Posts

Preventing Attacks and Securing the Supply Chain in the Security Software Industry

25/02/2024/in Educational

The security software industry plays a vital role in safeguarding sensitive data and protecting digital infrastructure.

However, the industry itself faces a significant threat from supply chain attacks.

Supply chain attacks occur when cybercriminals target vulnerabilities within the supply chain to compromise software or hardware products before they reach the end-users.

By infiltrating the supply chain, attackers can inject malicious code, backdoors, or vulnerabilities, thereby compromising the security of the software.

Such attacks can have far-reaching consequences, as they can compromise the confidentiality, integrity, and availability of critical systems and data.

These attacks have the potential to undermine the integrity and trustworthiness of security software, leading to severe consequences for individuals, organizations, and even nations.

This article examines the damaging impact of supply chain attacks on the security software industry, while also delving into preventive measures and strategies to secure the supply chain.

Impact:

Loss of Trust: Supply chain attacks erode trust in security software products and the industry as a whole. When high-profile incidents occur, customers may lose confidence in the ability of software vendors to protect their assets and data.
Financial Loss: The costs associated with supply chain attacks are staggering. Companies suffer significant financial losses due to reputational damage, legal consequences, customer compensation, and the costs of investigating and mitigating the attack.
Weakened Defenses: A compromised security software product can result in weakened defenses for individuals, organizations, and governments, leaving them vulnerable to further cyberattacks. This situation can have severe consequences, particularly when critical infrastructure or national security is at stake.

Preventing Attacks:

Enhanced Vendor Due Diligence: Organizations should thoroughly vet and assess the security practices of their software vendors and suppliers. This includes scrutinizing their security measures, incident response plans, and third-party audits.
Secure Development Practices: Implementing secure software development practices, such as code review, vulnerability testing, and penetration testing, can help identify and rectify potential weaknesses in software products.
Strong Authentication and Encryption: Implementing robust authentication mechanisms and encryption protocols helps protect the integrity and confidentiality of software and its supply chain components.
Regular Updates and Patching: Ensuring timely and regular updates and patches are applied to software products and their supply chain components helps address known vulnerabilities and protect against emerging threats.

Mitigations:

End-to-End Visibility: Organizations must have comprehensive visibility into their supply chain, including the identification of all suppliers and the ability to monitor their security practices throughout the software development lifecycle.
Supply Chain Risk Assessment: Conducting a thorough risk assessment helps identify potential vulnerabilities and risks within the supply chain. This assessment should encompass all stages, from design to distribution, and involve evaluating suppliers, their security practices, and their access controls.
Supplier Contracts and Agreements: Organizations should establish clear contractual agreements with suppliers that define security requirements, incident response protocols, and breach notification obligations. Regular audits and assessments can help ensure compliance.
Incident Response Planning: Developing and regularly testing an incident response plan specific to supply chain attacks enables organizations to respond swiftly and effectively, mitigating the impact of any potential breach.

Supply chain attacks pose a significant threat to the security software industry, compromising the integrity and trustworthiness of software products. The damaging consequences include loss of trust, financial losses, and weakened defenses. However, by implementing preventive measures, such as enhanced vendor due diligence, secure development practices, and regular updates, organizations can bolster their defenses against supply chain attacks. Additionally, securing the supply chain through end-to-end visibility, risk assessments, supplier contracts, and incident response planning.

If you want to know how to address Supply Chain issues, you can contact Endpoint Cybersecurity for a free consultation.

Supply Chain Management

The post Preventing Attacks and Securing the Supply Chain in the Security Software Industry first appeared on Sorin Mustaca on Cybersecurity.

Securing the Secure: The Importance of Secure Software Practices in Security Software Development

24/02/2024/in Educational

In an increasingly interconnected digital world, the importance of secure software cannot be overstated.

Many people think that by using security software all their digital assets become automatically secured.

However, it is crucial to recognize that security software itself is not inherently secure by default.

To ensure the highest level of protection, security software must be designed, developed, and maintained using secure software practices.

