How to protect connected vehicle fleets

Nov. 16, 2020
As the number of connected cars on the road continues to grow, so do the cyber threats against them

Ever since the now-infamous moment, back in 2015, when hackers managed to get into the control systems of a Jeep while it was driving on the highway, network engineers and autonomous vehicle manufacturers alike have had to worry about the security of connected vehicles.

For those of us responsible for the security of large corporate fleets of connected vehicles, the stakes are even higher. Many of the key technologies used in mitigating vehicle attacks scale poorly, and this can make large-scale deployment of them difficult. Face and vehicle recognition software, for instance, is useful for small fleets, but the computational requirements of these systems make their application to larger firms very costly.

In this article, we’ll take a look at what kind of threats corporate fleets of connected vehicles face, the challenges these present, and how you can secure your own fleet.

The Rise of Vehicle Hacking

Up until quite recently, hacks of connected vehicles were regarded as a theoretical danger. Since most vehicles relied on custom, OEM-produced hardware and software to provide connectivity, it was felt that the obscurity of these systems protected them from the most common data security risks.

If this was ever the case, it isn't any longer. Connected cars are becoming something of a victim of their own success – with so many manufacturers wanting to offer connectivity in their vehicles, many have contracted out hardware and software solutions rather than develop them in-house. These off-the-shelf systems have become a major target for attack.

You don’t have to look far for examples of this. In 2016, a pair of hackers in Houston, Texas, stole more than 30 Jeeps over a six-month period by exploiting a vulnerability in the way that their locking mechanism authenticated users. Manufacturers themselves are also falling victim to attacks, as in the incident earlier this year in which Renault-Nissan was hit by a WannaCry ransomware attack, causing five of its plants to completely shut down operations for the duration of the attack.

By far the most common attack vector, however, is to exploit the connection between smartphone apps and connected cars. These apps might do nothing more than offer users a way to communicate with the car's systems or control ICE, but many consumer communication apps still lack proper security measures, and can potentially allow hackers to gain control of critical car control systems.

The Challenges

For those of us trying to protect entire fleets of connected vehicles, there are two further problems to deal with: the scale and diversity of these attacks.

The first issue – that of scale – is illustrated well in Upstream Auto’s 2020 CES presentation. In this talk, the auto security firm gives some crucial – but worrying – stats: 55% of trucks in North America and 43% of trucks in Europe will be connected by 2025, the three top-selling manufacturers in the U.S. will sell only connected vehicles by 2020, and 775 million vehicles will be connected by 2023, rising from 330 million in 2018. Combined, this means that most corporate fleets will consist mostly of connected cars within the next few years.

The second issue is one of diversity. The reality today, as Upstream Auto has also pointed out, is that not only has there been rapid growth in cybersecurity attacks (increasing 605% from 2016 to 2019), but there is also no one predictable attack objective: attacks can focus on car thefts and break-ins (31%), control over car systems (27%), or data and privacy breaches (23%).

This last type of attack – in which hackers seek to use connected cars to steal sensitive personal information – is rising most quickly, not least because many cybersecurity engineers have overlooked the fact that though in-car data collection and storage systems – including video storage – have been around for years, these systems have never been well-protected.

In fact, in many ways, the security of connected cars has been reduced in recent years. This is due to the fact that many car manufacturers are now moving toward continuous delivery models for their software. Though there are differences between continuous integration (CI) and continuous delivery (CD), both allow manufacturers to deliver software products faster to consumers by ensuring their operations are painless to manage, with no downtime during deployments that are detectable to the end-user. However, without a rigorous DevSecOps process in place, CI and CD can lead to vulnerabilities being introduced into connected car systems.

Protecting Your Fleet

If you are charged with protecting a fleet of vehicles against these kinds of attacks, you may feel pretty powerless. You are unlikely to have control over the hardware that manufacturers chose to build into their vehicles, after all, or the frequency with which they push out security patches.

There are some steps you can take, though. First, assess which parts of your infrastructure you do have control over, and which integrate with your connected vehicles. Various studies and statistics on cyber attacks indicate that in the majority of cases, the major cost of hacks is not the data you lose, but the reputational damage that a well-publicized attack can cause.

For this reason, make sure that you are practicing responsible data retention with all the systems that connect to your vehicle fleet, from your cloud-native application management suite to the system that stores the authentication details of your employees.

The Bottom Line

Ultimately, it is only through taking this kind of holistic approach that you will be able to protect your fleet. Connected cars are designed, after all, to integrate seamlessly into the rest of your digital infrastructure, but too often it is precisely this integration that can make them a source of vulnerability. 

In other words, connected car security today involves far more than just advanced anti-theft devices. It requires you to look at the entire ecosystem in which your connected vehicles function, and ensure that every time data are shared, they are protected. 

About the Author:

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. Currently working as part-time cybersecurity coordinator at AssignYourWriter.