Cybersecurity Insight

Hacks on Third Party Applications Pose Hazard to Long-Haul Vehicles

11 Mar

Previous posts have addressed the security issues surrounding vehicles, third party applications and IoT – specifically, what barriers are in place to stop hackers from not only stealing data from your car, or even taking complete control over your vehicle and put you and your passengers in harm’s way? Newer vehicles are coming direct from factories with all the bells and whistles drivers need to stay constantly connected. Essentially morphing into driving hotspots through third party applications, plenty of white hat hackers have proven that these tools are not secure and automakers need to take immediate control of the situation. Now it is starting to become a very real issue facing truck drivers and emergency vehicle personnel; somehow a large 18-wheeler barreling down the highway seems slightly more intimidating than a Prius…

Sarcasm aside, Wired Magazine broke the story after hearing about the data collected by Spanish security researcher and EyeOS CTO Jose Carlos Norte.  By scanning for third party applications called “telematics gateway units” or TGUs (small radio-enabled devices that track location, gas mileage and other data) on long-haul vehicles and narrowing down to those that aren’t password protected, Norte could have easily interfered with everything from the steering to speed controls. Thinking about it in smaller terms, imagine the vehicles that come equipped with autonomous parking capabilities – or, taking it a step further, Google’s self-driving car. Now, imagine if a hacker was able to break into that vehicle’s system. How is the driver and their data protected?

Unfortunately automakers are balking when it comes to taking the blame for this security inconsistency with regard to third-party applications installed in their vehicles. At this year’s RSA Conference, studies were released that showcased a resounding sentiment from those polled – though a separate company may have created the third-party applications installed in cars across the country and around the world, the carmakers should be held accountable if a breach were to occur. Another troubling tidbit? Surveyed carmakers, including Fiat-Chrysler, estimated that it would take 1 – 3 years for their technology to catch up with the growing cyber security protection demand for their vehicles. Consider this a major case of the automobile manufacturer’s wanting to run before they’ve even learned to walk.

Currently there are a lot of third party applications on the market, and more will be released without much thought to the cyber security issues at hand. For example, Zubie is an external piece of hardware that, when attached to your car, can store your car’s diagnostic data. Not a huge deal, but it’s taken a step further – this same device can turn your car into a rolling hotspot provided you’ve signed up with an LTE carrier. One day they even hope to be able to send your car’s information to the repair shop of your choice so they can alert you about necessary testing before you’re even aware it needs to happen! Helpful? Sure. Unsettling that nothing is mentioned about their cyber security measures to protect this data? Absolutely.

What can be done? Until carmakers and third party application developers are able to work together on cohesive cyber security tactics for their vehicles, it is very much an unknown. While being diligent about what data goes over both secured and unsecured connections is always a must, consumers may be holding their breath until the other shoe drops in this cyber security situation.