This blog post emphasizes how important it is to incorporate secure software development practices within the broader context of the secure software lifecycle for security software.

Understanding the Secure Software Lifecycle

The secure software lifecycle encompasses the entire journey of a security software product, from its inception to its retirement.

It consists of multiple stages, such as :

Requirements gathering/Analysis
Design,
Implementation
Testing,
Deployment
Maintenance
Retirement

Incorporating secure software practices at each step is essential to fortify the software’s defense against potential vulnerabilities and attacks.

Implement Secure Software Development Practices

Implementing secure software practices involves adopting a proactive approach to identify and address security concerns from the outset.

Some fundamental practices include:

a. Threat Modeling:

Conducting a comprehensive analysis of potential threats and vulnerabilities helps developers design robust security measures. By understanding potential risks, developers can prioritize security features and allocate resources accordingly.

b. Secure Coding:

Writing code with a security-first mindset minimizes the likelihood of exploitable vulnerabilities. Adhering to coding standards, utilizing secure coding libraries, and performing regular code reviews and audits contribute to building a solid foundation for secure software.

c. Secure Configuration Management

Properly configuring the security software environment, such as secure network settings, encryption protocols, and access controls, is vital for safeguarding against unauthorized access and data breaches.

d. Regular Security Testing

Rigorous testing, including vulnerability assessments, penetration testing, and code analysis, helps identify and rectify security flaws. It ensures that security software operates as intended and remains resilient against evolving threats.

The Bigger Picture: Security in a Connected World

Secure software development practices extend beyond the development of security software alone. They have a broader impact on the overall security ecosystem. The adoption of secure software practices sets a precedent for other software developers, promoting a culture of security awareness and accountability.

Moreover, incorporating secure practices in security software helps foster trust among users and organizations. It instills confidence that the software is diligently designed to protect sensitive information and critical systems. Secure software practices also contribute to regulatory compliance, enabling organizations to meet stringent security standards and safeguard user data.

The Vital Importance of Secure Software: Consequences of Security Vulnerabilities for Security Companies

The implications of security vulnerabilities go beyond the immediate risks they pose to users and organizations. For security companies, the consequences of having products with security vulnerabilities can be severe, impacting their reputation, customer trust, and overall business viability.

Here are just a few negative consequences that security companies may face if their products fall prey to security vulnerabilities:

Reputation Damage: Security companies are built on trust and reliability. When a security product is discovered to have vulnerabilities, it erodes customer confidence and tarnishes the company’s reputation. The perception that a security company cannot protect its own software casts doubt on its ability to safeguard sensitive information and defend against external threats. This loss of trust can be challenging to regain, resulting in a significant blow to the company’s credibility and market standing.
Customer Loss and Dissatisfaction: Security vulnerabilities in software can lead to compromised systems, data breaches, and financial losses for users. In such instances, customers are likely to seek alternative security solutions, abandoning the vulnerable product and the company behind it. This loss of customers not only affects the company’s revenue but also demonstrates a lack of customer satisfaction and loyalty. Negative word-of-mouth can spread rapidly, deterring potential customers from considering the security company’s offerings in the future.
Legal and Regulatory Consequences: Security vulnerabilities can have legal and regulatory implications for security companies. Depending on the nature and severity of the vulnerabilities, companies may face legal action from affected parties, resulting in costly litigation and potential financial penalties. Furthermore, security companies operating in regulated industries, such as finance or healthcare, may face compliance violations, leading to fines and reputational damage. Compliance with security standards and industry regulations is critical for security companies to maintain credibility and avoid legal consequences.
Increased Operational Costs: Addressing security vulnerabilities requires significant resources, both in terms of time and finances. Security companies must invest in dedicated teams to investigate, fix, and release patches or updates to address vulnerabilities promptly. Additionally, engaging in incident response, customer support, and post-incident communication efforts adds to the operational costs. Failure to address vulnerabilities in a timely and efficient manner can exacerbate the negative consequences, making the recovery process more challenging and expensive.

