The black market is increasingly interested in connected vehicle app credentials, such as usernames and passwords, PIN numbers, and Vehicle Identification Numbers (VINs) for various makes and models of vehicles, according to Kaspersky. The rate per account is in the hundreds of dollars. Servers can also be targeted and compromised, as happened in May when Renault-Nissan was hit by the WannaCry ransomware assault, which forced five of its factories to shut down entirely for the length of the attack.

At Cyber Polygon 2020, WEF Founder Klaus Schwab warned about a “cyber pandemic” that could bring the power supply, transportation, hospital services, and our society as a whole to a complete halt. “A single day without the internet would cost our economies more than $50 billion, and that’s before considering economic and societal damages should these devices be linked to essential services, such as transports or healthcare,” he added. Speaking at a National Governors Association meeting, Elon Musk also remarked that “one of the major concerns for autonomous vehicles is someone accomplishing a fleet-wide hack.”

The vulnerable components of a vehicle fleet's architecture include command-and-control servers, over-the-air (OTA) servers, and the vehicles themselves. Command-and-control telematics servers hold control over vehicle functions such as starting/stopping the engine and locking/unlocking the doors, and that control can be abused. The OTA servers may be used to disseminate malicious firmware upgrades across a whole fleet of vehicles. Vehicles may be used to gain complete access to other vehicles as well as servers. Each component of this design may be exploited as a hacking vector for the whole fleet.

These threats have already materialized as attacks at several levels. Researchers from Kaspersky Labs were able to perform a man-in-the-middle attack and hack into several connected-vehicle Android applications, exploiting security weaknesses that allowed them to locate a vehicle, unlock it, and, in some circumstances, start its ignition. Security researcher Samy Kamkar demonstrated wireless interception of credentials from iOS apps like GM’s OnStar, Chrysler’s UConnect, Mercedes-Benz mbrace, and BMW’s Remote using a small piece of hardware hidden in a vehicle. Any of these layers in the fleet architecture can be attacked, and the results can be devastating: from endangering or killing drivers and passengers, to causing physical harm to people, vehicles, cargo, highways, and cities, to crippling operational disruptions and financial losses.

An effective security solution for vehicle fleets must look at the entire picture of the fleet rather than just the vehicle. It must be able to collect and comprehend data from all levels of the fleet architecture – vehicle, driver, app, and server – as well as understand the context of events in order to detect anomalies in fleet behavior.
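
The cross-layer correlation described above, as an added example (not code from the article or from any product): it joins app, server, vehicle, and driver events and flags actions that lack the expected context from another layer. The event schema, thresholds, finding names, and sample data are all constructed assumptions.

```python
from collections import defaultdict
# Constructed sample events (not real telemetry): (epoch seconds, layer, vin, account, event)
EVENTS = [
    (100, "app",     "VIN-A", "alice", "login"),
    (130, "server",  "VIN-A", "alice", "unlock"),
    (131, "vehicle", "VIN-A", None,    "doors_unlocked"),
    (135, "driver",  "VIN-A", None,    "key_present"),
    (500, "server",  "VIN-B", "bob",   "engine_start"),    # no app login by bob
    (501, "vehicle", "VIN-B", None,    "engine_started"),
    (900, "vehicle", "VIN-C", None,    "doors_unlocked"),  # no command, no key
    (1000, "app",    "VIN-D", "ops",   "login"),
    (1001, "server", "VIN-D", "ops",   "unlock"),
    (1002, "server", "VIN-E", "ops",   "unlock"),
    (1003, "server", "VIN-F", "ops",   "unlock"),
]
WINDOW = 60      # seconds in which events count as related (assumed threshold)
BURST_VINS = 3   # distinct VINs commanded by one account per window (assumed)
COMMANDS = {"unlock", "engine_start"}
ACTIONS = {"doors_unlocked", "engine_started"}

def detect(events):
    """Return sorted (timestamp, vin, finding) tuples from cross-layer correlation."""
    events = sorted(events, key=lambda e: e[0])
    logins = defaultdict(list)    # account -> app login times
    explains = defaultdict(list)  # vin -> times of server commands or key presence
    cmds = defaultdict(list)      # account -> [(time, vin)] of server commands
    for ts, layer, vin, acct, ev in events:
        if layer == "app" and ev == "login":
            logins[acct].append(ts)
        elif layer == "server" and ev in COMMANDS:
            cmds[acct].append((ts, vin))
            explains[vin].append(ts)
        elif layer == "driver" and ev == "key_present":
            explains[vin].append(ts)
    findings = set()
    for ts, layer, vin, acct, ev in events:
        if layer == "server" and ev in COMMANDS:
            if not any(0 <= ts - t <= WINDOW for t in logins[acct]):
                findings.add((ts, vin, "command_without_app_session"))
            recent = {v for t, v in cmds[acct] if 0 <= ts - t <= WINDOW}
            if len(recent) >= BURST_VINS:
                findings.add((ts, vin, "fleet_burst_from_one_account"))
        elif layer == "vehicle" and ev in ACTIONS:
            if not any(abs(ts - t) <= WINDOW for t in explains[vin]):
                findings.add((ts, vin, "vehicle_action_unexplained"))
    return sorted(findings)
if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

No single event here is suspicious on its own; each finding only appears once the vehicle, app, server, and driver layers are read together.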

Written by Nishat Mowla