Expert Panel: Security and Hacking
Cyber security concerns are increasing as the fleet industry embraces greater connectivity. GreenFleet and our inaugural expert panel examine the latest cases of vehicle telematics hacking and how the industry is reacting to address the growing concern.
Most modern vehicles, particularly electric and plug-in hybrid vehicles, have a remote telematics system, which enables the driver to carry out a range of functions with speed and ease. Telematics is becoming popularised across the globe, and nowhere more so than where large fleets are being used.
Businesses are being encouraged, and in some cases legally forced, to monitor, examine and lower the fuel consumption of their fleets. This is where telematics influences the running of fleets – increasing fuel efficiency and identifying potential cost savings.
Telematics also assists with journey logging, vehicle health (mileage, battery conditions), collision detection and driver behaviour. Research group Gartner has predicted that by the end of the decade, some 250 million vehicles will be directly connected to the Internet, putting weight behind the opinion that vehicles are fast becoming technology on wheels.
However, with each technological advance the risk grows and, unlike conventional computer hacking, the effects can be physical, if not more dangerous. And this is not something that the industry is unaware of.
Martin Kadhim, Lightfoot Partnership director, addresses his company’s concerns about the latest hacking capabilities, saying: “We are very aware that there are people out there targeting all kinds of connected devices and we are very mindful of the need to provide customers with a reliable and secure product. Custom telematics solutions can be effectively locked down from unauthorised external access with careful security planning.”
Recent media publicity
However, if companies remain oblivious, ignorant or uninterested in the threat of telematics hacking, recent examples should refocus attention. This month, it was revealed that the Mitsubishi Outlander PHEV was vulnerable to hacking that could disable the security alarm via the on-board Wi-Fi. The Japanese car manufacturer discovered that its unusual method of connecting the mobile app to the car left it exposed and unprotected.
According to Pen Test, the computer security consultants who undertook the tests, most remote control apps for cars work using a web service hosted by the manufacturer on their service provider. Users can then connect to the vehicle using GSM to a module on the car, enabling drivers to communicate with the car from virtually anywhere over mobile data.
The Outlander, however, uses a different system whereby there is a Wi-Fi access point on the vehicle. Pen Test said this design probably differs from most in order to save on production costs, but unfortunately carries some serious security issues. During investigations, Pen Test were able to hack the car and successfully turn the lights on and off, as well as the air conditioning and the heating, which can be used to drain the battery. Additionally, the testers were able to manipulate the charging programme, forcing the car to charge up on premium rate electricity.
Possibly a more worrying revelation was that the testers were able to geolocate Outlanders through their unique SSIDs, meaning thieves or hackers could easily locate a car that is of interest to them. The testers also managed to disable the theft alarm, which they described as ‘shocking’ and said ‘should not be possible’. Should this be as concerning as it sounds, or is the Outlander PHEV hacking a wake-up call to address security weaknesses?
Worryingly, Mitsubishi’s was not the first high-profile, publicised hacking case, but merely the latest in a growing trend. Last year, security experts Charlie Miller and Chris Valasek, alongside Wired magazine, demonstrated how they could hack into a Jeep Cherokee and control its most vital functions. They did this simply using a Kyocera Android smartphone as a Wi-Fi hotspot connected to a MacBook laptop. The industry should be concerned about the minimal amount of technology that was required to overcome the car’s systems.
Nick Walker, RAC Telematics managing director, said: “Any form of security breach should be a concern to the industry. Hacking in our sector can be both at the platform part of the solution where data is stored, or more recently what we have seen is hacking into vehicles through connected car or telematics systems. We, like any telematics provider, have an obligation and responsibility to prevent hacking at any level.”
Testing your luck in a truck?
In GreenFleet 93, we looked in detail at the self-driving truck platoons that were trialled in Europe in April, focusing upon the environmental benefits and the possibility of platoon projects becoming a mainstay on British roads. One aspect of the technology that we didn’t consider at the time is the cyber security threats that may feature more regularly. While there are no serious examples of long-haul truck hacking, it would be foolish to think that new technologies did not bring new risks.
Companies that operate long-distance truck fleets are more in need of gadgets than most. Saving fuel is profitable, combatting fatigue is imperative and monitoring general driving behaviours is popular. With each new device, the attack surface increases. Hacking a truck could do as little as disrupt delivery timings, or much more, such as stealing data or controlling the brakes and shutting down the vehicle with the aim of hijacking it. Each disruption is an invasion of privacy, a danger to the driver, and a risk to the company.
Yon Copitch, managing director at Traffilog, explains: “Telematics has understandably raised many moral questions about privacy. Telematics doesn’t equal an end to privacy. There’s no link between a telematics provider informing companies on their drivers’ habits, to the government knowing your whereabouts, or your partner finding out about an affair.