In an era where security breaches and cyber threats are prevalent, relying solely on the notion that security software is inherently secure is a grave misconception. Secure software practices are indispensable for developing robust and resilient security software. By implementing these practices throughout the software lifecycle, developers can significantly mitigate the risks associated with vulnerabilities and ensure the highest level of protection for users and organizations alike. Embracing secure software practices sets the stage for a safer digital landscape, bolstering trust, and reinforcing security across the entire software development ecosystem. By prioritizing security, security companies can protect their customers, preserve their reputation, and maintain a competitive edge in the ever-evolving landscape of cybersecurity.

If you want to know more about SSDLC, contact Endpoint Cybersecurity for a free consultation.

Secure Software Development Lifecycle (SSDLC)

The post Securing the Secure: The Importance of Secure Software Practices in Security Software Development first appeared on Sorin Mustaca on Cybersecurity.

The Automotive industry’s inadequate approach towards software (in the cars)

23/02/2024/in Educational

Introduction

The automotive industry has witnessed a paradigm shift with the increasing integration of software in vehicles.

Modern cars are no longer just mechanical devices with a motor, wheels and steering; they are now sophisticated machines having dozens of CPUs (called ECU), entire computers, high speed network to connect them (called CAN-bus) and relying on complex highly distributed software systems.

In my opinion, the industry fails to adapt to this new reality and fully embrace the concept of cars as hardware running software has significant consequences.

This may sound contradictory at first, on one side they have these complex systems, on the other side they fail to adapt to this reality.

In this article, I will explore how the automotive industry is not dealing correctly with this transformation and its potential implications.

Limited Focus on Software Development and Updates

Traditionally, the automotive industry has primarily focused on hardware design and manufacturing, treating software as a necessary mean to make the hardware work.

This approach results in a lack of emphasis on software development practices and updates capabilities.

While cars are becoming more connected and dependent on software for various functionalities, manufacturers often overlook the importance of continuous software improvements and security updates.

How often do you update the software of your car? Maybe once a year in the best case, usually once every several years or not at all.

It’s not all bad, but think of how many times does Open SSL get updated in a year. Theoretically you should see an update every few months.

Insufficient Over-the-Air (OTA) Update Capabilities

Related to updates, Over-the-Air (OTA) updates have gained prominence in the software industry as an efficient means of delivering software fixes, updates, and new features directly to users.

However, the automotive industry has been slow to adopt OTA capabilities on a widespread scale out of their own will.

Limited OTA functionality not only hampers the ability to address software vulnerabilities promptly but also restricts the potential for delivering new features and enhancements to vehicles post-purchase.

Fortunately, there are many initiatives to solve this and even legislation (UNECE R 155 and R 156) that started to make software updates mandatory for releasing new car types.

Slow Adoption of Agile SW Development Processes

Agile software development methodologies have become the norm in the software industry due to their flexibility and iterative nature.

However, the automotive industry lags behind in adopting these practices. And this is politically correct formulated.

The OEMs are still working with the V-Model, despite the fact that you hear them talking about sprints, iterations, Scrum, XP programming. All these are actually implemented with small V runs and have little to nothing to do with agility.

The slow pace of development and release cycles in the automotive sector hinders the quick implementation of software fixes and feature enhancements.

This delay not only frustrates customers but also puts their safety at risk by keeping potentially critical issues unresolved for extended periods.

Lack of Consumer Education and Awareness

The general public’s understanding of cars as hardware running software is limited. First when TESLA became an important OEM, the entire world started to understand how important software is in a car.

Immediately after has the automotive industry started to feel threatened by it and they started to invest more in software, more particularly, in improving the user experience of their cars.

If I make a comparison with the mobile phones in the early 2000, the TESLA is the iPhone while the other OEMs were Nokia and the others. We all know what happened to Nokia because they did not move faster.

Consumers must continue to push the OEMs to enhance the software of their cars, but this is a slow process, because the cars with good software are expensive, and people with money usually don’t look first at the software capabilities of their cars.

Inadequate Cybersecurity Measures

As cars become increasingly connected and autonomous, they become vulnerable to cyber threats.

