How to Protect Your Fleet From Car Hacking

 In Fleet Management

A defining component of modern vehicle technology is connectivity. GPS tracking & navigation, Bluetooth, Wi-Fi, telematics and in-vehicle security each provide conveniences too powerful to ignore—but connected, high-tech cars also create multiple access points for hackers.

Over the last five years, a number of white-hat hackers have endeavored to convince carmakers to take this threat seriously, proving time and time again that connected cars pose risks as well as rewards.

Carmakers are exploring a number of root-level defenses that don’t just block unwanted wireless access, but also protect firmware code from being altered by anyone but the manufacturer.

Unfortunately, none of these approaches have yet been universally embraced or field tested. Even once they are, it’s still possible that the most intelligent security systems could be vulnerable to an easy-to-guess password, an unlocked car door, or an unencrypted network.

In this article, we’ll be taking a look at some best practices to help protect your fleet from the threat of car hacking.

Want more content like this? Subscribe to our newsletter and we’ll send it right to your inbox.

virginia_state_police_car

A hacking team recently demonstrated the ability to hack Virginia State Police vehicles.

The Essential Preventative Measures

Earlier this year, the FBI and NHTSA outlined four basic tips to protect your vehicle from hacking:

  1. Ensure your vehicle software is up to date
  2. Be careful when making any modifications to vehicle software
  3. Maintain awareness and exercise discretion when connecting third-party devices to your vehicle
  4. Be aware of who has physical access to your vehicle

To the average driver these tips may be sound advice, though individuals have not yet been targeted for vehicle hacks.

For fleet managers though, preparing for the worst-case scenario is part of the job—and it’s only a matter of time before government, corporate and small business fleets become prime targets for enterprise hackers.

Let’s take a closer look at these recommendations from a fleet perspective.

Keeping Vehicle Software Up-to-Date

Ten years ago, if a carmaker became aware of serious flaws in one of its vehicles it meant a costly recall that would force owners to (eventually) visit a dealership. This isn’t workable in the digital age. (Imagine if smartphone owners were forced to visit a retailer every time a manufacturer issued a security update!)

Thankfully, most modern vehicles allow for remote firmware updates that patch security threats within days or even hours of their discovery. This is more or less how all internet-connectable electronic devices work nowadays. Just as with your computer, tablet or phone, keeping your software up to date is the most important step you can take to foil potential hackers.

Limit Physical Access

The simplest and most powerful way to hack a computer almost always involves direct physical access. In many cases, all it takes to hijack a system is a thumb drive and a USB port. A white hat hacking team was recently able to take control of a vehicle simply by inserting a corrupted CD into the car’s stereo. Diagnostic ports can also be a vulnerable gateway for malicious code.

As carmakers improve their software and beef up security for wireless entry points, physical access and social engineering are likely to become the methods of choice for vehicle hackers. Social engineering is a process by which a hacker gains access to secure systems by psychologically manipulating authorized users to divulge passcodes or otherwise leave the system exposed.

Employee training and strict access rules are the best defense against these two powerful but low-tech hacking tactics.

  • Employees should avoid leaving vehicles unsupervised with individuals not trusted by the company.
  • Remind drivers to never leave the car unlocked and unattended—especially in an unsecured area.
  • A fleet might also take extra steps to secure its lot overnight, such as installing motion-activated security cameras or biometric access points.

For electric vehicle fleets, these security measures are a good idea anyway, since charging station wiring is a common target for metals theft.

Telematics Security

clipping-in

In 2015, a group of researchers hacked a 2013 Chevy Corvette by exploiting a telematics dongle installed to record insurance data. The product’s cellular connectivity—which shouldn’t be capable of controlling the vehicle in any way—was used implant malicious code in the Corvette. That gave the research team the access it needed to control the car via text messages.

Leading telematics providers are at various stages of implementing security features that protect their products and the cars they monitor from hackers. Be sure to ask any provider to explain its data security strategy and research its reputation and track record. With the right software, a telematics dongle should be as or more secure than any of the other wireless ports of the vehicle it’s attached to.

Here is an example of some of the security features that FleetCarma provides:

  1. End-to-end data encryption—especially of in-transit data that might otherwise be vulnerable to interception.
  2. “Hardened” devices that block any incoming connections that don’t carry an encryption key. Some less-expensive Bluetooth dongles can be connected to by any phone. Look for a device that only allows a connection from a single specific communications channel.
  3. A custom, proprietary operating system essentially forces hackers to learn a language before searching for vulnerabilities. Common operating systems like Linux—which is used as the basis for Tesla’s computer systems—are known to almost any hacker. If a telematics dongle’s firmware hasn’t been updated, there’s a good chance a hacker will quickly be able to find an exploit using a simple Google search. Proprietary systems require a custom hack, which in most cases won’t be worth a hacker’s time.
  4. A built-in firewall that can recognize and alert administrators to any incoming connection attempts can stop a hack by blocking or detecting suspicious activity.
  5. A top-notch, secure database platform like Microsoft Azure will have its own standards, firewall, and extensive security safeguards to protect information after it’s been collected.
  6. The option to turn off GPS monitoring during transmission of sensitive data can also be a desirable feature for some clients. Not all telematics providers offer this, so be sure to ask if there are certain driving patterns you absolutely can’t afford to have compromised.

Looking for a secure fleet telematics platform? Let’s talk.

Preparing for Tomorrow’s Security Threats

driverless_car_

With autonomous cars on the horizon, secure vehicle connectivity will only become more important.

Cars were once a pure expression of our control over machine. But whether it’s climate control, continuously variable transmissions, automated parking or accident avoidance features, consumers have embraced a new kind of freedom: the freedom to get more out of their vehicles while reducing distraction and safety risks.

Each technological advancement that nudges cars closer to full autonomy cuts into the 30,000 or more accident-related fatalities reported in the United States each year—not to mention the stress and lost productivity associated with driving.

To date, there have been no reported malicious vehicle hacking incidents resulting in injuries or fatalities. Nevertheless, even the most cutting-edge car companies have failed to produce connected vehicles that are impervious to hacking.

In truth, there’s no such thing as a fail-proof digital security system. But by knowing and implementing best practices, fleets can reduce security risks by orders of magnitude, discouraging hackers and sending them hunting for easier targets.

Looking for a secure fleet telematics platform?

Enter your details below if you’d like to chat about how we can help keep your vehicle data safe.



Subscribe for EV Content

Get the weekly Newsletter wrap-up of EV tips, trends, and best practices.

Recommended Posts