One of Elon Musk’s top concerns is about a fleet-wide hack of Tesla cars. Connected cars create an attack surface that attackers can exploit by accessing the vehicle’s Controller Area Network (CAN). The ramifications of a remote attack on a single car can be critical, but on a whole fleet, it can have disastrous consequences. In this post, we will explore the main risks of car hacking and how to prevent an attack.
The Dangers of Car Hacking for Fleets
In 2020, 30 million cars were sold globally, and the number of total connected cars is expected to reach 115 million in 2025.
The digitalization of car systems is an unavoidable stage of vehicle automation, connectivity, and shared mobility. As such, modern cars may have over 100 million lines of software code, which shows the sophistication of car computers. Unfortunately, that also means more cybersecurity risks. The increasing number of connected cars provides attackers with a wide surface of opportunities to hack cars.
- In the UK, the National Police Chief’s Council (NPCC) reported a 3.1% increase in vehicle crime as of June 2021, with a large percentage of it coming from keyless theft. That means remote attacks using relay technology that allow attackers to get a signal from the key inside the house and transfer it to a device they’ll use to unlock and drive the car.
- In 2017, Hyundai reported that the Blue Link app had a vulnerability where hackers could enter via insecure Wifi, get user information and start a car remotely.
- In the UK, in March 2021, attackers hacked and stole a Range Rover using a wireless device. The device received a signal from inside the car owner’s home, deceiving the car into thinking it was the owner starting it. The thieves entered the vehicle with no problem, started it, and drove off.
Car hacks involve not only the risk of theft but also using the cars to launch remote attacks.
Common threat vectors and risks in connected cars
Imagine some of the potential scenarios: An attacker may carry out a DDoS attack on a transport system, overwhelming car communications. Another attack may involve a hacker remotely unlocking luxury cars on a fleet, disabling the alarm, and stealing it.
Car attacks can be inconvenient or outright dangerous. For instance, imagine you are driving along the highway and the steering wheel moves by itself, or the car stops in the middle of the fast lane.
Some of the threat vectors connected cars face may include:
- Vehicle telematics: a hacker can disrupt telematics and carry a man-in-the-middle attack.
- SMS API: attackers can use the SMS API to send commands to the device.
- Mobile API: they can attack mobile app vulnerabilities that give access to car systems.
- Entertainment system: hackers can use multimedia files to change the code on the car system.
- Wireless media: hackers can exploit vulnerabilities in wireless channels, using them to bypass permissions.
- External Sensors: an attacker can infiltrate external sensors and control the vehicle.
- Wireless key entry: hackers can gain access, unlock and lock the car.
- External device access: allows hackers to access the car’s internal systems
- Cloud service of automotive provider: could enable the hacker to attack many cars or escalate the attack on the cloud provider.
There is, without doubt, a wide range of risk vectors for connected cars. Therefore, it is important to implement best practices and tools to prevent attacks. In addition, new UN and EU regulations entering into effect in 2022, that put the focus on achieving a baseline standard of cybersecurity protection from the design process and updating current cars.
How to make the right turns
There are ways manufacturers and fleet owners can protect their cars from cyber attacks. Below, we outline 4 recommendations:
Reduce the attack surface
This recommendation is geared towards manufacturers. The increasing number of remote entry points on car systems expands the attack surface and increases the possibility of an attack. Manufacturers should work on consolidating remote entry points by leveraging fewer and more comprehensive solutions. To achieve this, organizations can carry out threat modeling exercises. This will help them detect potential weaknesses in the system’s endpoints.
How does this affect a fleet owner? Fleet owners can reduce the attack surface of their connected cars by implementing a comprehensive cybersecurity solution for cars. A solution like Upstream protects the entire car network by creating an encompassing security layer.
Embrace a security-first approach
Baking security into the design is one of the key principles of software engineering. However, the automotive industry is still behind in the adoption of this approach. Automakers need to start designing with cybersecurity in mind from the start.
Patch often and early
For fleet owners, embracing a security approach implies, first, keeping the systems updated. As soon as your connected cars are due for a software update, do it as soon as possible. An out-of-date system is a serious risk that a hacker can exploit.
Your vehicle control center should be aware of potential vulnerability alerts, patches, and updates from vendors and implement them right away. To achieve that, it is important to create a security awareness culture, ensuring that everyone knows the cybersecurity risks, and how to prevent them.
Keep databases protected
Any car system stores a large amount of sensitive data, on driver information, fleet type and systems. Whether you have custom-built software, use a boxed solution or a cloud-delivered system, the data stored in those databases are like a gold mine for attackers.
Hackers can use this information to disable your fleet, hold it for ransom, or use it to attack other vendors or customers across the supply chain. If your fleet falls victim to an attack, recovering the data to get back into business can be a long road if you don’t have solid backups. You can protect the database by isolating it (keep an on-premises, not connected copy) or a duplicated server in another geographical location. This will help you recover the data and get back on track faster. Implementing access security as multifactor authentication or single sign-on keys can help limit access to databases.
How A Cloud Solution Can Protect Your Existing Fleet
To protect your car fleet from cyberattacks, you need to implement protection at the car and at the network levels. Doing it by installing protection software in each vehicle can be extremely costly to deploy and update.
A cloud-based solution can protect your fleet without requiring installing new software in the vehicle. Upstream provides end-to-end protection to each vehicle in the fleet and also, at the network level. By leveraging machine learning and the latest cybersecurity algorithms, Upstream secures the technology and applications of connected vehicles, encrypting the data and monitoring the entire fleet ecosystem, detecting anomalies and alerting about real-time incidents, providing complete visibility and control over automotive cybersecurity.