“Telematics is increasingly common in commercial fleets, looking to save money on fuel, accident reduction and efficiency. The immediate danger of hacking is for the devices that are not installed and are plug and play devices with mobile applications to monitor the data. Hackers are targeting smartphone technology and telematics companies will need to be increasingly vigilant when introducing smartphone apps to report on fleets.”
Spanish security researcher Jose Carlos Norte wrote a detailed blog post in March analysing how he was able to find thousands of vulnerable telematics units using Shodan, a search engine that scans for, and exposes, Internet-connected devices.
He said: “Anyone can connect and interact with the device. But what really scares me is that it’s connected to the CAN bus (the vehicle’s internal controller area network) of the vehicle. These are big vehicles with a lot of mass, and having an attacker manipulate the CAN bus to make one stop in the road would be super dangerous.”
Norte added: “It is possible to monitor and control fleet trucks, public buses or delivery vans from the Internet, obtaining their speed, position, and a lot of other parameters. You can even control some parameters of the vehicle or hack into the CAN bus of the vehicle remotely.”
The Daimler Highway Pilot Connect system, which uses a Wi-Fi-controlled platooning system to save fuel, is claimed to contain tight security protocols. Daimler is among a group of leading truck manufacturers arguing for new connected trucks to be built ‘from the ground up’ so as to use a single, fully integrated platform.
So is your vehicle only as safe and secure as the gadget you are connecting it with? Annie Reddaway, project director at TU‑Automotive, says that hacking capabilities are a high priority that needs addressing.
She commented: “A lot of work is being done to convince companies from within and without to invest in cyber security and software management. Risk is currently relatively small; few connected cars are on the road and there are few financial incentives for hackers to go after cars. But it is the technology being worked on now to be rolled out over the next few years that manufacturers are concerned about.
“There’s also a recognition of the need to make the entire supply chain aware that they need to design and build in cyber security. The big challenge is that the hacking threat is always evolving, so it’s a case of not only securing systems for today’s threats but also for unknown future threats that haven’t even been developed yet.”
The Society of Motor Manufacturers and Traders (SMMT) has said that more than half the cars sold in the UK in 2015 – some 1.5 million – had Internet‑connected safety systems. The number of gadgets and applications available to vehicle manufacturers is increasing at an alarming rate, with most cars having between 50 and 60 computers on board. Sensors in the engines to monitor performance and emission outputs, video technology to assist with parking and collision avoidance and even awareness systems to help tackle driver fatigue – each individual gadget informs the driver, and in some cases their insurance company or fleet operator, how they can become safer drivers, more fuel efficient, conscientious or even simply slower on the roads.
Every time you add complexity to the make‑up of the vehicle, you also make it easier to gain access digitally. The more systems, the more areas to exploit. Vehicles contain dozens of electronic control units and an excess of lines of code that are used to control brakes, wipers and steering, among others. This is before the Internet is taken into account.
A report by the Software Engineering Institute at America’s Carnegie Mellon University, titled On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle, examined the situation in March this year. The report details the common architectural issues with devices, threat modelling and recommendations to limit the risk of cyber attack to your vehicle.
In the report, Dan Klinedinst and Christopher King examine the threat posed by OBD-II ports. It says: “With the advent of the smartphone revolution and increased miniaturisation, startups and existing vehicle aftermarket manufacturers have developed devices that attach to the on-board diagnostic (OBD-II) port that is present in all modern cars (OTAQ, 1996). This port has traditionally been used by mechanics to download diagnostic data and run tests, but there is a market emerging to allow car owners to access the same data via their mobile device or even over the Internet. These OBD-II ports provide raw access to the CAN bus, potentially allowing direct manipulation of CAN traffic in the vehicle.”
It is important to remember that every company will address concerns differently, and Annie Reddaway uses the American model to demonstrate this. She says: “Individually, companies have different approaches. Some are buying up start-ups (such as Harman’s acquisition of TowerSec), some are building up cyber security teams, some are disseminating experts throughout different departments, most are also bringing in third party help from researchers and consultants.
“In the USA, the industry is working closely with the government (DOT, NHTSA), to bring in standards and legislation. They have also set up an Auto-ISAC (Information Sharing and Analysis Center), which involves all key automakers working in the USA, and soon will include Tier 1 suppliers too, which is an unprecedented level of collaboration within the industry. Through the ISAC, members can share any vulnerabilities, risks and information.”
Nick Walker believes that hacking capabilities need to be given appropriate priority – more than they are currently receiving.
Discussing his personal intention to address the issue, he said: “Data security is a top priority for us as a business generally and within the telematics team. We are entrusted with customer data and have a responsibility to ensure that trust is not broken. All elements of our solution are rigorously tested against hacking threats and risk before they are deployed into customers’ vehicles.”
Another recurring response to hacking concerns is the need for collaboration. In January, the US Department of Transportation urged the automotive industry to share information and work with researchers to tackle potential car hack attacks, while the National Highway Traffic Safety Administration set out safety principles for the year. A number of major manufacturers signed up to the principles, including Volvo, Ford, Mercedes-Benz and General Motors.
