The automotive industry has transformed itself in recent years and is on the verge of an even greater leap into the future. In the new world of connected cars, information is key, and cars generate terabytes of it. Every day. In this post, we will discuss how information is sent, to whom, and what are the risks entailed in moving to the new age of connected cars and what you should do to protect your connected fleet from them.
Telematics- the source of the data
Connected vehicles collect information about every possible detail in the vehicle’s life, from the steering wheel’s position to fuel consumption and exact pressure applied on the breaks. This data has the potential of transforming the way we use cars today, driver safety and improve drastically elements like fleet management and maintenance. The gathered information is constantly communicated back to telematics and application backend servers.
Connected cars transmit data to backend servers, belonging to different entities. The first are servers belonging to the OEM of the vehicle itself, which collect performance data and can remotely distribute OTA (Over the Air) software updates if needed. Other servers belong to after-market companies such as insurance companies, which use the data to determine the driver’s driving score to provide an adapted insurance policy, or other types of fleets such as mobility service providers, commercial fleets, car rental and leasing companies and more, aiming to generate meaningful insights from the collected information to manage the fleet better. These servers rely on different telematics units installed in the vehicle, usually through the OBD port, but provide the same data access and capabilities. Enterprises with large connected fleets might also install an independent telematics unit (TCU) for their own maintenance and policy enforcement.
Not only passive – the full potential
Contrary to common belief, telematics and applications servers don’t only collect data about the vehicle’s activity, but can also send them certain commands, which can have a frightening effect in the wrong hands. These commands include remotely igniting the engine or turning it off, locking and unlocking doors and many others. As one can assume, car thieves would be thrilled by the idea of effortlessly opening car doors and igniting their engines. This is not a lone example of the grave consequences telematic and application servers might have on the fleet’s security. When looking closely, there seem to be endless possibilities to exploit them for a wide range of purposes. And some have already begun to look.
As Elon Musk said himself, the most frightening cyber-attack today is a fleet-wide hack of connected vehicles. Musk astutely identified fleet-wide hacks as not only dangerous but as entirely possible. While he is doing his best to ensure Tesla cars are protected, his insight should concern any connected fleet operator.
“one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack” Elon Musk
From theory to practice – connected fleets are being hacked, today
As several security researchers have already demonstrated, connected cars can be hacked and controlled, threatening the life of their drivers and passengers. If a fleet-wide hack is achieved, this effect will be tenfold, to say the least. Unfortunately, fleet hacks did not remain in the research labs. In August 2016, two car thieves were able to reprogram over 30 Jeeps to accept a generic key, which allowed them to steal them without even breaking a window.
Recent hacks of car manufacturers, including Renault, Nissan, and Honda prove just how feasible it is to use them as the entry point to your vehicle. While in this case, the perpetrators only infected the companies with the WannaCry ransomware, which in itself was bad enough and forced Honda to shut down its operation, the full potential of such a hack is much worse. One just needs to imagine what would happen if all cars manufactured by a certain OEM were simultaneously pawned, with catastrophic consequences.
What’s missing in my current protection?
As Elon Musk mentioned, connected cars are basically “laptops on wheels”, which means they should be treated as such for security purposes as well. Just like any corporate network has both an Anti-Virus solution, responsible for protecting the single computer from infections, and a firewall guarding the whole network on the gateway, so should cars. Today, most of the focus in the automotive industry is on in-vehicle security solutions, which are crucial, but cannot stand on their own, and must be accompanied by a comprehensive fleet level protection for the telematics and application backend servers.
While data centers already have many security protections, none are equipped to deal with the unique challenge posed by the automotive world. Similar to critical infrastructure systems, telematics protocols are proprietary protocols and do not share a common standard. Since some fleets, and especially the large ones use more than one telematics service, the same network can incorporate multiple telematics protocols, making the challenge for protectors even bigger. Common security solutions are not capable of analyzing these distinct protocols and determine whether a malicious activity is taking place. To rephrase Musk’s description: “connected cars are critical infrastructure on wheels”.