Security Breaches in IoT Enabled Vehicles a Cause for Growing Concern

How smart is a smart device? Unfortunately, not always as clever as a hacker trying to use it to capture valuable data.

In 2017, Darktrace, a cyber artificial intelligence (AI) firm providing advanced security monitoring, released a report highlighting an attack that exposed critical data of high rollers at an undisclosed casino. One can only imagine how many safeguards were put in place to protect that information. Regardless, the hackers found a unique way to gain access: through a smart thermometer in a fish tank.

The thermometer was designed to communicate data such as the temperature of the tank’s water and cleanliness. After tapping into the sensors, however, the hackers were able to use that open door to access and send out confidential data to a device in Finland.

“The attackers used that to get a foothold in the network,” Nicole Eagen, CEO of Darktrace explained at an event in London that year. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”

Turning the clock back on the Internet of Things

The term IoT (Internet of Things) was first coined 20 years ago. It combines internet and cloud technology with system networking technology, including sensors which gather data, and hubs that transmit that data.

While there was much enthusiasm surrounding devices that could connect to the internet and share data, skeptics were convinced the concept was doomed to fail. Despite the naysayers, IoT continues its march across our technologically-charged world. Unfortunately, consumers are often lulled into the assumption that easier user access equates to stringent security.

While the fish tank hack job is possibly a unique example, the threat isn’t confined to devices. In fact, hackers have taken their show on the road, so to speak, using their nefarious skills to tap into vehicles. At best, this could mean data is captured. At worst, it could lead to fatalities on the road if a vehicle is remotely highjacked.

IoT security and personal vehicles

Imagine driving down the road at 70 mph just outside a large city. Suddenly, the Jeep you are driving blasts cold air from its vents, and your climate-controlled seat follows suit. Then, your wipers randomly turn on and wiper fluid starts squirting on your windshield. Despite your frantic attempts to accelerate, your car starts to slow down to a crawl.

This happened to Andy Greenberg in a 2015 experiment.

Fortunately, these hackers were the ‘good guys’: Charlie Miller, a Twitter security researcher, and Chris Valesek, Director of Vehicle Security Research for IOActive. Their research has uncovered significant vulnerabilities in connected cars. Ten miles away from Greenberg’s Jeep, the two proved they could hack into a vehicle. They have been able to:

• Disable brakes
• Engage the horn
• Pull on seatbelts
• Project images on the dashboard’s display
• Influence the transmission
• Change music
• Kill engine function at low speeds

How did this happen? For Miller and Valesek, the point of entry was via Uconnect, a telematics system that taps into the internet to connect phones, entertainment systems, and navigation. Once the entertainment system’s hardware was accessed, they were able to recode the firmware to transmit messages to the rest of the car’s computer network.

Uconnect is found in many different makes, including Jeep, Chrysler, Dodge, FIAT, and Ram. However, it is only one of many other telematics systems in vehicles, such as GM OnStar, Toyota Safety Connect, Hyundai Bluelink, and Infinity Connection. Consequently, there is no one patch to safeguard against hackers.

Another potential entry is through the Controller Area Network, also known as CAN bus. This allows communication between the sensors and the ECUs, or electric control units. There can be up to 70 ECUs on a vehicle, including:

• Airbags
• Engine control units
• Powertrain control units
• Transmission control units

These ECUs are often upgradable through their firmware. As Miller and Valesek were able to prove, firmware can be changed remotely.

Security vulnerabilities can impact commercial vehicles

Consider the technology of today’s average car. Business Insider suggested that in 2021, there will be 94 million cars shipped, with 84% of those vehicles equipped with IoT technology. Furthermore, while there were 36 million connected cars on the road a few years ago, by 2020, there will be an estimated 381 million connected vehicles.

Passenger vehicles are one thing, but imagine if a trucking fleet were hacked. Consider the world that Stephen King conjured in his short story, “Trucks”, which was turned into horror movie Maximum Overdrive in 1986. What would happen if a fleet of commercial trucks suddenly ‘came alive’ like the homicidal vehicles in the movie?

Sometimes, fiction is mere steps away from fact.

In 2016, the University of Michigan’s cybersecurity research team reported that they were able to hack two large vehicles: a 2001 school bus and a 2006 class 8 semi-trailer. On a commercial vehicle, the standard for networking and communication is called SAE J1939.

“We find that an adversary with network access can control safety-critical systems of heavy vehicles using the SAE J1939 protocol,” the researchers wrote.

