According to the National Highway Traffic Safety Administration (NHTSA), hackers may be able to access a vehicle’s systems via a phone or tablet connected to the vehicle by USB or Bluetooth. The vehicle’s diagnostic port is another access point.
But a vehicle’s biggest vulnerability may be behind the wheel. According to a November 2016 blog post published by Promon (see https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/), a Norwegian firm that specializes in app hardening, the company’s researchers demonstrated just how easy it is to trick a Tesla driver into giving a hacker access to the car’s systems. Tesla, like many vehicle manufacturers, offers a remote app that allows the driver to unlock the vehicle. During the experiment, Promon employees:
• Created a free Wi-Fi hotspot.
• Developed an ad for Tesla drivers that offered a free hamburger at a local restaurant if the driver downloaded a particular app.
• Used the app to gain access to the Tesla driver’s username and password.
• Located the car and used the Tesla app – and the previously captured username and password – to access the vehicle.
• Drove away in the Tesla.
Get Ahead of the Curve
When UFP spoke with Matt Gilliland, director of transportation and facilities for Nebraska Public Power District, he indicated that cybersecurity in vehicles was not historically a fleet management “care about,” but change is definitely on the horizon.
“The connectivity of our fleet is very limited,” he said, before noting that NPPD uses telematics and GPS intelligence, and that the fleet contains a limited number of new vehicles with Bluetooth capabilities. All of those are potential entry points for hackers and cyberattacks. In 2016, 3.6 million vehicles were recalled to fix cybersecurity issues, double the number recalled in 2015, according to the NHTSA. And that is before vehicle-to-vehicle and vehicle-to-infrastructure connectivity has really taken off.
“Technology grows and advances so fast that a lot of utilities and fleets are going to find themselves behind the curve,” Gilliland said. “I think it’s going to be a significant concern and will maybe catch a lot of us unaware.”