Unfortunately, the automotive industry has been sluggish in implementing robust cybersecurity measures to protect vehicles from potential attacks.

Insufficient attention to software security leaves vehicles open to hacking, which can lead to unauthorized access, data breaches, or even physical harm.

The industry must prioritize cybersecurity and invest in proactive measures to safeguard vehicles and their occupants.

Because cybersecurity is hard to implement, very expensive and requires specialized personnel, no OEM was willing improving their cybersecurity.

This is the reason why the UNECE R155 requires now a Cybersecurity Management System (CSMS) audit in order to allow new vehicle types.

If you are an OEM or subcontractor (Tier 1-N) then you may want to know that Endpoint Cybersecurity is offering consulting on how to implement such a CSMS and make it auditable.

Lack of standards

Same as for computers, the IT industry started to exponentially increase only after there were good reasons to use computers. Only after the Internet became main stream have businesses, regular people and families started to buy computers. So communication or inter-communication was and still is a main factor to buy hardware.

The same is happening with cars: people start to see the need for software in cars and now they start asking for better software. This can only happen if there is a market for software, but to create a market you need standards.

Android Auto and Apple Car are standards that allow 3rd parties to create apps for the cars, but the offer is extremely small and not really relevant.

In my opinion, only when cars can exchange data either directly (Vehicle to Vehicle communication – V2V) or through some infrastructure (V2I) on a large scale will we see a significant increase in software demand.
Unfortunately, the lack of standards for communication between vehicles is making this process extremely slow.

Conclusion

The automotive industry’s failure to fully embrace the concept of cars as hardware running very complex software has far-reaching consequences on the long term.

By neglecting software development, cybersecurity, and collaboration with software experts, OEMs put customer safety and satisfaction at risk. Classical OEMs have started to see too late that better software means more sales and more satisfied customers and reacted too slow to find solutions.

The limited adoption of agile development processes and inadequate OTA update capabilities further hinder progress in this domain.

To address these challenges, the industry must prioritize software as an integral part of vehicle design and manufacturing, invest in cybersecurity measures, foster collaboration with software experts, and educate consumers about the software-driven nature of modern cars.

Only through a comprehensive and proactive approach can the automotive industry truly unlock the potential of cars as hardware running software.

The post The Automotive industry’s inadequate approach towards software (in the cars) first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #2/2: TISAX certification

22/02/2024/in Educational

This is the 2nd post about Automotive Cybersecurity.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

First post was about CSMS and ISO 21434 and this one is about TISAX.

Query:

Tell me about challenges in TISAX certification

ChatGPT:

“TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector.

There are several challenges associated with TISAX certification:

Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification.
Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses.
Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements.
Cost: The cost of TISAX certification can be significant, and this may be a challenge for companies with limited budgets.
Maintenance: TISAX certification must be maintained, and companies must continually evaluate and improve their security controls to stay certified. This can be a challenge, as the threat landscape is constantly evolving and new risks emerge.

Overall, TISAX certification requires a substantial investment of time, resources, and expertise, but it is considered an important aspect of information security for companies operating in the automotive sector.”

So, I have to say that this impressed me a bit …

I have always difficulties explaining to my customers why is it so hard to pass the TISAX audit.

It is all true, and actually it is quite a challenge to get companies to commit to a long term cooperation with a consulting company, which can help them understand the requirements and teach them how to apply them.

Conclusion:

I will get back to ChatGPT from time to time and try to get such short descriptions for various things I need.

The post ChatGPT and automotive cybersecurity #2/2: TISAX certification first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

21/02/2024/in Educational

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer. ( No, this post is not written by ChatGPT: )

Here it is:

Query:

Tell me about CSMS from ISO 21434

ChatGPT:

CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector.
CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats.

It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity.

The framework covers a range of cybersecurity-related activities, including:

Threat identification and assessment
Risk management
Security controls and measures
Incident management
Continuous improvement

CSMS is designed to be flexible and adaptable, allowing organizations to tailor the framework to meet their specific needs and requirements.

