Cyber Security and the Connected Car – Part 1
As you approach your car, the doors unlock without you ever removing the keys from your pocket. You have a seat; push a button, and the engine fires up. The bright screen of your infotainment system welcomes you. It’s 5:15pm on a Tuesday. Your car knows where you’re going. “13 minutes to home. Take Main St.” pops up on your navigation display. You pause for a minute, deciding whether you want to stream that new song you downloaded from iTunes, or make a quick call. You decide on the later. You push a button on the steering wheel and say aloud “call home”. Your phone never left your pocket. After speaking with your spouse, you’re in the mood for some tunes. Another button. “Play music”, you say. Music fills the cabin. Your phone still securely in your pocket. After you arrive home, you realize you forgot to lock your car doors. You take out your phone, fire up an app, and a few taps later, you’ve locked your doors remotely from the comfort of your living room.
From Bluetooth to OnStar, 4G LTE to Apple Car Play & Android Auto, today’s cars are being jam-packed with features aimed at keeping on-the-move drivers in touch with the outside world. Long gone are the days of uninterrupted windshield time. Today’s drivers demand to be connected to their lives beyond the vehicle, and manufacturers are delivering.
But the advent of any transformative technology brings with it associated challenges and risks. According to industry experts, cyber security is poised to be one of the industry’s toughest challenges over the next decade.
In 2014, over half of the vehicles sold in the United States were connected, thus vulnerable to cyber attacks. And within the next 5 years, there are expected to be over a quarter of a billion connected vehicles on the road globally. This provides plenty of targets for hackers, terrorists, and other nefarious actors.
While malicious cyber-attacks have yet to materialize, researchers have been able to demonstrate the possibilities. In 2013, White-hat hackers were able to take control of both a Ford Explorer, and a Toyota Prius, disabling the brakes, honking the horn, jerking the seat belt, and commandeering the steering wheel.
In 2015, researchers were able to remotely hijack a Jeep’s digital systems over the internet. This allowed them to adjust the climate control, command the infotainment system, and even cut the transmission, thus rendering the accelerator useless. Their exhibition resulted in Chrysler recalling 1.4 million vehicles.
And at the 2016 Black Hat Security Conference, famed car hackers Chris Valasek and Charlie Miller demonstrated their ability to remotely take control of a Jeep’s braking system, turn the vehicle, and even render the vehicle’s power steering inoperable.
But just because a car is capable of being manipulated doesn’t mean there are any significant business concerns, does it?
Fleets Make For Ripe Targets
Up until now, we’ve been discussing examples of vulnerabilities that can be exploited to manipulate the actual function of a vehicle. However, maybe just as concerning, especially for fleets, would be the potential for nefarious actors to infiltrate your cyber security and access information.
Connected vehicles are full of data which, in the wrong hands, could have dire consequences for a business. Imagine the impact a breach of proprietary information stored on any telematics system that a vehicle is connected to, or any device that’s paired via Bluetooth, could have. Imagine a hacker being able to eavesdrop on any conversation that’s routed through a vehicle’s speakers. Imagine competitors getting a hold of the exact location (and previous locations) of every connected vehicle in a fleet.
Think about all of the information contained on a single salesperson’s phone. Trade secrets, client and prospect lists, CRM system information, pricing information, confidential conversations, etc. All of this data could be breached and held for ransom, or worse divulged to a company’s competition.
Above and beyond the consequences to business operations, the potential liability to a company in the event of a breach of personal information can be massive. In 2016, Home Depot agreed to a $19.5 million settlement over a 2014 data breach. Earlier this year, Target decided to settle for $18.5 million as a result of their 2013 breach. And just this month, Anthem Inc. agreed to pay a record $115 million to settle litigation over their 2015 data breach.
While those are very large corporations, for most companies, a hit even a fraction of that size could be disastrous.
So with all of this potential risk, what can a fleet do to protect themselves?