Telematics and Software-Defined Vehicles Create New Fleet Risks

Telematics and Software-Defined Vehicles Create New Fleet Risks

April 11, 2024

Telematics is a valuable fleet technology. It's also hackable. You may have modern vehicles with embedded onboard systems or retrofitted telematics that integrate into your transportation management system. 

Electric vehicles (EVs) have changed how vehicles are fueled and triggered rapid technological advances. These include the emerging market of software-defined vehicles (SDVs). Modern onboard systems and connected cultures have shifted the perspective of vehicles from separate machines to an extension of the Internet of Things (IoT). And, as with many IoT devices, the risk of hacks is high.

Telematics hacking risk

Telematics is a piece of the transportation management system that requires additional cybersecurity protocols. This problem becomes even more complex if the telematics are retrofitted systems not part of the original vehicle. Criminals are counting on cybersecurity gaps to infiltrate your systems. 

According to Heavy Duty Trucking magazine, fleets of all sizes are vulnerable. Smaller fleets might not think they have risk exposure, but cybercriminals don’t discriminate. Trucking is an essential part of the supply chain, and one way to disrupt that flow of goods is to shut down its operational systems. If trucking companies can’t run system diagnostics, plan routes or alert drivers to unsafe cargo shifting, they could lose opportunities and profits. 

Cybercriminals might hack a system for reconnaissance on cargo contents and routes to deter deliveries. The most common types of telematics attacks are:

  • Malicious and unintentional backdoors into software
  • Malware attacks
  • Phishing
  • Piracy
  • Unauthorized enterprise resource planning access

Electric vehicle supply equipment

Another weak link criminals manipulate is electric vehicle supply equipment (EVSE), or charging stations. EVs communicate with EVSEs during charging to establish a connection or provide added benefits like power demand management or payment options. Payment options include external credit cards and plug-n-charge systems embedded into the vehicle. Embedded options are convenient but expose more data during the charging process. 

Establish guidelines on what charging stations to use and how to pay. Vet your EVSE vendors, and only choose those that use payment channel encryption and secure charging units. Share your preferred EVSE vendor list with your drivers and build them into your route planning. Create a response plan for drivers to alert their fleet managers if they suspect a cyberattack while charging.

Autonomous vehicles

As autonomous vehicles and advanced driver-assist technologies progress, SDVs may shift the focus away from driving and toward experiences and vehicle performance, such as: 

  • Onboard infotainment
  • Mobile phone and device integrations 
  • Upgraded vehicle performance
  • Remote work technology and software
  • Wi-Fi speed
  • Vehicle charging speed
  • Artificial intelligence
  • Augmented and virtual reality access
  • Repairs and diagnostic tools

As vehicle services advance, so do paywalls that prevent drivers from accessing features without adding subscription plans. Some auto manufacturers have already adopted a subscription-based payment model for ongoing service access. 

Unauthorized repairs versus right to repair

EVs have highlighted a decades-long debate on consumers’ right-to-repair laws and whether those laws create a cybersecurity risk.

Consumers across the globe have petitioned for laws allowing customers and independent shops to repair devices, vehicles and farm equipment. Advocacy groups want repairs to be unhindered by software programming. They lobby for access to the same diagnostic codes, tools and data that vehicles send to manufacturers. 

According to Upstream’s 2023 Global Automotive Cybersecurity Report, EV owners sometimes attempt to crack their cars' original equipment manufacturer systems for self-repairs and upgrades. But installing unauthorized software may expose owners to malware, spyware and ransomware. Unauthorized repairs can also invalidate warranties and void insurance coverage. 

Even so, consumers continue to petition state legislators for right-to-repair laws allowing them access to manufacturer diagnostic tools. Some auto manufacturers refuse to comply with state laws because of the cybersecurity risks. 

Massachusetts law requires auto manufacturers to give owners and mechanics access to the diagnostic data their vehicles send directly to dealers and manufacturers for maintenance and repair. In response, some auto manufacturers have removed telematics and wireless systems from the cars sold in that state. 

