How Easy is it to Hack a Utility Fleet Vehicle?
According to the National Highway Traffic Safety Administration, hackers may be able to access a vehicle’s systems via a phone or tablet connected to the vehicle by USB or Bluetooth. The vehicle’s diagnostic port is another access point.
But a vehicle’s biggest vulnerability may be behind the wheel. According to a November 2016 blog post published by Promon (see https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/), a Norwegian firm that specializes in app hardening, the company’s researchers demonstrated just how easy it is to trick a Tesla driver into giving a hacker access to the car’s systems. Tesla, like many vehicle manufacturers, offers a remote app that allows the driver to unlock the vehicle. During the experiment, Promon employees:
• Created a free Wi-Fi hotspot.
• Developed an ad for Tesla drivers that offered a free hamburger at a local restaurant if the driver downloaded a particular app.
• Used the app to gain access to the Tesla driver’s username and password.
• Located the car and used the Tesla app – and the previously captured username and password – to access the vehicle.
• Drove away in the Tesla.
Get Ahead of the Curve
When UFP spoke with Matt Gilliland, director of transportation and facilities for Nebraska Public Power District, he indicated that cybersecurity in vehicles was not historically a fleet management “care about,” but change is definitely on the horizon.
“The connectivity of our fleet is very limited,” he said, before noting that NPPD uses telematics and GPS intelligence, and that the fleet contains a limited number of new vehicles with Bluetooth capabilities. All of those are potential entry points for hackers and cyberattacks. In 2016, 3.6 million vehicles were recalled to fix cybersecurity issues; that figure is double the number recalled in 2015, according to the NHTSA, and this comes before vehicle-to-vehicle and vehicle-to-infrastructure connectivity has really taken off.
“Technology grows and advances so fast that a lot of utilities and fleets are going to find themselves behind the curve,” Gilliland said. “I think it’s going to be a significant concern and will maybe catch a lot of us unaware.”
Tony Candeloro, vice president of product development and client information systems for ARI (www.arifleet.com), a privately held fleet management company, agreed. “While hacking and cybersecurity may have not been at the forefront in terms of concerns facing fleet managers, it will become increasingly important to have policies and processes in place that help prevent hacking incidents, especially when it comes to vehicles with telematics and other data collection devices,” he said.
Although new vehicles may have more potential hacker entry points, Candeloro noted that any vehicle with an OBD-II port is vulnerable. And as more and more enhancements are introduced, the cybersecurity issues multiply.
“Today’s vehicles are extremely sophisticated computers that are running millions of lines of code – many of which are susceptible to hacking,” said Dennis Straight, chief technical officer at Donlen (www.donlen.com), a fleet management solutions provider. “Especially vulnerable are systems accessible from a vehicle’s Wi-Fi, Bluetooth or entertainment systems.”
Argus Security (https://argus-sec.com/), an automotive cybersecurity firm, has identified vehicles they believe to be most susceptible to cyberattacks. The commonality between them? All of the vehicles have weaknesses related to Bluetooth and/or Wi-Fi capabilities.
These are particularly susceptible “by either providing a potential attack point or the limited security provided by most infotainment systems,” said Scott Goodwin, senior IT security and compliance administrator for Donlen. “Wi-Fi connections on vehicles are limited by the security available on the hub and the password used to connect to the Wi-Fi. Once connected to the Wi-Fi, the hacker can then attempt access to connected devices, which may provide the ability for data access/manipulation.”
An Appealing Target
Fleets make an especially appealing target due to their size – and the hacking-related possibilities are seemingly endless. Car and Driver (www.caranddriver.com) anticipates that ransomware may prove to be a particular problem. A hacker can use ransomware to gain access to a computer system and hold it hostage until the hacking victim pays a sum of money. Using ransomware, hackers have the ability to do anything from locking drivers in or out of their vehicles to freezing a vehicle’s ignition.
In many ways, preventing cybersecurity issues in vehicles is much the same as protecting a laptop from hackers. It takes a combination of technology development, government intervention, good corporate policy – and savvy users.
“The current telematic devices we use for utility fleets only provide outbound communications, which prevents hackers from sending requests for data or updates to the vehicle,” Goodwin said.
Candeloro stressed that it is vital to keep all software up to date. “Fleets should also train their employees on how to spot security threats,” he said. “It is incredibly common for hackers to try to trick people into installing malware by sending fake – but very convincing – emails recommending phony software updates or other reasons that compel them to click links or download things that are dangerous.”
And know who has access to the vehicles’ computer systems, including that ODB-II port, Candeloro continued. Fleets should have “a clear policy regarding technology within your fleet and train employees on that policy and on what to look for in terms of possible cyberthreats,” he said.
For now, serious hacking threats haven’t materialized in vehicles, but that is likely to change. “As computers and technology are given more power within the vehicle, the opportunity for those systems to be manipulated also expands,” Candeloro said. “Fleet managers should stay alert to the kinds of technology being deployed within their fleet.”
About the Author: Sandy Smith is a freelance writer and editor based in Nashville, Tenn.