Heavy Duty Trucking Logo
MenuMENU
SearchSEARCH

Q&A: How Hackers Can Exploit Fleet Vehicles

Software-defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit, from cars to heavy-duty trucks. The threat is real, and it will have a huge impact for fleets. Find out why from cybersecurity expert Haim Kantor.

Jim Park
Jim ParkFormer HDT Equipment Editor
Read Jim's Posts
May 7, 2024
Haim Kanter, vice president, Upstream

Haim Kanter, vice president, North America, Upstream, says there has been a 20% increase in the number of vehicles being attacked through API's in the past few years.

Photo: Upstream

8 min to read

If you're still think of cybersecurity in terms of withdrawal-of-service or ransomware attacks, you're in for a shock. Software defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit. And they are doing so enthusiastically.

There has been a 20% increase in the number of vehicles being attacked through API's in the past few years. A single incident can now affect thousands of vehicles.

The threat is real, and it will have a huge impact for fleets, not only financially, but safety could be impacted as well.

HDT Equipment Editor Jim Park spoke with Upstream Security's vice president of North American operations, Haim Kantor, about these emerging threat vectors, and the hazards they pose if they are allowed to proliferate.

This Q&A features highlights from a recent episode of HDT Talks Trucking.

This interview has been edited for brevity and clarity.

HDT: Can you give us a sense of where we are today with automotive cybersecurity?

Kantor: We've reached an inflection point. The number of cybersecurity incidents grew over the past five to seven years by 400%. But we're moving away from just talking about number of incidents to looking at the impact of the incidents.

By that I mean how many vehicles could be impacted by a single security incident, and what are the operational and financial impacts? Depending on the nature of the hack, the attack vector, and it's intended consequences, a hack of a single vehicle could have fleet-wide implications. So now we go from one vehicle, to maybe dozens or hundreds, or even thousands.

The motives for these attacks vary, but usually it's financial. Since the Russia-Ukraine war, there's also a geopolitical component. But the new thing we're seeing is people hacking through cybersecurity in their own vehicles so can they avoid paying for premium services.

HDT: Is this a case where the vehicles, or some technology on board the vehicle, facilitates the attack, gives the hacker some pathway into the vehicle?

Kantor: Yes. One of the reasons we see more attacks on fleets is because there are more and more new vectors with which to attack a vehicle.

In the past, you really needed to understand deeply how vehicles work. If you wanted to attack the internal elements, an ECU or a TCU, you really needed a lot of knowledge about cars. But the trend today is attacking the vehicle through APIs (application programming interface).

About 20% of attacks now are based on APIs or mobile services — the ones that are running the fleet. You don't need to know anything about a vehicle. Instead, you find a vulnerability within an API. In the OWASP world (Open Web Application Security Project), almost all of the top 10 attacks are applicable to the vehicle world. The Orbcomm attack for example. That ransomware attack was done purely through an API attack.

HDT: So, in that case, the attackers went after Orbcomm, but the impact was felt by fleets using Orbcomm products. That raises an interesting question: How can fleets ensure their suppliers have taken appropriate upstream precautions?

Kantor: This will require a lot of education. The fleet owners and managers need to be asking questions to make sure that their fleets are safe. They need to say that one of the requirements is to make sure their suppliers have that security in place.

HDT: Here's a scenario; tell me if this is possible: Some truck brakes can now be applied through the electronics onboard the truck. Is it possible that if somebody got hold of the right code, they could start applying brakes on individual trucks or fleet-wide?

Kantor: Yes, they can. I'll give you an example. It's not a truck, but in agriculture. During the earlier stages of the Russia-Ukrainian war, John Deere was able to take over their vehicles and remotely use a kill switch to disable the equipment. The same thing could happen with an attack that presses that "kill switch" on a truck.

Protect Your Fleet From Cyberattacks

HDT: Could you give some other examples of these sorts of attacks that have actually happened?

Kantor: Let's start with an attack that we saw early in 2022. David Colombo [a self-described tech security specialist] was able to access 25 Tesla cars around the world. That's 25 cars in 25 different countries. He was able to connect to the cars through an application that was not provided by Tesla, but Tesla endorsed the application.

