The hackers watched the ship’s captain through dozens of vehicle cameras. They used the zero-day exploit in her car’s infotainment system to access applications on her personal phone, viewing her calendar and emails. The same exploit allowed them to access her government-issued cell phone as well and read through emails with sensitive unclassified information. From her assigned parking spot, closest to the ship, they observed the ship’s crew loading stores for an upcoming deployment in three days, and contractors working on the ship’s masts. That afternoon, the hackers gained access to the infotainment system of the government vehicle she drove to a meeting through malware uploaded to her cell phone from her car. Using the vehicle’s cameras, they obtained the vehicle information of the other attendees.
While the captain drove her daughter to karate, the hackers used vehicle location data from surrounding cars to determine she was approaching a stretch of heavy traffic. The hackers then entered commands that allowed them to take control of her car, disabling the braking system and causing the car to accelerate into traffic. Unable to stop, she crashed into the car ahead at 60 miles per hour.
The hackers severed the connection, knowing the ship would not get underway as scheduled, and began hacking into the vehicles of the other attendees of that day’s carrier strike group meeting.
Telematics, Interconnectivity, and Threat Vectors
Whether it be Tesla’s work to improve its autopilot or Google’s efforts at autonomous vehicles, sophisticated information technology within vehicles has become increasingly common. Automotive manufacturers increasingly rely on artificial intelligence, Wi-Fi, and a bevy of internal computers, prompting some to note that your car is likely the most advanced computer you own.
In 2017, the Government Services Administration (GSA) began requiring all government-owned and leased vehicles to install telematics to improve fleet management. According to the GSA, “Telematics is a field of information technology that combines telecommunications and informatics to send, receive, and store data connected with fleet vehicles.” The initiative intends to drive down costs by optimizing maintenance, driver behavior, fuel use, and other aspects. The GSA contracted exclusively with Geotab USA, which provides a “plug-and-play” device that connects to a vehicle’s On-Board Diagnostics II port.
Various cybersecurity professionals have noted the increasing number of vulnerabilities in new vehicles, including the use of after-market applications and the possibility of exploiting tire pressure monitoring systems, vehicles’ onboard Wi-Fi networks, and key fobs and digital keys. The entry of telematics companies provides an additional set of vulnerabilities, as malicious actors can potentially exploit the companies’ software and hardware. The increasing levels of technological interconnectivity provide new means for malicious actors to affect our lives. While much of this remains rather labor intensive and thus unlikely to be the focus of independent hackers, it remains a vulnerability that state actors could dedicate the resources to exploit.
Plugging in Your Vehicle and Unplugging Your Mind
As vehicles become increasingly connected and technology-dependent, they become sensors collecting various data points. And as users add additional technological features or integrate more technologies such as Apple CarPlay, those vehicles increase their data collection capabilities. The integration of phone apps into the vehicle’s infotainment system allows vast amounts of personal data to be collected and accessed by the carmaker, app maker, third parties, and whoever else that data is sold to or shared with.
Newer vehicles collect ever-increasing amounts of data, both about the vehicle itself (location, fuel status, etc.) and about the driver (acceleration, braking, etc.), and this data is increasingly being transmitted beyond the vehicle. Carmakers often tout the ability to use a cell phone to perform any number of functions, from locking or unlocking the doors and tracking vehicle location to starting the vehicle and driving it without keys. In addition, carmakers are looking at implementing digital keys with digital displays or outright eliminating the need for keys and syncing the car to your phone. These increasing digital connection points provide new vulnerabilities for malicious actors, including the ability to compromise a driver’s phone as an entry point to their vehicle’s computer systems.
Most people do not really understand the technologies that they use in cars. For example, most drivers assume their cars have one computer that operates everything, when in reality most new cars have about a half-dozen computers that generate more than 300 gigabytes of data per hour, five times as much as a base model iPhone 12 can store. Some of those same people who declare they will never drive a car with artificial intelligence will use the adaptive cruise control in their new car so they can have text message conversations using their phone’s digital assistant. Even users with a basic understanding of the technology are content to take the figurative backseat and allow the technology to drive.
Drivers generally prioritize convenience over security and most still believe vehicle hacking is a Hollywood gimmick, despite the Federal Bureau of Investigation warning otherwise. Thus, drivers will gladly sync their phones to their cars without considering how the data may be exploited. Most newer models enable carmakers to collect data from connected phones, and the privacy statements and user agreements do not provide any meaningful indication of how they intend to use that data, how that data is stored, and what notifications, if any, an individual would receive if their data was compromised.
Big Data: Oh, the Places You’ll Go
Data security is another complex facet of vehicle automation. The data companies such as Geotab collect may be secured through encryption and authentication, but that only addresses some of the ways the data could be accessed. As telematics companies look to expand their services and customer base, they are increasingly partnering with local and state governments to provide traffic data for city planning and infrastructure improvements. Unfortunately, state and local governments are prone to cyberattacks and intrusions because of their weak cybersecurity.
As noted by Forbes, Geotab provided telematics data to Las Vegas and Detroit to assist city planners, and it is likely this data remains on the cities’ servers. Malicious cyber actors could potentially target these servers and obtain the relevant data. State governments are potentially just as vulnerable, and the 2020 SolarWinds hack demonstrated even the federal government can be compromised. The Federal Acquisition Service, which manages motor vehicle fleet management programs—including the government’s contract with Geotab—was one of the agencies potentially affected by the SolarWinds hack.
Malicious actors could also target private industry partners. Eaton Transmission, which produces transmission systems for medium- and heavy-duty trucks, has partnered with Geotab to obtain data on how its transmissions perform in daily use. Adversaries looking for specific data sets could opt to identify less-secure commercial partners instead of hacking the telematics company. In addition, increasing automation could allow them to import malicious code through other vehicle systems or over-the-air updates to such systems.
For telematics companies, sales of aggregated user data to third-party companies provide another vulnerability for data management. Once the data leaves a company’s control, it becomes much harder to ensure its security. App companies have exploited the lax regulations around user data to profit from selling data, including aggregated data stripped of obvious identifiers, to other companies. This practice has garnered increased media attention recently, as data brokers repackage and resell data to companies, organizations, and individuals that neither the user nor the original app company would approve accessing that data.
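Whether stripping obvious identifiers actually anonymizes trip data is something a fleet manager or data-sharing reviewer can measure before a dataset leaves their control. The following Python script is an added example, not code from the article or from Geotab; it assumes a constructed set of telematics pings with integer coordinates in units of 1e-4 degree, and computes “unicity,” the fraction of drivers who are pinned down by some set of k coarse location/time points, at several grid resolutions.

```python
"""Pre-release unicity check for 'de-identified' vehicle trip data.

Added example (not from the article or from any telematics vendor). It
measures how many drivers in a dataset are uniquely identifiable from a
handful of coarse location/time points, the standard unicity measure used
in location-privacy research.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample of pings: (driver_id, lat_e4, lon_e4, hour_of_day).
# Coordinates are integers in units of 1e-4 degree (38.8700 N -> 388700),
# so coarsening is exact integer arithmetic with no floating-point surprises.
# The driver id exists only so the check can score itself; a released
# "de-identified" file would have dropped it.
TRIPS = [
    ("A", 388700, -769950, 7), ("A", 388770, -769930, 8), ("A", 388600, -770100, 17),
    ("B", 388705, -769952, 7), ("B", 388770, -769930, 8), ("B", 388900, -770300, 18),
    ("C", 391000, -771000, 6), ("C", 388770, -769930, 8), ("C", 388900, -770300, 18),
    ("D", 391000, -771000, 6), ("D", 388770, -769930, 8), ("D", 388600, -770100, 17),
    ("E", 391000, -771000, 6), ("E", 388770, -769930, 8), ("E", 388600, -770100, 17),
]


def coarsen(lat_e4, lon_e4, hour, cell_e4, hour_bucket):
    """Map one ping to a grid cell and time bucket.

    Floor division keeps negative longitudes consistent (no rounding toward zero).
    """
    return (lat_e4 // cell_e4, lon_e4 // cell_e4, hour // hour_bucket)


def build_traces(trips, cell_e4=100, hour_bucket=1):
    """Group coarse points per driver: {driver_id: {(cell_lat, cell_lon, bucket), ...}}."""
    traces = defaultdict(set)
    for driver, lat, lon, hour in trips:
        traces[driver].add(coarsen(lat, lon, hour, cell_e4, hour_bucket))
    return dict(traces)


def identified_by(trace, others, k):
    """True if some k-point subset of `trace` appears in no other driver's trace.

    A driver with fewer than k distinct points cannot be singled out this way.
    """
    for subset in combinations(sorted(trace), k):
        points = set(subset)
        if not any(points <= other for other in others):
            return True
    return False


def unicity(traces, k):
    """Fraction of drivers uniquely identifiable from k coarse points."""
    drivers = list(traces)
    hits = 0
    for driver in drivers:
        others = [traces[o] for o in drivers if o != driver]
        if identified_by(traces[driver], others, k):
            hits += 1
    return hits / len(drivers)


if __name__ == "__main__":
    # Resolutions to compare: raw 1e-4 degree pings, 0.01-degree cells, 10-degree cells.
    for cell, bucket, label in [(1, 1, "1e-4 deg, hourly"),
                                (100, 1, "0.01 deg, hourly"),
                                (100000, 24, "10 deg, daily")]:
        traces = build_traces(TRIPS, cell, bucket)
        print(f"{label:>18}: k=1 -> {unicity(traces, 1):.2f}, "
              f"k=2 -> {unicity(traces, 2):.2f}")
```

On the constructed sample, no single 0.01-degree/hourly point identifies anyone, yet two points single out three of the five drivers, and the raw pings single out two drivers from one point each; only coarsening to 10-degree cells and daily buckets drives unicity to zero, at which point the data is useless for traffic planning. The practical conclusion for anyone sharing fleet data is that dropping identifiers is not anonymization: aggregate to counts per cell and period before the data leaves, and run a check like this on whatever is actually released.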
Patterns of Life
Adversaries can determine patterns of life using car cameras, providing a surreptitious means for conducting target selection and pre-attack surveillance. Such surveillance can also be used to identify compromising information on potential intelligence sources. For example, adversaries could blackmail an intelligence analyst into providing classified material after observing the analyst having an extramarital affair, based on accessing vehicle location data and cameras, and cross-referencing against other publicly available information sources.
Organizationally, adversaries could also identify the patterns of life at facilities and bases. Significant increases in vehicular activity could be used to determine military actions, such as preparations for deployment. Accessing the location data for contractor vehicles could provide information about facility or ship maintenance and accessing those vehicles’ and government vehicles’ cameras could provide information about security procedures, details about various shipboard and land-based systems, and the purpose of specific structures.
The Fallacy of the Hermit Car-dom
The answer to all this might seem to be to unplug and operate off the grid. However, while that is a viable short-term option, it presents issues in the long term. In an increasingly interconnected world, those operating off the grid might become easier to identify and target. Thus, adversaries could potentially identify unconnected vehicles and targets faster than interconnected ones. For example, by monitoring highway traffic system cameras and detecting vehicles via their internet protocol addresses, malicious actors could identify both an unconnected vehicle and those interconnected vehicles operating in its vicinity, providing potential access to cameras to obtain further information, such as make, model, license plate, and driver description, which could then be compared to vehicle registration and licensing data gained through illicit means such as the dark web.
A Ride to Die For
So far, the main risks discussed have been those of data collection and exploitation. However, telematics and automotive technologies also provide another threat vector: sending signals to vehicles to operate differently than the driver intends. Malicious actors, having gained access to the vehicle’s control systems, could signal a car to accelerate when the driver is stepping on the brake, or make the vehicle think it is drifting out of a lane when it is not and cause the vehicle to turn.
These scenarios are frequently considered in terms of single-vehicle incidents. But it would be possible for malicious actors, having gained access to several vehicles operating in close proximity, to create multiple-vehicle crashes that close thoroughfares and major roadways. It might even be possible for a malicious actor to target a specific individual, either by compromising his or her vehicle, or using other vehicles to attack the individual’s car. Malicious actors might also be able to carry out misattributed terrorist attacks by using hacked vehicles to attack large groups of civilians. Imagine several police vehicles being hacked and ramming large groups of protestors during a march, and the ensuing social divide such a situation might cause. Even with overwhelming evidence of a malicious hacking, trust between the community and law enforcement could be significantly damaged.
Understanding the Risks
As with most new and emerging technologies, there exist few easy solutions. It is not feasible to prohibit personal vehicles on military installations, and it is unlikely the GSA will change course and remove telematics from government vehicles. Local commands could implement restrictive policies, such as prohibiting members from connecting their personal cell phones to a government vehicle’s infotainment system, but such policies would be difficult to enforce. As with many new technologies, it will likely take significant breaches and the potential loss of life for carmakers to view their vehicles’ cybersecurity as being as important as the capabilities they provide.
Until such time, or until legislation regulates such vulnerabilities, commands can only be vigilant in recognizing these vulnerabilities and taking prudent steps to mitigate such risks, to include regular security updates and patches. As such, commands need to empower and resource fleet managers appropriately to keep the government vehicle fleets operating safely and securely. Furthermore, the GSA should require a comprehensive cybersecurity audit of Geotab (or any future telematics company it contracts with) to identify and patch potential vulnerabilities. The GSA should also conduct thorough software forensic examinations of government vehicles involved in accidents to determine if malware contributed directly or indirectly. Without looking for these threats and vulnerabilities, members, commands, and fleet managers will continue to be exposed to the risks presented by increasing interconnectivity of the vehicles they drive every day.