Heavy Duty Trucking Logo
MenuMENU
SearchSEARCH

Q&A: How Hackers Can Exploit Fleet Vehicles

Software-defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit, from cars to heavy-duty trucks. The threat is real, and it will have a huge impact for fleets. Find out why from cybersecurity expert Haim Kantor.

Jim Park
Jim ParkFormer HDT Equipment Editor
Read Jim's Posts
May 7, 2024
Haim Kanter, vice president, Upstream

Haim Kanter, vice president, North America, Upstream, says there has been a 20% increase in the number of vehicles being attacked through API's in the past few years.

Photo: Upstream

8 min to read

If you're still think of cybersecurity in terms of withdrawal-of-service or ransomware attacks, you're in for a shock. Software defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit. And they are doing so enthusiastically.

There has been a 20% increase in the number of vehicles being attacked through API's in the past few years. A single incident can now affect thousands of vehicles.

The threat is real, and it will have a huge impact for fleets, not only financially, but safety could be impacted as well.

HDT Equipment Editor Jim Park spoke with Upstream Security's vice president of North American operations, Haim Kantor, about these emerging threat vectors, and the hazards they pose if they are allowed to proliferate.

This Q&A features highlights from a recent episode of HDT Talks Trucking.

This interview has been edited for brevity and clarity.

HDT: Can you give us a sense of where we are today with automotive cybersecurity?

Kantor: We've reached an inflection point. The number of cybersecurity incidents grew over the past five to seven years by 400%. But we're moving away from just talking about number of incidents to looking at the impact of the incidents.

By that I mean how many vehicles could be impacted by a single security incident, and what are the operational and financial impacts? Depending on the nature of the hack, the attack vector, and it's intended consequences, a hack of a single vehicle could have fleet-wide implications. So now we go from one vehicle, to maybe dozens or hundreds, or even thousands.

The motives for these attacks vary, but usually it's financial. Since the Russia-Ukraine war, there's also a geopolitical component. But the new thing we're seeing is people hacking through cybersecurity in their own vehicles so can they avoid paying for premium services.

HDT: Is this a case where the vehicles, or some technology on board the vehicle, facilitates the attack, gives the hacker some pathway into the vehicle?

Kantor: Yes. One of the reasons we see more attacks on fleets is because there are more and more new vectors with which to attack a vehicle.

In the past, you really needed to understand deeply how vehicles work. If you wanted to attack the internal elements, an ECU or a TCU, you really needed a lot of knowledge about cars. But the trend today is attacking the vehicle through APIs (application programming interface).

About 20% of attacks now are based on APIs or mobile services — the ones that are running the fleet. You don't need to know anything about a vehicle. Instead, you find a vulnerability within an API. In the OWASP world (Open Web Application Security Project), almost all of the top 10 attacks are applicable to the vehicle world. The Orbcomm attack for example. That ransomware attack was done purely through an API attack.

HDT: So, in that case, the attackers went after Orbcomm, but the impact was felt by fleets using Orbcomm products. That raises an interesting question: How can fleets ensure their suppliers have taken appropriate upstream precautions?

Kantor: This will require a lot of education. The fleet owners and managers need to be asking questions to make sure that their fleets are safe. They need to say that one of the requirements is to make sure their suppliers have that security in place.

HDT: Here's a scenario; tell me if this is possible: Some truck brakes can now be applied through the electronics onboard the truck. Is it possible that if somebody got hold of the right code, they could start applying brakes on individual trucks or fleet-wide?

Kantor: Yes, they can. I'll give you an example. It's not a truck, but in agriculture. During the earlier stages of the Russia-Ukrainian war, John Deere was able to take over their vehicles and remotely use a kill switch to disable the equipment. The same thing could happen with an attack that presses that "kill switch" on a truck.

Protect Your Fleet From Cyberattacks

HDT: Could you give some other examples of these sorts of attacks that have actually happened?

