Q&A: How Hackers Can Exploit Fleet Vehicles

If you're still think of cybersecurity in terms of withdrawal-of-service or ransomware attacks, you're in for a shock. Software defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit. And they are doing so enthusiastically.

There has been a 20% increase in the number of vehicles being attacked through API's in the past few years. A single incident can now affect thousands of vehicles.

The threat is real, and it will have a huge impact for fleets, not only financially, but safety could be impacted as well.

HDT Equipment Editor Jim Park spoke with Upstream Security's vice president of North American operations, Haim Kantor, about these emerging threat vectors, and the hazards they pose if they are allowed to proliferate.

This Q&A features highlights from a recent episode of HDT Talks Trucking.

This interview has been edited for brevity and clarity.

HDT: Can you give us a sense of where we are today with automotive cybersecurity?

Kantor: We've reached an inflection point. The number of cybersecurity incidents grew over the past five to seven years by 400%. But we're moving away from just talking about number of incidents to looking at the impact of the incidents.

By that I mean how many vehicles could be impacted by a single security incident, and what are the operational and financial impacts? Depending on the nature of the hack, the attack vector, and it's intended consequences, a hack of a single vehicle could have fleet-wide implications. So now we go from one vehicle, to maybe dozens or hundreds, or even thousands.

The motives for these attacks vary, but usually it's financial. Since the Russia-Ukraine war, there's also a geopolitical component. But the new thing we're seeing is people hacking through cybersecurity in their own vehicles so can they avoid paying for premium services.

HDT: Is this a case where the vehicles, or some technology on board the vehicle, facilitates the attack, gives the hacker some pathway into the vehicle?

Kantor: Yes. One of the reasons we see more attacks on fleets is because there are more and more new vectors with which to attack a vehicle.

In the past, you really needed to understand deeply how vehicles work. If you wanted to attack the internal elements, an ECU or a TCU, you really needed a lot of knowledge about cars. But the trend today is attacking the vehicle through APIs (application programming interface).

About 20% of attacks now are based on APIs or mobile services — the ones that are running the fleet. You don't need to know anything about a vehicle. Instead, you find a vulnerability within an API. In the OWASP world (Open Web Application Security Project), almost all of the top 10 attacks are applicable to the vehicle world. The Orbcomm attack for example. That ransomware attack was done purely through an API attack.

HDT: So, in that case, the attackers went after Orbcomm, but the impact was felt by fleets using Orbcomm products. That raises an interesting question: How can fleets ensure their suppliers have taken appropriate upstream precautions?

Kantor: This will require a lot of education. The fleet owners and managers need to be asking questions to make sure that their fleets are safe. They need to say that one of the requirements is to make sure their suppliers have that security in place.

HDT: Here's a scenario; tell me if this is possible: Some truck brakes can now be applied through the electronics onboard the truck. Is it possible that if somebody got hold of the right code, they could start applying brakes on individual trucks or fleet-wide?

Kantor: Yes, they can. I'll give you an example. It's not a truck, but in agriculture. During the earlier stages of the Russia-Ukrainian war, John Deere was able to take over their vehicles and remotely use a kill switch to disable the equipment. The same thing could happen with an attack that presses that "kill switch" on a truck.

HDT: Could you give some other examples of these sorts of attacks that have actually happened?

Kantor: Let's start with an attack that we saw early in 2022. David Colombo [a self-described tech security specialist] was able to access 25 Tesla cars around the world. That's 25 cars in 25 different countries. He was able to connect to the cars through an application that was not provided by Tesla, but Tesla endorsed the application.

Through that app, he was able to blow the horn and roll the windows up and down. That sounds amusing, right? But think about a truck driver, driving at 70 mph on I-95, and his window starts opening and closing and is horn is blowing. That could really be dangerous.

In September 2022, hacker/researcher Sam Curry decided he wanted to try hacking a car. He knew nothing about cars, but by November he had figured out how to do it. He got in through a vulnerability in SiriusXM's Connected Services and related telematics system. All he needed to know was the vehicle's VIN number.

And as you know, VIN numbers are easy to get hold of. The API was not authenticating as it should, and Curry was able to get into vehicles from 12 different OEMs.

So now we go from one single vehicle to an entire fleet to multiple fleets — from one car to millions of cars to tens of millions of cars. And not only that, since he got in through the telematics, it's a deeper attack as well.

Later that year, a group called Anonymous attacked Yandex in Moscow. Yandex is similar to Uber in Moscow. Through an API, hackers got into the back-office system and sent every Yandex vehicle to one single spot in Moscow. They didn't touch cars. All they did was get hold of a system API and basically weaponize the cars. That created massive gridlock, and this had a direct impact on the safety of people.

The first documented case of a vehicle hack was in 2015. A staged hack of a Jeep Cherokee with the hackers inside the vehicle. Fast forward to 2022; we have hackers gaining control of multiple cars through a vulnerability in apps authorized by an OEM.

HDT: What sort of vectors are these guys using to provide that level of control in the vehicle itself?

Kantor: It starts from vectors of attack to attacking the vehicle directly. So, things like the remote start, or the TCU/ECU or the telematics — all of which require a lot of knowledge about vehicles. But now you have all these new vectors, the APIs and mobile applications.

They account for about 20% of the attacks today. That's up from about 2% the year before. That's one.

Another vector we're seeing now comes from EV [electric vehicle] attacks. It's about 4% now. Not a big number, but if you think about the growth of EVs and all the money spent on EVs, you know how to multiply it.

The second thing, when looking at EVs, is charging. All the communication for charging is all done through APIs. And there are new vectors as well, attacks that come from the charging station to the vehicle. If somebody could get hold of an entire charging network and send commands to overcharge cars, you'd be able to basically disable all those cars.

I don't know how many drivers are aware of the fact that when they're plugging their car into that charging station, it's not only electrons flowing through that pipe, so is all their personal information data, their billing data, their credit card data. All of this could be taken from the vehicle as well.

HDT: Have you identified anything you might call trends in all this?

Kantor: We've seen several trends. First, there are now many new attack vectors. It's the smart mobility and the APIs.

And we see that the magnitude of the attacks is now larger — fleet-wide attacks.

And there's one more that I didn't touch on that's really interesting. Customers are now attacking their own vehicles. OEMs today are looking to increase their revenue by selling the premium services, correct? If you look at the projection, trillions of dollars will come from these services by 2030.

There's a famous case recently where an OEM said they were going to charge 12 or 18 Euros a month for heated seats. This wasn't very popular with customers. So, the customer thinks, "I'm going to hack it, I'm going to jailbreak my vehicle."

HDT: This all sounds pretty discouraging. Is anything concrete being done to mitigate this threat?

Kantor: It's almost like back to the days where it was Intel inside; you want to know there's some form of cybersecurity protecting you on the inside, like Upstream, for example.

But regulation is also playing a major part. It's more advanced in in Europe, with WP.29 and UN Regulation R155 which requires cars be monitored. That regulation is still not in the U.S., but OEMs understand the liability and they are taking steps regardless of the regulation.

Regulation is coming, though. The National Highway Traffic Safety Administration is promoting and encouraging OEMs to be part of AutoISAC (Automotive Information Sharing and Analysis Center). This body shares information between automotive manufacturers and tier-one suppliers.

Some of NHTSA's recommendations are very similar to what's in the European regulation. We will see something like that here very soon, probably by 2025, 2026.