Security has become an increasing risk for fleets with the rise of connected vehicles—vehicles with internet connectivity and onboard sensors to optimize their own operation and maintenance. As technology advances and becomes more complex, we must take greater precautions.
Electronic control units (ECUs) are computers inside vehicles that control a majority of functions including steering, braking and lights. Wireless connections also control numerous functions like unlocking the vehicle, starting the vehicle and diagnostic monitoring. These are all potential entries of attack.
Vulnerability to attack increases as additional devices are connected to your vehicles like a cell phone or tablet via Bluetooth, Wi-Fi and USB, or a device connected through a diagnostic (OBD-2) port.
All of these connections are points of entry through which an attacker can gain access to the vehicle and download stored data or control critical systems.
It’s important to be aware of these vulnerabilities and take precautions to connect only trusted devices and use secure networks.
Once attackers gain access into one vehicle system, they can quickly access them all. Vehicle systems are the backdoor to business systems. If your vehicles are not secure, your business is not secure.
Fleets are at an even higher risk because it’s easier to hack a group of the same vehicle than an individual vehicle.
In a 2015 study, IOActive Director of Vehicle Security Research Chris Valasek and Twitter Security Researcher Charlie Miller demonstrated just how much control an attacker could gain over a vehicle.
Using code, the team took control of a Jeep Cherokee using three different entry points—the MP3 parser of the radio, the Bluetooth stack and the telematics unit.
Valasek and Miller discovered additional ways an attacker could access the vehicle including:
- the vehicle Wi-Fi network through either (1) cracking the passcode or (2) gaining access to a device that was paired to the network
- using a USB with a malicious software update
Both of these methods require physical access to the vehicle or ability to join the Wi-Fi hotspot.
The team determined that all attack methods, however, are not limited to just the physical proximity to a vehicle. An attacker could make a cellular connection to the vehicle’s cellular carrier from anywhere in the U.S. and perform exploits via an IP address.
Valasek and Miller consider telematics systems “the holy grail of automotive attacks” since the device range has a broad range of cellular communication channels an attacker can exploit. These devices can transfer data to another remote location and do so anonymously.
Through their efforts, the researchers were able to shut down the target vehicle’s engine, disable the brakes, manipulate steering and control the door locks, turn signal, radio and GPS.
Valasek and Miller demonstrated the holes in security of connected vehicles and the need for greater precautions.
As a result of this 2015 report, almost 1.5 million vehicles were recalled to address the identified vulnerabilities.
As vehicles become more advanced and the fleet industry becomes increasingly reliant on technology, there will be added fleet security risks. You do not want to wait until an attack to discover there are holes in your vehicle security.
This article was originally published in ThreatAdvice Cybersecurity Journal.
