Protecting Cars, Trucks and Commercial Vehicles br>from Hacking – an Overview
Whereas there is no silver bullet that can protect against all possible cyber attacks, the industry should adopt a wide variety of processes and products in order to make the world a safer place.
If a physical device is connected to the internet, it can be targeted with a cyber attack. Thus, with tens of millions of connected cars on the road today – and hundreds of millions of them expected to be by 2020 – threats to the safety and privacy of motorists, passengers, bystanders and private as well as corporate property already exist and are set to grow substantially.
While connectivity can be (and already is being) used to make us safer, more productive and entertained while in transit, it creates an attack surface through which to access the vehicle’s delicate controller area network (CAN) bus. Once inside, hackers may be able to send commands to the vehicle from a remote location in order to, inter alia, steal private and corporate data, track individual vehicles or entire fleets and hijack non-safety and safety-critical functions – imagine losing the ability to steer or brake while speeding down a highway!
Looking forward, by 2020, virtually all manufactured vehicles will come with embedded, tethered or smartphone mirroring connectivity. Already in the first quarter of 2016, cars accounted for one-third of all new cellular devices. No longer a pipe dream of futurists, car connectivity has pervaded the automotive industry and recent whitehat hacks of both private cars and commercial vehicles prove the ever-present danger.
Luckily, customer safety and satisfaction are the foremost concerns for automakers. As such, like a baby fresh out of the womb, connected cars will get constant oversight and protection too. Original Equipment Manufacturers (OEMs), Tier 1s, regulatory bodies, insurance companies, technology companies, telecommunications providers and organizations affected by the new attack landscape are all working to strengthen the industry’s cybersecurity posture.
Due to the dynamic and developing threat environment, the stakeholders are taking a multitude of approaches. For example, the aforementioned entities are collaborating in groups such as the newly formed Auto-ISAC, which recently published a best practices guideline for cyber security on wheels and amongst themselves to integrate cyber security into the entire vehicle lifecycle – from concept through production, servicing and decommission.
National governments have also taken note of the emerging public safety implications of vehicle connectivity which has led to bills such as the 2015 Spy Car Act, proposed by Senators Markey and Blumenthal, as well as the Security and Privacy in Your Car Study Act of 2017. Relevant government agencies have also produced reports such as the Cyber Security and Resilience of Smart Cars by the European Union Agency for Network and Information Security (ENISA) and the US National Highway Traffic Safety Administration’s (NHTSA) Federal Guidance for improving Motor Vehicle Cybersecurity and NHTSA and Vehicle Cybersecurity.
In 2013, heavy duty trucks and commercial vehicles transported over $11.5 trillion of goods in the US alone. A pillar of the American and world economies, the trucking industry is powered by connectivity technologies that improve fleet efficiencies, streamline deliveries, reduce down time, fuel costs and more. These technologies also hold the promise of pushing profit margins through new innovative functions such as platooning, accident avoidance, preventative maintenance and lowering driver turnover rates.
Although critical to the competitiveness of trucking and commercial fleet operators, connectivity makes these vehicles and their operators lucrative targets for hackers naturally motivated by the money. But money isn’t the only factor influencing the appeal of cyber attacks on trucks – the common communication standard, J1939, in widespread use amongst trucks and many other commercial vehicles, makes it possible for cyber criminals to craft “one size fits all” attacks that are instantly scalable. This puts fleets responsible for trillions of dollars of goods at risk as the financial incentive is clear and developing attacks is actually easier than in consumer cars.
Moreover, in the same way consumers expect advanced services powered by connectivity without having to give up safety or privacy, fleet operators need functions such as routing and remote diagnostics just to stay competitive; fuel, driver wages and maintenance costs account for approximately 62% of all trucking expenses. Connected truck technologies promise to reduce all three.
The benefits of truck connectivity are driven by the transfer of vast amounts of telematics data over the Internet through a component known as the telematics gateway unit (TGU). However, as the TGU communicates with the outside world, it exposes truckers and fleet operators to would be hackers. Researchers have even shown how to access and compromise personal and corporate information governing payroll, delivery schedules, the in-truck network and more.
As thousands of these truck TGUs can be found and accessed without any authentication on the public Internet, the industry should move swiftly to retrofit aging fleets devoid of any security apparatus and to bake cyber security into the entire development cycle and lifespan of future truck lines.
Watch: Consumer Reports explore car hacking
from inside a government test lab