Kantor: Let's start with an attack that we saw early in 2022. David Colombo [a self-described tech security specialist] was able to access 25 Tesla cars around the world. That's 25 cars in 25 different countries. He was able to connect to the cars through an application that was not provided by Tesla, but Tesla endorsed the application.

Through that app, he was able to blow the horn and roll the windows up and down. That sounds amusing, right? But think about a truck driver, driving at 70 mph on I-95, and his window starts opening and closing and is horn is blowing. That could really be dangerous.

In September 2022, hacker/researcher Sam Curry decided he wanted to try hacking a car. He knew nothing about cars, but by November he had figured out how to do it. He got in through a vulnerability in SiriusXM's Connected Services and related telematics system. All he needed to know was the vehicle's VIN number.

And as you know, VIN numbers are easy to get hold of. The API was not authenticating as it should, and Curry was able to get into vehicles from 12 different OEMs.

So now we go from one single vehicle to an entire fleet to multiple fleets — from one car to millions of cars to tens of millions of cars. And not only that, since he got in through the telematics, it's a deeper attack as well.

Later that year, a group called Anonymous attacked Yandex in Moscow. Yandex is similar to Uber in Moscow. Through an API, hackers got into the back-office system and sent every Yandex vehicle to one single spot in Moscow. They didn't touch cars. All they did was get hold of a system API and basically weaponize the cars. That created massive gridlock, and this had a direct impact on the safety of people.

The first documented case of a vehicle hack was in 2015. A staged hack of a Jeep Cherokee with the hackers inside the vehicle. Fast forward to 2022; we have hackers gaining control of multiple cars through a vulnerability in apps authorized by an OEM.

HDT: What sort of vectors are these guys using to provide that level of control in the vehicle itself?

Kantor: It starts from vectors of attack to attacking the vehicle directly. So, things like the remote start, or the TCU/ECU or the telematics — all of which require a lot of knowledge about vehicles. But now you have all these new vectors, the APIs and mobile applications.

They account for about 20% of the attacks today. That's up from about 2% the year before. That's one.

Another vector we're seeing now comes from EV [electric vehicle] attacks. It's about 4% now. Not a big number, but if you think about the growth of EVs and all the money spent on EVs, you know how to multiply it.

The second thing, when looking at EVs, is charging. All the communication for charging is all done through APIs. And there are new vectors as well, attacks that come from the charging station to the vehicle. If somebody could get hold of an entire charging network and send commands to overcharge cars, you'd be able to basically disable all those cars.

I don't know how many drivers are aware of the fact that when they're plugging their car into that charging station, it's not only electrons flowing through that pipe, so is all their personal information data, their billing data, their credit card data. All of this could be taken from the vehicle as well.

HDT: Have you identified anything you might call trends in all this?

Kantor: We've seen several trends. First, there are now many new attack vectors. It's the smart mobility and the APIs.

And we see that the magnitude of the attacks is now larger — fleet-wide attacks.

And there's one more that I didn't touch on that's really interesting. Customers are now attacking their own vehicles. OEMs today are looking to increase their revenue by selling the premium services, correct? If you look at the projection, trillions of dollars will come from these services by 2030.

There's a famous case recently where an OEM said they were going to charge 12 or 18 Euros a month for heated seats. This wasn't very popular with customers. So, the customer thinks, "I'm going to hack it, I'm going to jailbreak my vehicle."

HDT: This all sounds pretty discouraging. Is anything concrete being done to mitigate this threat?

Kantor: It's almost like back to the days where it was Intel inside; you want to know there's some form of cybersecurity protecting you on the inside, like Upstream, for example.

But regulation is also playing a major part. It's more advanced in in Europe, with WP.29 and UN Regulation R155 which requires cars be monitored. That regulation is still not in the U.S., but OEMs understand the liability and they are taking steps regardless of the regulation.

Regulation is coming, though. The National Highway Traffic Safety Administration is promoting and encouraging OEMs to be part of AutoISAC (Automotive Information Sharing and Analysis Center). This body shares information between automotive manufacturers and tier-one suppliers.