Through that app, he was able to blow the horn and roll the windows up and down. That sounds amusing, right? But think about a truck driver, driving at 70 mph on I-95, and his window starts opening and closing and is horn is blowing. That could really be dangerous.

In September 2022, hacker/researcher Sam Curry decided he wanted to try hacking a car. He knew nothing about cars, but by November he had figured out how to do it. He got in through a vulnerability in SiriusXM's Connected Services and related telematics system. All he needed to know was the vehicle's VIN number.

And as you know, VIN numbers are easy to get hold of. The API was not authenticating as it should, and Curry was able to get into vehicles from 12 different OEMs.

So now we go from one single vehicle to an entire fleet to multiple fleets — from one car to millions of cars to tens of millions of cars. And not only that, since he got in through the telematics, it's a deeper attack as well.

Later that year, a group called Anonymous attacked Yandex in Moscow. Yandex is similar to Uber in Moscow. Through an API, hackers got into the back-office system and sent every Yandex vehicle to one single spot in Moscow. They didn't touch cars. All they did was get hold of a system API and basically weaponize the cars. That created massive gridlock, and this had a direct impact on the safety of people.

The first documented case of a vehicle hack was in 2015. A staged hack of a Jeep Cherokee with the hackers inside the vehicle. Fast forward to 2022; we have hackers gaining control of multiple cars through a vulnerability in apps authorized by an OEM.

HDT: What sort of vectors are these guys using to provide that level of control in the vehicle itself?

Kantor: It starts from vectors of attack to attacking the vehicle directly. So, things like the remote start, or the TCU/ECU or the telematics — all of which require a lot of knowledge about vehicles. But now you have all these new vectors, the APIs and mobile applications.

They account for about 20% of the attacks today. That's up from about 2% the year before. That's one.

Another vector we're seeing now comes from EV [electric vehicle] attacks. It's about 4% now. Not a big number, but if you think about the growth of EVs and all the money spent on EVs, you know how to multiply it.

The second thing, when looking at EVs, is charging. All the communication for charging is all done through APIs. And there are new vectors as well, attacks that come from the charging station to the vehicle. If somebody could get hold of an entire charging network and send commands to overcharge cars, you'd be able to basically disable all those cars.

I don't know how many drivers are aware of the fact that when they're plugging their car into that charging station, it's not only electrons flowing through that pipe, so is all their personal information data, their billing data, their credit card data. All of this could be taken from the vehicle as well.

HDT: Have you identified anything you might call trends in all this?

Kantor: We've seen several trends. First, there are now many new attack vectors. It's the smart mobility and the APIs.

And we see that the magnitude of the attacks is now larger — fleet-wide attacks.

And there's one more that I didn't touch on that's really interesting. Customers are now attacking their own vehicles. OEMs today are looking to increase their revenue by selling the premium services, correct? If you look at the projection, trillions of dollars will come from these services by 2030.

There's a famous case recently where an OEM said they were going to charge 12 or 18 Euros a month for heated seats. This wasn't very popular with customers. So, the customer thinks, "I'm going to hack it, I'm going to jailbreak my vehicle."

HDT: This all sounds pretty discouraging. Is anything concrete being done to mitigate this threat?

Kantor: It's almost like back to the days where it was Intel inside; you want to know there's some form of cybersecurity protecting you on the inside, like Upstream, for example.

But regulation is also playing a major part. It's more advanced in in Europe, with WP.29 and UN Regulation R155 which requires cars be monitored. That regulation is still not in the U.S., but OEMs understand the liability and they are taking steps regardless of the regulation.

Regulation is coming, though. The National Highway Traffic Safety Administration is promoting and encouraging OEMs to be part of AutoISAC (Automotive Information Sharing and Analysis Center). This body shares information between automotive manufacturers and tier-one suppliers.

Some of NHTSA's recommendations are very similar to what's in the European regulation. We will see something like that here very soon, probably by 2025, 2026.

