“Talk to our TSP” is not gonna cut it – Fleets Need to Take Responsibility for Their Own Security

DAN SAHAR

VP of Products

October 6, 2018

One common misconception for fleets is that securing their connected vehicles is someone else’s responsibility. It’s true that with a connected vehicle attack, in many cases it’s not the cars themselves that experience the breach. There are many links in the chain that are susceptible to malicious behavior, from cellular networks and automotive clouds, to hardware and software such as infotainment devices or mobile apps.

However, when a thief enters your home, all the contents inside are under threat, regardless of whose bedroom window they crawled through to gain access. In the same way, once attackers have breached your network, your fleet is at risk, irrespective of how they got past your perimeter.

Learning from the Jeep Cherokee Hack

One of the most infamous connected car attacks is known as the Charlie Miller Jeep Cherokee attack, where hackers remotely killed a Jeep on a highway. The hackers exploited the car’s Uconnect system, created by Harman and installed to control navigation and entertainment. The system’s internet access was provided by mobile operator Sprint. Despite the attack coming via two other (broken) links in the connected vehicle chain, it was FCA (Fiat Chrysler Automobiles) who had to recall more than 1.4 million vehicles. They released a statement to say that “no defect had been found,” and yet no one remembers the incident as the Harman attack or the Sprint hack.

Forbes’ comment at the time was that connectivity is outpacing security in a way that needs urgent attention. There are “additional security exposures created when complex systems become increasingly linked. More connections mean more pathways and backdoors that could be exploited by a hacker. Designers need better tools to enable them to fully understand all of the ways that information will be able to move around a complex, dynamic, distributed system.”

Employing a Detection Mechanism

An event like the Charlie Miller attack doesn’t happen overnight; the hackers did their research. In fact, reports had shown that for six months before the car take-over, Charlie Miller’s team were testing and breaching different parts of the connected car ecosystem, all without FCA, Harman, or Sprint knowing a thing about it. The companies had no detection method employed, and no understanding or visibility into how the interconnected parts of their products were functioning, let alone how to recognize that something was wrong.

We live in a reality where industrial vehicles are capable of being hacked via the internet, and vulnerable after-market TSP devices are being widely used. As hacks get more complex, they continue to utilize common IoT gadgets like the mobile dongles that the majority of fleets use today to connect, and they involve an increasing number of links in the chain. In this case, it was an insurance company; in another, it might be businesses that make using mobile dongles for staff management compulsory. If security is going to catch up with connectivity, a single source of truth is long overdue.

No one needs this visibility more than the connected car fleets themselves. The weak links might be further up the connected car chain, in after-market TCUs or OBD dongles owned by TSPs, and responsibility might ultimately lie with another link in the chain altogether. Despite this, there is no way to keep your own vehicles safe without one dashboard that shows you every step in the connected car value chain. After all, the connected fleet is where the impact will hit the hardest: on the fleet’s own vehicles, drivers, and consumers.

The fall-out in the public eye and the effect on consumer trust cannot be overstated: customers are proven to lose faith in, and loyalty to, businesses that experience data hacks. You can imagine how this is amplified when personal safety is at risk as well as identity. Throw into the mix the fact that this is a widely under-regulated industry, making it difficult to tell where the fault will be placed legally and financially for security breaches and data hacks.

In other words, it’s time to think again about passing on the responsibility to someone else.

Keeping Visibility Front and Center

The power is in your hands as a connected fleet: you can have your TSP provide you with the data that your fleet is generating. It’s as simple as forwarding them an API, allowing your data to be sent to you in real-time. As a fleet, you can then use Upstream Security to see your own data, as well as an analysis of all the interconnected parts of the chain, with real-time alerts on any anomalies. Regardless of what the TSPs, cloud companies and cellular providers are doing, it’s time to take control of your own ecosystem.
