Elon Musk recently voiced the darkest fears of automotive original equipment manufacturers (OEMs) and fleet managers, when he said that “one of the biggest concerns for autonomous vehicles is somebody achieving a fleet-wide hack.”
This raises the question: can the nightmare scenario like in this video taken from The Fate of the Furious happen in real life?
Unfortunately, the answer is yes.
The vulnerabilities of vehicle fleets lie in its architecture, which includes:
- Command and Control telematics servers: The control they have over the cars’ operations, such as starting/stopping the engine, locking/unlocking the doors and more, can be exploited.
- OTA Servers: These servers can be attacked to spread rogue firmware updates over the entire vehicle fleet.
- Vehicles: The vehicles can be exploited to gain full access to other vehicles, as well as to the servers.
No longer a theoretical fear
Each part of this architecture can be used as an attack vector for a fleet-wide hack. And there is already evidence of these threats materializing into attacks on each level.
Large-scale theft: In 2016, a pair of hackers in Houston, Texas, stole more than 30 Jeeps over a six-month period. It is a matter of time until hackers can cause even more damage and attempt to unlock a fleet of cars in one shot. As Kaspersky researchers showed, the black market is already showing an interest in connected car app credentials, including usernames and passwords, as well as PIN numbers and Vehicle Identification Numbers (VINs) for different makes and models of car. The going rate is hundreds of dollars per account.
Servers can be targeted and hacked into too, as was the case this past May when Renault-Nissan fell victim to the WannaCry ransomware attack, causing five of their plants to completely shut down operations for the duration of the attack.
Earlier this year, researchers from Kaspersky Labs were able to conduct a man-in-the-middle attack and hack into different connected-car Android apps to exploit security vulnerabilities that enabled them to locate a car, unlock it, and in some cases, even start its ignition. And although iOS is generally considered harder to hack, security researcher Samy Kamkar already showed how he could use a small piece of hardware hidden in a car to wirelessly intercept credentials from iOS apps like GM’s OnStar, Chrysler’s UConnect, Mercedes-Benz mbrace, and BMW’s Remote.
The stakes are too high to ignore
An attack on any of these levels in the fleet architecture can have devastating effects:
- Brand reputation: If the emissions scandal caused Volkswagen’s brand serious damage, just imagine the damage that can be caused if an entire car fleet gets hacked.
- Massive liabilities: From risking or taking lives of drivers and passengers to physical damage to people, cars, cargo, highways and cities, as well as the crippling disruption of operations and monetary losses.
The need for a fleet-level security solution
An effective security solution for car fleets needs to go beyond focusing only on the car to analyze the complete picture of the fleet. It needs to be able to capture and understand the data from all the levels of the fleet architecture – car, driver, app and server – as well as get the context of the events to detect anomalies in the fleet-level behavior.
Upstream is the first cloud-based solution for securing connected and autonomous fleets – both OEMs and after-market fleets. Upstream’s solution encompasses cyber security protection, fraud detection and vehicle and driver insights analytics. The 100% non-intrusive solution enables seamless integration.
Learn more about Upstream’s solution: