Imagine a corporate office where only two employees drive Teslas. If the car sits close enough to the office to connect to its network, an attacker could exploit a zero-day vulnerability and laterally move from the car’s Bluetooth receiver to another device on the network.
While we’ve known about the dangers of IoT devices for a long time, plenty of cybersecurity tools still don’t sufficiently cover them. While security suites and platforms will scan computers, servers, and network switches all day long, not all of them are designed to handle things like fridges and thermostats. And IoT devices often don’t have the firmware to install antivirus software or other protective tools.
Tesla is actually in a better position than many to manage security — the company has already taken measures to protect its cars, including creating its own bug bounty program for researchers to submit discovered vulnerabilities. But as demonstrated last week, the vehicles are still a hazard.
Other Recent IoT Vulnerabilities
Tesla vehicles aren’t the only devices that could cause problems, either. Researchers have found multiple vulnerabilities in connected appliances within the last few months, including thermostats, building access solutions, and routers.
Thermostats
In January, Bitdefender released a notice about a Bosch thermostat — the BCC100 — that had a firmware vulnerability. A threat actor on the same network as the thermostat could replace the existing device firmware with rogue code. Because it had a different operating system after the code replacement, the thermostat would allow the threat actor to perform other actions, too. The vulnerability is documented as CVE-2023-49722.
We discussed this issue in one of our weekly vulnerability recaps, suggesting that teams either replace the thermostat or segment it on a separate network. By segmenting a potentially rogue device, you’re separating it from other applications that could also be compromised.
Physical Access Systems
Cybersecurity risk management vendor OTORIO presented research on physical access systems — like keycard readers — at the 2023 Black Hat Europe conference in December. Physical access systems are designed to increase building security by requiring a badge or key fob for entry. Only people whose IDs have been added to the system can make it inside. But the access technology can actually be exploited, allowing threat actors to reach the business’s IP network.
The researchers from OTORIO hacked the access systems and realized a threat actor could perform a man-in-the-middle attack and then bypass the Open Supervised Device Protocol (ODSP). From there, the threat actor could use access controllers to reach a business’s IP network.
Physical premises security is important for cybersecurity as well. Sometimes, threat actors can breach a building and steal data directly from storage drives or computers. But now businesses have a new attack surface to consider — the very security systems they use to protect their offices.
Edge Routers
Industrial cybersecurity firm Claroty’s research group, Team82, discovered vulnerabilities in ConnectedIO’s edge routers. According to Claroty, the ER2000 series connects IoT devices to the internet and is 3G and 4G enabled. The research team also found vulnerabilities that endanger the device management software, which is cloud-based, and the protocol that allows devices to communicate with the cloud.
ConnectedIO patched these vulnerabilities after Claroty disclosed them. But when the vulnerabilities were active, they would have allowed a threat actor to perform remote code execution and data leakage.
Steps Your Business Can Take to Protect IoT Infrastructure
While the cybersecurity industry hasn’t fully caught up to IoT yet, there are still measures you can take to secure devices and networks. As you’re developing a strategy to protect your connected environments, consider watching product demos, hiring penetration testers, and investing in solutions specifically designed to protect your devices.
Demo Products
When vetting IoT products, don’t just take vendors’ word that a solution is successful — ask them to show you how IoT scanning, detection, and protection work. You’ll want to view a demo of any product you consider, focusing on its IoT functionality. If the vendor doesn’t have a demo of IoT security, ask them for a product walkthrough and some case studies that show how successful the product’s been over time.
Invest in Pentesting Services
If your enterprise has a lot of connected devices, you should be performing audits of your network, but a penetration testing service can also be incredibly helpful. Pen testing is essentially what the ZDI researchers performed on the Tesla equipment, and it’s a powerful tool for revealing the weaknesses of your tech infrastructure.
Penetration services are helpful for small businesses, too. It’s just as possible that startups and SMBs will suffer from cyberattacks, and smaller teams often haven’t built out a strong security program. Don’t wait until you’re attacked — set strong security precedents before that happens. Taking precautions could save your business thousands or millions of dollars.
Find Products with IoT Security
Look for cybersecurity vendors who do offer solutions for IoT security — many don’t, instead focusing on computers and servers. Some vulnerability management or XDR suites will support IoT devices as well as other systems.
Additionally, some vendors offer cybersecurity for operational technology, which includes industrial and manufacturing systems. If you’re trying to protect warehouses, plants, or construction zones from breaches, look at vendors like Fortinet, Check Point, and Zscaler for OT security.
Even electric cars can threaten your enterprise’s data if they’re connected to the same network. Ensure that your business appropriately segments networks, but also watch vulnerability news and vendor updates closely. Then you’ll know more quickly when a fridge, thermostat, or vehicle has been compromised. By finding the right security tools and staying on top of vulnerabilities, your business will be better equipped to protect its networks and data.
Is your business considering an IoT security product? Read about the top IoT cybersecurity solutions next, as well as common IoT risks and buying recommendations.
