
Honda's global operations hit by cyber-attack - throwmemoney
https://www.bbc.co.uk/news/technology-52982427
======
VRay
Firmware engineering and IOT is a huge mess

At least in my experience, there aren't many opportunities for career growth
in that area unless you switch to regular app/web development, or you move to
a snazzier company like Microsoft, Apple, Amazon, etc. (Or start a disruptive
startup..)

I wonder if there's a "brain drain" effect that's causing this industrial
software to be persistently low quality and susceptible to attack

~~~
JoeAltmaier
Well, some 'growth' happens just by raising your rates. Not a lot of folks
willing to do IoT and firmware. I just charge more every year.

And yes it's a mess. Folks resist using real security on their phone or
desktop. Imagine an embedded device they buy and want to forget about. They
sure don't want any passwords or keys that they'll promptly forget! How many
times have I reset my router to factory defaults because, who knows what the
admin password is I set two years ago and never used since?

I've put security into devices, and had the client want it taken out. Because
their installers find it onerous. And, 'nobody is going to attack my pool pump
controller!'

~~~
indigochill
There is probably a good reason for this that I don't know, but why haven't
physical keys replaced passwords yet? Want to manage your IoT device? Just
slot in a USB key, do your thing, and unslot it.

You don't really have to sweat the security of the key lying around because
its mere existence requires an attacker perform physical penetration which is
a different attack profile from someone just cruising Shodan.

Granted, a USB key doesn't make sense for every device, but e.g. it seems like
it would make a lot of sense for my router.

~~~
0xCMP
I wish that's how a lot of things work, but I imagine it would end up
encouraging some to create "proprietary" ones (only ours that has special
certificate) to work.

Then charge like crazy the same way dealers do with car keys.

~~~
masnaox
Except dealer keys are software. So I guess car firmware is already the worst
of both? which further reinforces the point of the top comment in this thread
we are in.

------
pixxel
> "Honda can confirm that a cyber-attack has taken place on the Honda
> network," the Japanese car-maker said in a statement. It added that the
> problem was affecting its ability to access its computer servers, use email
> and otherwise make use of its internal systems. "There is also an impact on
> production systems outside of Japan," it added.

The article suggests ransomware.

~~~
jcun4128
> on the Honda network

Is that saying it was internal eg. someone plugged in a USB/executed code in
person... hmm

article said possible downloaded "booby-trapped files"

~~~
eswat
> article said possible downloaded "booby-trapped files"

They gave that as a general example, not for this attack specifically. The
article doesn't rule out an attack originating from outside the network (ie:
phishing).

------
aazaa
I wonder to what extent this attack was related to work-from-home.

The hasty manner in which many companies were forced to adapt + open up their
computer networks to accommodate working from home may have created
opportunities for attacks like this on large organizations.

~~~
freehunter
And the shame for any businesses who fall back on this excuse is, their
disaster recovery or business continuity plans should have already taken into
account the necessity that a large section of their workforce may need to work
outside the corporate network. There's zero reason _not_ to have this planned
out as a real possibility. Natural disasters, fires, terrorism, power outages,
the list of possibilities is almost endless for reasons why business can't be
done at one planned location.

I work as a security consultant and I've had companies tell me they can't plan
on working from home because of culture issues (aka bosses want to see their
employees in front of them). And yet all of them have disaster recovery
datacenters or multi-zone cloud setups because they know inevitably a tornado
or earthquake or fire or ice storm or something will impact their main
datacenter. But no plans for their employees because of "culture".

~~~
YarickR2
Do you wear a hard hat all the time? If not, then how do you plan for an
evitable brick falling on your head?

~~~
nexuist
People at construction sites are required to wear a hard hat all the time just
like company policies require firewalls to be placed on corporate networks.
Not really sure why you're making this comparison, because connecting to the
Internet is very much like walking into a construction site where bricks could
be falling everywhere and even aimed directly at you.

------
serf
I wonder how long until we see a global car manufacturer get compromised to
the point that the products are slowly compromised with the data stolen
initially?

Imagine any car with ECMs that can receive OTA updates turned into a herd of
bots of some type.

It's an entertaining avenue of thought to consider every Honda with OTA
capabilities mining bitcoin from this day on.

~~~
thephyber
Most car manufacturers haven't moved towards OTA updates, probably because
they know exactly the risk you describe.

I think Tesla has done remarkably well and I suspect they were able to do it
because they were small and nimble when OTA capabilities first became
feasible.

On a different note, Nissan's manufacturing was disabled[1] a few years ago
when WannaCry was endemic.

[1] [https://www.bbc.com/news/uk-england-39906534](https://www.bbc.com/news/uk-england-39906534)

~~~
nexuist
> I think Tesla has done remarkably well and I suspect they were able to do it
> because they were small and nimble when OTA capabilities first became
> feasible.

I think Tesla have done well for another reason: they are strictly a software
engineering company that just happens to make cars on the side. Tesla could
easily port their software to any other existing car (Autopilot, mobile app +
services, touchscreen OS), but then the Tesla cars would be just another bland
electric car offering much like the others. It's the software that defines the
Tesla experience, and that's why they have focused on cybersecurity since the
beginning.

There certainly were some fun hijinks on the way I'm sure, like the engineer
whose NDA expired and explained that the way OTA was done on the first batch
of Model S was to have a massive bash script ssh into each car and run apt-get
or a similar command.

~~~
perl4ever
> that's why they have focused on cybersecurity since the beginning

That sounds to me like a voting machine company saying they've had antivirus
software on their machines since day one. "Strictly speaking, it's better than
the alternative..."

------
Scoundreller
Some Aussie brewers got hit over the past 24hrs too:

[https://www.smh.com.au/technology/drinks-giant-lion-hit-by-c...](https://www.smh.com.au/technology/drinks-giant-lion-hit-by-cyber-attack-as-hackers-target-corporate-australia-20200609-p550pu.html)

------
rootsudo
Fun Fact: Ekans backward is snake.

~~~
Ftuuky
Ekans is also 1st generation pokemon

~~~
tomashertus
Poke-what?

------
jaquers
Hope it doesn't infect the thinly papered over Android based "OS" on my car's
dashboard.

I authorized the car to my home's WiFi in hopes that there would be updates.
Instantly regret. :/

Do I dare even turn it on now?

~~~
Red_Leaves_Flyy
Block internet access from your car at the router if you're that worried about
it.

~~~
numpad0
Adversaries can leverage telematics (free Linux box and LTE module that works
like Google Analytics for manufacturers) module or passengers' phones.

~~~
Red_Leaves_Flyy
If that's an actual, founded concern in your threat model, then you should not
get in any vehicle with an ECM, nor have a consumer cell phone. I suppose
stripping out the wireless com module may negate most issues, however your
vehicle would still be susceptible to various other attack vectors that you
won't have in purely mechanical vehicles.

------
safeworld2
The only solution is that Industrial networks must be physically isolated from
the internet.

~~~
GEBBL
The power plant at Natanz in Iran was physically separate. Zero Day is a
great documentary on that attack.

~~~
deathgrips
You mean the Stuxnet attack?

~~~
GEBBL
Yep, that’s the one

