Heavy Duty Trucking Logo
MenuMENU
SearchSEARCH

Q&A: How Hackers Can Exploit Fleet Vehicles

Software-defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit, from cars to heavy-duty trucks. The threat is real, and it will have a huge impact for fleets. Find out why from cybersecurity expert Haim Kantor.

Jim Park
Jim ParkFormer HDT Equipment Editor
Read Jim's Posts
May 7, 2024
Haim Kanter, vice president, Upstream

Haim Kanter, vice president, North America, Upstream, says there has been a 20% increase in the number of vehicles being attacked through API's in the past few years.

Photo: Upstream

8 min to read

If you're still think of cybersecurity in terms of withdrawal-of-service or ransomware attacks, you're in for a shock. Software defined vehicles and insecure APIs and mobile services have opened new attack vectors for the bad guys to exploit. And they are doing so enthusiastically.

There has been a 20% increase in the number of vehicles being attacked through API's in the past few years. A single incident can now affect thousands of vehicles.

The threat is real, and it will have a huge impact for fleets, not only financially, but safety could be impacted as well.

HDT Equipment Editor Jim Park spoke with Upstream Security's vice president of North American operations, Haim Kantor, about these emerging threat vectors, and the hazards they pose if they are allowed to proliferate.

This Q&A features highlights from a recent episode of HDT Talks Trucking.

This interview has been edited for brevity and clarity.

HDT: Can you give us a sense of where we are today with automotive cybersecurity?

Kantor: We've reached an inflection point. The number of cybersecurity incidents grew over the past five to seven years by 400%. But we're moving away from just talking about number of incidents to looking at the impact of the incidents.

By that I mean how many vehicles could be impacted by a single security incident, and what are the operational and financial impacts? Depending on the nature of the hack, the attack vector, and it's intended consequences, a hack of a single vehicle could have fleet-wide implications. So now we go from one vehicle, to maybe dozens or hundreds, or even thousands.

The motives for these attacks vary, but usually it's financial. Since the Russia-Ukraine war, there's also a geopolitical component. But the new thing we're seeing is people hacking through cybersecurity in their own vehicles so can they avoid paying for premium services.

HDT: Is this a case where the vehicles, or some technology on board the vehicle, facilitates the attack, gives the hacker some pathway into the vehicle?

Kantor: Yes. One of the reasons we see more attacks on fleets is because there are more and more new vectors with which to attack a vehicle.

In the past, you really needed to understand deeply how vehicles work. If you wanted to attack the internal elements, an ECU or a TCU, you really needed a lot of knowledge about cars. But the trend today is attacking the vehicle through APIs (application programming interface).

About 20% of attacks now are based on APIs or mobile services — the ones that are running the fleet. You don't need to know anything about a vehicle. Instead, you find a vulnerability within an API. In the OWASP world (Open Web Application Security Project), almost all of the top 10 attacks are applicable to the vehicle world. The Orbcomm attack for example. That ransomware attack was done purely through an API attack.

HDT: So, in that case, the attackers went after Orbcomm, but the impact was felt by fleets using Orbcomm products. That raises an interesting question: How can fleets ensure their suppliers have taken appropriate upstream precautions?

Kantor: This will require a lot of education. The fleet owners and managers need to be asking questions to make sure that their fleets are safe. They need to say that one of the requirements is to make sure their suppliers have that security in place.

HDT: Here's a scenario; tell me if this is possible: Some truck brakes can now be applied through the electronics onboard the truck. Is it possible that if somebody got hold of the right code, they could start applying brakes on individual trucks or fleet-wide?

Kantor: Yes, they can. I'll give you an example. It's not a truck, but in agriculture. During the earlier stages of the Russia-Ukrainian war, John Deere was able to take over their vehicles and remotely use a kill switch to disable the equipment. The same thing could happen with an attack that presses that "kill switch" on a truck.

Protect Your Fleet From Cyberattacks

HDT: Could you give some other examples of these sorts of attacks that have actually happened?

Kantor: Let's start with an attack that we saw early in 2022. David Colombo [a self-described tech security specialist] was able to access 25 Tesla cars around the world. That's 25 cars in 25 different countries. He was able to connect to the cars through an application that was not provided by Tesla, but Tesla endorsed the application.

Through that app, he was able to blow the horn and roll the windows up and down. That sounds amusing, right? But think about a truck driver, driving at 70 mph on I-95, and his window starts opening and closing and is horn is blowing. That could really be dangerous.

In September 2022, hacker/researcher Sam Curry decided he wanted to try hacking a car. He knew nothing about cars, but by November he had figured out how to do it. He got in through a vulnerability in SiriusXM's Connected Services and related telematics system. All he needed to know was the vehicle's VIN number.

And as you know, VIN numbers are easy to get hold of. The API was not authenticating as it should, and Curry was able to get into vehicles from 12 different OEMs.

So now we go from one single vehicle to an entire fleet to multiple fleets — from one car to millions of cars to tens of millions of cars. And not only that, since he got in through the telematics, it's a deeper attack as well.

Later that year, a group called Anonymous attacked Yandex in Moscow. Yandex is similar to Uber in Moscow. Through an API, hackers got into the back-office system and sent every Yandex vehicle to one single spot in Moscow. They didn't touch cars. All they did was get hold of a system API and basically weaponize the cars. That created massive gridlock, and this had a direct impact on the safety of people.

The first documented case of a vehicle hack was in 2015. A staged hack of a Jeep Cherokee with the hackers inside the vehicle. Fast forward to 2022; we have hackers gaining control of multiple cars through a vulnerability in apps authorized by an OEM.

HDT: What sort of vectors are these guys using to provide that level of control in the vehicle itself?

Kantor: It starts from vectors of attack to attacking the vehicle directly. So, things like the remote start, or the TCU/ECU or the telematics — all of which require a lot of knowledge about vehicles. But now you have all these new vectors, the APIs and mobile applications.

They account for about 20% of the attacks today. That's up from about 2% the year before. That's one.

Another vector we're seeing now comes from EV [electric vehicle] attacks. It's about 4% now. Not a big number, but if you think about the growth of EVs and all the money spent on EVs, you know how to multiply it.

The second thing, when looking at EVs, is charging. All the communication for charging is all done through APIs. And there are new vectors as well, attacks that come from the charging station to the vehicle. If somebody could get hold of an entire charging network and send commands to overcharge cars, you'd be able to basically disable all those cars.

I don't know how many drivers are aware of the fact that when they're plugging their car into that charging station, it's not only electrons flowing through that pipe, so is all their personal information data, their billing data, their credit card data. All of this could be taken from the vehicle as well.

HDT: Have you identified anything you might call trends in all this?

Kantor: We've seen several trends. First, there are now many new attack vectors. It's the smart mobility and the APIs.

And we see that the magnitude of the attacks is now larger — fleet-wide attacks.

And there's one more that I didn't touch on that's really interesting. Customers are now attacking their own vehicles. OEMs today are looking to increase their revenue by selling the premium services, correct? If you look at the projection, trillions of dollars will come from these services by 2030.

There's a famous case recently where an OEM said they were going to charge 12 or 18 Euros a month for heated seats. This wasn't very popular with customers. So, the customer thinks, "I'm going to hack it, I'm going to jailbreak my vehicle."

HDT: This all sounds pretty discouraging. Is anything concrete being done to mitigate this threat?

Kantor: It's almost like back to the days where it was Intel inside; you want to know there's some form of cybersecurity protecting you on the inside, like Upstream, for example.

But regulation is also playing a major part. It's more advanced in in Europe, with WP.29 and UN Regulation R155 which requires cars be monitored. That regulation is still not in the U.S., but OEMs understand the liability and they are taking steps regardless of the regulation.

Regulation is coming, though. The National Highway Traffic Safety Administration is promoting and encouraging OEMs to be part of AutoISAC (Automotive Information Sharing and Analysis Center). This body shares information between automotive manufacturers and tier-one suppliers.