The standard also provides a basis for certification, enabling organizations to demonstrate their commitment to cybersecurity and their ability to effectively manage cybersecurity risks.

In summary, CSMS from ISO 21434 provides a comprehensive framework for managing cybersecurity and is an important aspect of information security for organizations operating in the automotive sector.”

This text is not returned by a google search. If I search the exact same terms, google returns me a bunch of links and ads (4 Ads, 9 links, 1 ad) and some Youtube videos.

So, is this text relevant?

Yes, it is a very good summary. I will actually use it in the offerings of my company.

Part #2 is about “TISAX certification”.

The post ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434 first appeared on Sorin Mustaca on Cybersecurity.

A brief history of software vulnerabilities in vehicles (Update 2023)

21/02/2024/in Educational

Updated in 2023:

2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
- Kia, Honda, Infiniti, Nissan, Acura
  - Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
  - Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
  - Ability to lock users out of remotely managing their vehicle, change ownership
    - For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car
- Mercedes-Benz
  - Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
    - Multiple Github instances behind SSO
    - Company-wide internal chat tool, ability to join nearly any channel
    - SonarQube, Jenkins, misc. build servers
    - Internal cloud deployment services for managing AWS instances
    - Internal Vehicle related APIs
  - Remote Code Execution on multiple systems
  - Memory leaks leading to employee/customer PII disclosure, account access
- Hyundai, Genesis
  - Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
  - Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
  - Ability to lock users out of remotely managing their vehicle, change ownership
- BMW, Rolls Royce
  - Company-wide core SSO vulnerabilities which allowed us to access any employee application as any employee, allowed us to…
    - Access to internal dealer portals where you can query any VIN number to retrieve sales documents for BMW
    - Access any application locked behind SSO on behalf of any employee, including applications used by remote workers and dealerships
- Ferrari
  - Full zero-interaction account takeover for any Ferrari customer account
  - IDOR to access all Ferrari customer records
  - Lack of access control allowing an attacker to create, modify, delete employee “back office” administrator user accounts and all user accounts with capabilities to modify Ferrari owned web pages through the CMS system
  - Ability to add HTTP routes on api.ferrari.com (rest-connectors) and view all existing rest-connectors and secrets associated with them (authorization headers)
- Spireon
  - Multiple vulnerabilities, including:
    - Full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware
    - Remote code execution on core systems for managing user accounts, devices, and fleets. Ability to access and manage all data across all of Spireon
    - Ability to fully takeover any fleet (this would’ve allowed us to track & shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles, e.g. “navigate to this location”)
    - Full administrative access to all Spireon products, […]
    - In total, there were…
      - 15.5 million devices (mostly vehicles)
      - 1.2 million user accounts (end user accounts, fleet managers, etc.)
- Ford
  - Full memory disclosure on production vehicle Telematics API discloses
    - Discloses customer PII and access tokens for tracking and executing commands on vehicles
    - Discloses configuration credentials used for internal services related to Telematics
    - Ability to authenticate into customer account and access all PII and perform actions against vehicles
  - Customer account takeover via improper URL parsing, allows an attacker to completely access victim account including vehicle portal
- Reviver
  - Full super administrative access to manage all user accounts and vehicles for all Reviver connected vehicles. An attacker could perform the following:
    - Track the physical GPS location and manage the license plate for all Reviver customers (e.g. changing the slogan at the bottom of the license plate to arbitrary text)
    - Update any vehicle status to “STOLEN” which updates the license plate and informs authorities
    - Access all user records, including what vehicles people owned, their physical address, phone number, and email address
    - Access the fleet management functionality for any company, locate and manage all vehicles in a fleet
- Porsche
  - Ability to send retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
- Toyota
  - IDOR on Toyota Financial that discloses the name, phone number, email address, and loan status of any Toyota financial customers
- Jaguar, Land Rover
  - User account IDOR disclosing password hash, name, phone number, physical address, and vehicle information
- SiriusXM
  - Leaked AWS keys with full organizational read/write S3 access, ability to retrieve all files including (what appeared to be) user databases, source code, and config files for Sirius