Business research and consulting firm Frost & Sullivan has been monitoring the developments of security threats in commercial vehicles. The firm has pointed out another temptation for hacking into fleet vehicles.

“Commercial vehicles carrying high-value goods prove more lucrative in the eyes of hackers in comparison to hacking a passenger vehicle,” Sathya Kabirdas, research director for Frost & Sullivan stated. “There is an elevated risk for cybersecurity attacks in case of industrial equipment, hi-tech electronics, and pharmaceuticals which can be valued from a few hundred to several million euros.”

The Bureau of Transportation Statistics outlines five major transportation modes to move commodities—truck, pipeline, vessel, air, and rail—with trucking being responsible for 60.2% of all freight. In the US alone, trucking moved 10.77 billion tons of freight.

Measures being taken to address potential security breaches

“I Am The Calvary” is an organization that looks at issues surrounding computer security, public safety, and human life. In an open letter to the automobile industry, they outlined a Five-Star Automotive Safety Program:

1. Safety by design. This measure calls for additional safety through design, development, and testing.
2. Third–party collaboration. Encouraging collaboration between the automotive industry and security researchers through coordinated exchanges and events such as hackathons, and incenting researchers (such as Miller and Valesek in their Jeep experiment) to look for vulnerabilities.
3. Evidence capture. This includes thorough safety investigations to uncover design defects, malfunctions, or intended attacks.
4. Security updates. As breaches are uncovered and disclosed, it is critical to quickly implement ‘patches’ to update those problems.
5. Segmentation and isolation. If there is a breach, systems should operate to quarantine that area so hackers cannot do further harm.

Grass-roots organizations aren’t the only ones tackling the security issues. The National Highway Traffic Safety Administration (NHTSA) developed a document on vehicle cybersecurity. As early as 2016, they generated several projects in conjunction with vehicular security measures, including research on:

• Anomaly-based intrusion detection systems
• Cybersecurity for large, or heavy, vehicles
• Firmware updates
• Reference parser development for V2V (vehicle-to-vehicle) communication
• V2V and vehicle-to-infrastructure communication
• On-premises research at the VRTC (Vehicle Research and Test Center)

Lawmakers are also debating legislation introduced in 2019 to tighten up cybersecurity. Some has already been signed into law. For example, the proposed Cyber Diplomacy Act would encourage government agencies to adhere to proper behavior in cyberspace. Also proposed is an amendment to the California Privacy Act to employ stricter security measures.

In fact, as recently as June 27, 2019, the US Senate passed a bipartisan cybersecurity bill. While it addresses potential attacks on the energy grid, lawmakers are actively addressing the need to tighten up measures with cybersecurity.

As Maine’s Independent Senator Angus King stated: “As our world grows more and more connected, we have before us both new opportunities and new threats. Our connectivity is a strength that, if left unprotected, can be exploited as a weakness.”

Vehicle hacking is not limited to on-the-road vulnerabilities

When considering vehicular threats, it’s important to note that security vulnerabilities of personal, commercial, or trucking fleets are not limited to what is onboard. There are other ways to collect data on vehicles through malicious means.

Consider, for example, telematics businesses which combine GPS technology with advanced sensors to track items such as speed, idling time, and breaking and turning habits. With dynamic billing capturing a fixed expenditure, such as a device, as well as usage, like the different data that is measured, telematics businesses can easily bill for changing invoices on a recurring basis.

However, information such as customer and credit card data can be vulnerable to security breaches. To address this, businesses should employ a recurring billing platform that is PCI Level 1 compliant.

What is PCI compliancy? The Payment Card Industry Security Standards Council (PCI SSC) established a set of rules to protect credit card data. Within those rules are four levels of compliancy, as outlined by the number of annual transactions.

PCI Level 1 compliant platforms like Stax Bill can handle over 6 million transactions on an annual basis. With the stringent requirements of a subscription management platform, businesses can trust a PCI Level 1 software provider. Compliance provides confidence that the payment information being collected is protected.

Whether it’s an attempted attack on your payment platform or a breach via your vehicle’s entertainment system, security threats are not going to subside.

If anything, they will continue to grow and become more sophisticated, continually aiming to circumnavigate security measures. Businesses of all sizes face risks and obligations of due diligence.

Security breaches can be damaging, expensive and could even close a business down. Every business that deals with IoT-enabled vehicles needs to stay informed about, prepare for, and actively manage these risks.