Inform drivers that it's not a question of autonomy, but security. Overriding systems for advanced features is unacceptable because of the hacking risks. Criminals know how to work around manufacturers’ applications and actively exploit them as entry points. (They may even seed "helpful hints" posts specifically for that purpose.)

Be vigilant about fleet cybersecurity 

Fleet cybersecurity is in its infancy, but the risks are becoming evident. Reduced driver distraction and increased efficiency often sell fleet telematics, but cybersecurity and support should be significant factors in your decision-making process. When considering a vendor, ask:

What kinds of cybersecurity is the technology built on? What are the known vulnerabilities? Be especially wary of aftermarket installations and telematics systems with fancy onboard features that lack cybersecurity. 

And remember, no system is hack-proof. Choose a telematics vendor that supports its products and works with your cybersecurity team. Ask them about the threat modeling system they followed when designing their telematics system. 

Your transportation management system vendor should be transparent with your IT team. If you don’t have an internal IT team, you can hire a third party to evaluate the telematics systems you’re considering. Include things like: 

  • Threat modeling (identifies the cybersecurity threats to a particular system)
  • Documentation and literature review (reviews standard operating procedures for cyber threat events)
  • Reverse engineering (analyzes the software’s functionality and flow to understand how it operates)
  • Network and radio spectrum analysis (evaluates the quality of signals over a spectrum of frequencies and troubleshoots connectivity and performance issues)
  • Penetration testing (reveals security weaknesses through intense stress testing)
  • Fuzz testing (feeds random invalid or unexpected inputs into a system to see what breaks)

What kinds of security patches do they offer? For how long? Your telematics vendor must be there for the long haul when it comes to cybersecurity. Threat actors invest time in reverse-engineering cybersecurity across technology, including connected systems like telematics. Infiltrating a weak link, like a failed driver device, could be what they need to crawl your systems and access financial records and client data. 

Make sure your telematics and SDVs offer security patches and provide notice so you can plan for upgrades. Notice is important because you and your drivers will know the patches are legitimate, not cyber schemes.

How does the system handle unvalidated patches? 

Have a plan for update failures. For example, rather than overriding a suspicious system patch, some systems shut down until the update is validated. But should they shut down even if it could cause delays or harm drivers? Test out scenarios with your telematics vendor and cybersecurity team.

What is the overall risk of using (and not using) a connected telematics system? 

Take time to validate all threats, from computer data breaches to driver safety. Methodically evaluate your fleet risks using a proven methodology like the National Institute of Standards and Technology Cybersecurity Framework.

What kind of security comes with SDVs and connected systems?

Ensure your vehicle manufacturer encrypts communications over cellular or wireless networks. Your fleet vehicles are connected to your system’s network and can be used to break into it.

Configure your telematics connections to vehicles as read-only and turn off write-access to vehicle electronic control units so hackers can’t inject malicious code. Layer the cybersecurity methods on your vehicle devices to block access to the more extensive telematics network. This will prevent criminals from gaining admission to one device and crawling your system to access sensitive data. 

Manufacturers should ensure that default passwords and configurations are customized. (Hackers have extensive knowledge of manufacturer passwords and configurations they sell or share on the dark web.) Use cryptographic keys for each telematics device so one key can’t be used across all of them.

Employ a vehicle alert system to detect attacks and train your drivers to take protective action. That means developing a cybersecurity response plan for your drivers and fleet managers. 

Invest in a cybersecurity and incident response plan

A cybersecurity response plan is no longer optional in the age of telematics and SDVs. 

Cyber liability insurance is essential, and it’s becoming more competitive. Some insurance carriers ask for proof of cybersecurity protocols and good cyber hygiene. A written response program can help the insurance underwriting team make informed decisions about your fleet’s risk. It also helps your broker or agent present your company positively when marketing your application. 

A response plan helps you educate your employees on how to react to ransom attacks, phishing schemes, deepfakes and other cyber threats. They’ll know how to spot a scam and who to contact if hacked. That’s good business, even if you’re not applying for cyber coverage.

Use the Federal Energy Management Program’s resources to get started on your cybersecurity initiatives.