Car Hacking News Timeline 2017-2019 [1]

2019: Hack of an OEM’s automotive cloud via third-party services and tier-1 supplier network
2019: Memory vulnerability at a cloud provider exposed data incl. passwords, API keys, and tokens
2019: A malware infection caused significant production disruption at a car parts manufacturer
2019: Vehicle data exposed during registration allowed for remote denial-of-service attacks on cars
2019: Malware infected the back end, making laptops installed in police cars unusable
2018: An ex-employee breached the company network and downloaded large volumes of personal information
2018: Cloud servers hacked and used for cryptomining
2018: Researchers exploited vulnerabilities of some infotainment systems and gained control of microphones, speakers, and navigation systems
2018: Security issues discovered in 13 car-sharing apps
2018: Researchers demonstrated >10 vulnerabilities in various car models, gaining local and remote access to infotainment, telematics, and CAN buses
2018: EV home chargers could be controlled by accessing the home Wi-Fi network
2017: Rental car companies exposed personal data
2017: Ransomware caused the stop of production across several plants

Car Hacking News Timeline 2002-2015 [2]

2015: Researchers remotely sent commands to the CAN bus of a specific car that had an OBD2 dongle installed to control the car’s windshield wipers and breaks
2015: Researchers demonstrated vulnerabilities within the back end, gaining access to door control
2015: “Hackers remotely kill a Jeep on the highway – with me in it” – Wired
2015: “Markey, Blumenthal To Introduce Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities with Standards and “Cyber Dashboard”” – Senator Edward Markey
2015: “Markey Report Reveals Automobile Security and Privacy Vulnerabilities” – Senator Edward Markey
2015: “Hackers Can Take Control of Cars From 3,000 Miles Away” – NBC 4 New York
2014: “A Survey of Remote Automotive Attack Surfaces” – IOActive
2014: “Auto Alliance Initiates New CyberSecurity Forum” – Auto Industry Alliance
2014: “Most Hackable Cars” – CNN Money
2014: “How to Hack a Car” – Vice
2014: “The Robot Car of Tomorrow May Just Be Programmed to Hit You” – Wired
2014: Open Garages
2013: Sen Markey (D-MA) Letter to GM
2013: “Digital Carjackers Show Off New Attacks” – Forbes
2013: “Jury Finds Toyota Liable in Fatal Wreck in Oklahoma” – New York Times
2013: “Adventures in Automotive Networks and Control Units” – IOActive
2013: “Car Hacking: Your Computer-Controlled Vehicle Could Be Manipulated Remotely” – CBS
2013: “How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles” – Jason Stags, Defcon 21
2013: “Digital Carjackers Show Off New Attacks” – Forbes
2012: “Can Science Stop Crime – Car-Hacking” – NOVA Science Now
2011: Google Self-Driving Car
2011: “Can Your Car be Hacked?” – Car and Driver
2011: “Comprehensive Experimental Analyses of Automotive Attack Surfaces” – Center for Automotive Embedded Systems Security (CAESS)
2010: “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study” – Rutgers, USC
2010: “Experimental Security Analysis of a Modern Automobile” – Center for Automotive Embedded Systems Security (CAESS)
2010: “Hacker disables more than 100 cars remotely” – Wired
2007: “Hackers can take over car navigation system” – The Telegraph
2007: DARPA Urban Challenge
2005: “RFID Chips in Car Keys and Gas Pump” – John Hopkins University
2005: DARPA Grand Challenge
2005: “Linux Bluetooth hackers hijack car audio” – The Register
2005: “Hacking the Hybrid Vehicle” – Wired
2004: DARPA Grand Challenge
2004: “DRIVING; Altering Your Engine With New Chip” – NY Times
2003: “Gentlemen, Start Hacking Your Engines” – NY Times
2002: “How To Hack Your Car” – Forbes

Sources:

McKinsey – Cybersecurity in automotive
https://www.iamthecavalry.org/domains/automotive/
https://smart.gi-de.com/automotive/brief-history-car-hacking-2010-present/