Some of NHTSA's recommendations are very similar to what's in the European regulation. We will see something like that here very soon, probably by 2025, 2026.

Related: Minimize the Threat from Cyberattacks

Topics:Vehicle HackinghackersCybersecurityCyberattacksData Securityvehicle securityFleet Management
Subscribe to Our Newsletter

More Fleet Management

TEN disaster prep.
Fleet ManagementMay 1, 2026

How Fleets Can Avoid Equipment Blind Spots in Disaster Response

When the unexpected happens, how you react to, and deal with operational blind spots is critical. Here’s how to keep you recovery on track, when nothing is normal.

Read More →
Illustration of cybersecurity images with "The Cyber Stop" text
Fleet Managementby Ben WilkensApril 30, 2026

AI Security Risks for Trucking Fleets: What to Know About Deepfakes and Agentic AI

As fleets adopt artificial intelligence for routing, maintenance, and load matching, new security risks are emerging. Learn where the vulnerabilities are and how to put the right controls in place.

Read More →
Mobile tablet showing Motus screen against highway background with Motus logo
Safety & Complianceby Deborah LockridgeApril 29, 2026

FMCSA’s Motus System Is Coming. What Fleets Need to Know Now

The long-awaited registration system promises a single portal — and tighter fraud controls.

Read More →
CargoNet 2026 Qi report.
Fleet Managementby News/Media ReleaseApril 24, 2026

Cargo Theft Incidents Fall in Q1, but Organized Crime and Impersonation Drive New Risks

CargoNet reports fewer supply chain crime events to start 2026. But losses hold steady as organized crime shifts tactics toward impersonation schemes and high-value goods.

Read More →
Graphic with light bulbs, HDT Truck Fleet Innovators logo, and the word Nominations
Fleet ManagementApril 24, 2026

Nominations Open for HDT Truck Fleet Innovators 2026

Heavy Duty Trucking is searching for forward-looking leaders at trucking fleets as nominations for HDT’s Truck Fleet Innovators 2026. Deadline is May 15.

Read More →
Illustration with trojan horse and lock with inside of cargo container in background
Fleet Managementby News/Media ReleaseApril 23, 2026

New Trojan Driver Cargo Theft Scam Bypasses Carrier Vetting Systems

Cargo theft rings plant operatives as drivers inside legitimate, fully vetted carriers, then execute coordinated thefts that look like a traditional straight theft from the outside.

Read More →
ATA Truck Tonnage Index March 2026.
Fleet Managementby News/Media ReleaseApril 22, 2026

March Truck Tonnage Posts Strongest Annual Gain Since 2022

A modest sequential increase capped the strongest quarterly performance in years, signaling continued freight momentum in early 2026.

Read More →
Toll road.
Fleet Managementby Jack RobertsApril 22, 2026

Ohio Turnpike Targets $5.2 Million in Unpaid Tolls from Trucking Firms

More than 300 carriers across 26 states have been sent to collections as the Ohio Turnpike cracks down on toll evasion and delinquent payments.

Read More →
Illustration with ATRI logo and square blocks spelling out "research"
Fleet Managementby Deborah LockridgeApril 20, 2026

'Beyond Compliance,' Regulations, Driver Coaching on ATRI’s 2026 Research List

The American Transportation Research Institute will examine driver coaching, regulatory impacts — including the "Beyond Compliance" concept —and weather disruptions that shape trucking operations.

Read More →
Brian Antonellis, senior vice president, fleet operations, Fleet Advantage.
Fleet Managementby Jack RobertsApril 17, 2026

Fleet Advantage's Brian Antonellis on the Growing Need to Replace Old Trucks

Fleet Advantage's Brian Antonellis says it's time for fleets to get back to the fundamentals of good maintenance practices. And that includes replacing older, inefficient equipment.

Read More →
View All