Some of NHTSA's recommendations are very similar to what's in the European regulation. We will see something like that here very soon, probably by 2025, 2026.

Related: Minimize the Threat from Cyberattacks

Topics:Vehicle HackinghackersCybersecurityCyberattacksData Securityvehicle securityFleet Management
Subscribe to Our Newsletter

More Fleet Management

ATA President Chris Spear.
Fleet Managementby Jack RobertsMarch 17, 2026

ATA’s Spear Warns Fuel Prices, Trade Policy, and Global Conflict Could Stall Trucking Recovery

Speaking at the TMC Annual Meeting in Nashville, ATA President Chris Spear said trucking faces mounting pressure from rising fuel prices, geopolitical instability, and uncertainty around trade policy.

Read More →
Illustration of author headshot with black-and-white old-fashioned rig in the background
Safety & Complianceby Deborah LockridgeMarch 17, 2026

New Entrants, Chameleon Carriers, and Safety: Is It Too Easy to Start a Trucking Company?

More than 100,000 new trucking companies enter the industry each year, but regulators manage to audit only a fraction of them. That churn creates opportunities for inexperienced startups — and for “chameleon carriers” that shut down after safety violations and reappear under new identities. Read more from Deborah Lockridge in this commentary.

Read More →
Panel discussion
Fleet Managementby Deborah LockridgeMarch 12, 2026

Fleet Managers Invited to Apply for Exclusive HDT Exchange Event

HDTX is an intimate event that connects heavy-duty trucking fleet managers with industry suppliers through small-group discussions, educational sessions, and structured one-on-one meetings.

Read More →
DAT iPhone Widget.
Fleet Managementby News/Media ReleaseMarch 12, 2026

DAT Launches iPhone Widget to Help Owner-Operators Find Loads Faster

New DAT One feature shows top-paying loads directly on an iPhone’s home screen, helping carriers react faster to spot-market opportunities.

Read More →
Optimal Dynamics Scale screen shot
Fleet Managementby News/Media ReleaseMarch 12, 2026

Optimal Dynamics Launches AI System to Help Carriers Choose Better Freight

Optimal Dynamics says its new Scale platform uses AI agents and optimization to help carriers find and secure freight that improves network balance and profitability.

Read More →
DAT March 2026 trucking conditions.
Fleet Managementby Jack RobertsMarch 12, 2026

DAT: Flatbed Demand Climbs as Van and Reefer Rates Soften

DAT Freight & Analytics data shows tightening flatbed capacity, easing produce markets, and softening van and reefer rates.

Read More →
YouTube thumbnail with Mike Roeth of NACFE saying "NACFE's Messy Middle: Which Fuel Wins?"
Fuel Smartsby Deborah LockridgeMarch 11, 2026

Run on Less “Messy Middle” Data Shows Multiple Paths Forward for Truck Powertrains [Watch]

NACFE's Run on Less - Messy Middle project demonstrates the power of data in helping to guide the future of alternative fuels and powertrains for heavy-duty trucks.

Read More →
Illustration of crowded New York street overlaid with dollar signs
Fleet Managementby Deborah LockridgeMarch 11, 2026

Federal Court Lets NYC Congestion Pricing Continue

A federal court ruling allows New York City’s congestion pricing program to continue, leaving truck tolls in place for fleets delivering into Manhattan.

Read More →
Fontaine Modification Access365
Fleet Managementby News/Media ReleaseMarch 10, 2026

Fontaine Modification Launches Real-Time Truck Modification Tracking Portal

Fontaine Modification has introduced a new customer portal designed to give fleets real-time visibility into the truck modification process, addressing one of the most common questions fleet managers face: “Where’s my truck?”

Read More →
FTR Tucking Conditions March 2026.
Fleet Managementby Jack RobertsMarch 10, 2026

FTR: Trucking Conditions Index Climbs to Highest Level Since 2022

Strong freight rates, rising volumes and tighter capacity push trucking conditions higher, though diesel prices could temper gains in the near term, FTR cautions.

Read More →
View All