Related: Minimize the Threat from Cyberattacks

Topics:Vehicle HackinghackersCybersecurityCyberattacksData Securityvehicle securityFleet Management
Subscribe to Our Newsletter

More Fleet Management

Fleetworthy fleet management.
Fleet Managementby News/Media ReleaseFebruary 23, 2026

Fleetworthy Unifies Brands Under Single Banner to Streamline Fleet Readiness

Company consolidates Bestpass, Drivewyze and CPSuite into one platform aimed at reducing vendor complexity and controlling fleet costs

Read More →
Podcast thumbnail saying "Cargo Theft: Is Your Load Next?"
Fleet ManagementFebruary 23, 2026

Double Brokering, Phishing, and the Rise of Strategic Cargo Theft

Cargo theft has evolved from parking-lot break-ins to cyber-enabled strategic fraud. Here’s what fleets need to know.

Read More →
YouTube thumbnail with Scott Cornell, HDT Talks Trucking Logo, and the words, "Is Your Load Next?"
Safety & Complianceby Deborah LockridgeFebruary 20, 2026

The New Cargo Theft Playbook — And How Fleets Can Fight Back

Cargo theft has shifted from parking-lot break-ins to organized international schemes using double brokering, phishing, and even spoofing tracking signals. In this HDT Talks Trucking video podcast episode, cargo-theft investigator Scott Cornell explains what’s changed and what fleets need to do now.

Read More →
Daimler Truck North America Vice President David Carson
Fleet Managementby Jack RobertsFebruary 19, 2026

Capacity Overhang Begins to Clear, But Fleets Aren’t Ready to Spend 

Daimler Truck’s David Carson sees early signs of tightening capacity — yet buyers remain wary, extending trade cycles and resisting a pre-2027 emissions surge. 

Read More →
Map showing which states have bad freight bottlenecks
Fleet Managementby News/Media ReleaseFebruary 17, 2026

Chicago Interchange Overtakes Longstanding New Jersey Intersection as Worst Freight Bottleneck

The American Transportation Research Institute's annual analysis of truck speeds through congested interchanges yielded a new worst bottleneck this year.

Read More →
HDT Top 20 Products Award Logo
Fleet Managementby Deborah LockridgeFebruary 13, 2026

HDT Top 20 Products 2026: The New Tools, Technologies, and Ideas Shaping Trucking

From pricing intelligence and compliance tools to charging infrastructure, diagnostics, tires, and AI, HDT’s 2026 Top 20 Products recognize the new tools, technologies, and ideas heavy-duty trucking fleets are using to run their businesses.

Read More →
Geotab's Neil Cawse on stage during keynote at Geotab Connect 2026
Fleet Managementby Deborah LockridgeFebruary 12, 2026

Adapt or Die: Geotab’s Neil Cawse on AI’s Rapid Reinvention of Fleet Management

Artificial intelligence is evolving faster than fleets can keep up, and telematics must evolve with it, Cawse said during Geotab Connect. The future? A single AI coordinating every system — and leaders who know how to guide it.

Read More →
Illustration with question mark and graph illustrating uncertainty
Fleet Managementby StaffFebruary 12, 2026

After Three Years of Pressure, Motor Carriers and Brokers See Early Signs of a Turn

Survey data show carriers and brokers expect improving demand in 2026, even as rates lag and capital investment remains on hold.

Read More →
Photo of GO Focus Pro dashcam
Fleet Managementby News/Media ReleaseFebruary 11, 2026

Geotab Launches AI-Powered GO Focus Pro Dash Cam With 360-Degree Visibility

Geotab launches GO Focus Pro, an AI-powered 360-degree dash cam designed to reduce collisions, prevent fraud, and protect fleets from nuclear verdict risk.

Read More →
Knowledge Hub fleet intelligence system.
Fleet Managementby News/Media ReleaseFebruary 10, 2026

Augment Launches Freight-Native Knowledge Hub to Preserve Operational Know-How

Knowledge Hub is designed to turn scattered tribal knowledge into execution-ready intelligence and help logistics teams make faster, more consistent decisions.

Read More →
View All