When we asked Martin Kadhim about collaboration, he suggested that safeguarding is essential. He commented: “Ensuring we have in place the necessary safeguards to keep our customers’ data and equipment secure is an absolute top priority and will remain central to everything we do with the product both now and in the future.”
He continued to discuss the necessary improvements to standards: “Transfer of non-encrypted sensitive data and a lack of safeguards stopping unauthorised remote access to equipment appear to be the leading weaknesses in network‑connected devices such as telematics devices. Improvements such as desensitisation, SSL encryption, and closure of unsecured ports are the first steps to adherence to standards such as ISO/IEC 27001:2013 and the heightened requirements of the European General Data Protection Regulation.”
This belief also formed part of Nick Walker’s view of how the industry can combat the issue, asserting that standards need to be given greater importance. He said: “There are standards in place for security, but standards alone are not sufficient. As technology develops, so does hacking. We at the RAC run penetration tests on a regular basis to look for any weaknesses and immediately address any identified risk.”
In the UK, BT offered a hack testing service, called BT Assure Ethical Hacking for Vehicles (AEHV), in a bid to bring its ‘expertise’ to the growing connected car industry and to help protect vehicles from cyber threats. BT AEHV probes access points on a vehicle, including wireless and mobile connections, navigation equipment and entertainment systems.
Hubertus von Roenne, vice president for global industry practices at BT Global Services, said: “Vehicles are now connected devices, confronting manufacturers and suppliers with a whole new world of security challenges. We use the expertise and knowledge of our ethical hacking consultants to identify these vulnerabilities before others do.
“The proliferation of these technologies raises concerns about the ability of hackers to gain access to and control of the essential functions and features of those vehicles and for others to use information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent. Security and integrity of data is of critical importance to prevent unauthorised access or remote hijacking of a vehicle.”
Another area of comfort should be that hacking is not a new threat. Although relatively unknown in the fleet industry, other sectors have experienced and overcome remote attacks. Ethical hackers, those who have the knowledge of criminal hackers but with the intention of working against the crime, help to identify vulnerabilities and provide insights that can be crucial in prevention.
It is also important to remember that the high-publicity hacking cases that grabbed media headlines were undertaken by researchers who dedicated a lot of time to their operations. The researchers were there to expose vulnerabilities, not take advantage of them. The hacking that has taken place is a warning, a complication, and a threat, but not a disaster. While the threat of illegal, intentional and harmful hacking is a long shot, which some might deem hypothetical, the alarming speed at which new technology is being produced, imported and manufactured in cars should be cause for concern.
This understanding is shared by Annie Reddaway, who says that: “To date, hacking has not been for malicious intent but to raise awareness of the issue and has been carried out by security researchers open to working with the industry. The likelihood of a breach is currently relatively small but the consequences are huge for driver safety, privacy and for businesses too. The less reported part of automotive cyber security is software integrity – any errors here could have a dangerous impact if it affects vehicle functionality and safety.”
The technology would once have been labelled hypothetical, but is now integrated in every vehicle, on every dashboard, in every brake system and under every bonnet. The accessibility of hacking technology will soon catch up, and the industry must be ready to plug the holes it is beginning to see. The speed at which the industry intends to make vehicles more intelligent must not compromise the speed at which it ensures safety. The industry has seemed reluctant to discuss vulnerabilities, but surely it is only a matter of time before that changes.
Expert final thoughts
"The industry can and must improve its security and the threat of hacking by sharing their experiences and working together to provide security against the risks. It is important to the industry as a whole as any potential hack will create a fear and loss of faith from the users of telematics which will result in detrimental public relations across the industry."
"Standards should apply across all potential hacking risk areas and include regular checks, and dictate how those checks are run. As telematics develops to include more sophisticated devices, data feeds and apps, standards need to develop to keep pace as well as ensure customers can have faith in the technology. The RAC has even run penetration tests on its recently released smartphone apps, for example, to maximise protection of customer data. The reality is you would think each provider is hyper-sensitive to any potential data breaches as without that high level of protection, they are not likely to keep customers for long if they do suffer a hacking issue."
"Lightfoot would welcome a more collaborative approach from the industry including, for example, an open discussion and the agreement of a set of industry wide standards. This should apply not only to security concerns but to the whole issue of data collection, storage and sharing to ensure fair and transparent policies for all our customers."
"The industry is still looking for a car‑specific solution that fits the product’s specificity, development and lifecycle. Over-the-air update capability is one that is looked to as a way of delivering security updates, like for your computer or your phone, and many automakers are looking to implement this. But the industry is definitely starting to take steps in the right direction, and many were already being taken behind the scenes before high profile hacks hit the headlines. The industry just needs to be more open and collaborate as much as possible."