In 2017, millions of moviegoers flocked to theaters for the eighth Fast and Furious movie, where they watched a villainous Charlize Theron take control of hundreds of self-driving cars. Whether they knew it or not, this was many viewers’ first exposure to the idea of a transportation-based cyberattack. And while this specific scenario is not likely to happen, the danger of cyberattacks against connected vehicles is very real—and the movie isn’t as far from reality as you might think.
Recent reports estimate that 250 million IoT-enabled vehicles will be on the road by 2020 as demand for tools like smart driving assistance, car monitoring and geolocation services, predictive maintenance, improved fleet management, and more continues to rise. Although these tools offer both consumers and businesses exciting new conveniences, millions of connected vehicles means millions of new targets for cyberattacks. The 2019 SonicWall Cyber Threat Report indicated that 32.7 million cyberattacks targeting IoT devices occurred in 2018—a 217.5% increase over 2017—and the transportation industry’s race to embrace connected technology unfortunately makes it an attractive target.
Transportation: a valuable, vulnerable target
Traffic lights, road sensors, mass transit systems, and many other transportation systems and devices are connected to the network today. For this reason, transportation is rated by Gallagher as the third-most-vulnerable industry to cyberattack, and as partially or fully autonomous vehicles continue to hit the market, the potential consequences of an attack grow more serious.
As far back as 2015, hackers demonstrated their ability to remotely shut down a vehicle driving on the highway, using a vulnerability affecting Jeep Cherokees. In a controlled experiment, the hackers were able to remotely change the radio station, blast the air conditioner, turn on the windshield wipers, and even affect speed and steering—a terrifying prospect for a vehicle in motion. Less benevolent hackers could easily have used the same exploit to cause serious injury or even death.
These hackers are not alone. In 2016 and 2017, Chinese security researchers took control of a Tesla vehicle, gaining a similar level of control to the Jeep hackers and proving that the problem is more widespread than the industry would like to admit. Electric cars represent a particularly concerning target, considering how much software they require to control energy use and distribution. Malware introduced into the energy regulation systems of a fleet of electric cars could have potentially explosive results. This, in turn, makes these vehicles a lucrative target for ransomware attacks.
Russian hackers have taken a different (but no less concerning) approach, hacking into GPS and GNSS systems to display incorrect information to drivers and operators. While a malfunctioning GPS in a car may seem like a minor inconvenience, accurate location information is essential for self-driving vehicles, and a significant disruption of location services has the potential to disable vehicles or cause serious, life-threatening accidents. The rise of 5G is cause for concern in this area, as security experts grapple with how to secure the emerging network. The ability to locate and communicate with each other is essential for self-driving vehicles, and leaving the network they will use to do so unsecured leaves the door wide open for hackers to cause untold damage.
The risks are not limited to ground transportation. Pilots, too, require accurate and reliable geolocation services, and a hacked GPS could spell disaster for entire fleets of planes. It doesn’t stop there. In May of this year, researchers used commercially available radios to hack the landing system of a commercial jet, sending incorrect information to the instrument panel to make the pilot falsely believe the plane was off course. For pilots relying on their instruments for detailed and accurate information—especially in low-visibility situations—this type of exploit could spell literal doom. Imagine a pilot lining up a perfect landing, only to realize, as the plane dips below the clouds, that he or she is miles from where the GPS indicated. Air travel requires precise coordination, and this type of disruption can lead to disasters ranging from inconvenient delays to crashes, or even mid-air collisions.
Large-scale attacks have the potential to cause widespread damage
Attacks don’t have to result in loss of life to have significant and widespread economic impact, and the transportation industry is vulnerable to this sort of macro-scale attack. One such incursion has already proven capable of grinding global corporations to a halt, costing millions—if not billions—of dollars in damages. In 2016, A.P. Moller-Maersk, the world’s largest shipping company, was hit by the Petya cyberattack. The Danish company operates a fleet of 600 ships and owns roughly 16 percent market share of worldwide shipping, including 25 percent of all containers shipped on the Asia-Europe route.
The ransomware attack took down servers throughout Europe and India, affecting areas of the company including container shipping, port and boat operations, drilling services, and oil tankers. A.P. Moller-Maersk had to shut down operations at multiple ports, resulting in a loss of $200-$300 million. Petya and the related “NotPetya” attack caused billions of dollars in total damage across Europe, Asia, and the Americas. Although the attack was not directly caused by IoT systems, experts routinely cite it as the type of attack that the industry is likely to see more of as the proliferation of connected devices provides enticing new attack surfaces.
What we’re doing now, and what we should be doing in the future
The widespread vulnerability of IoT networks is a serious concern, but organizations are slowly beginning to recognize the issue and devote resources to solving it. A 2017 report by ABI Research found that roadways will account for $5 billion in cybersecurity spending by 2022, with another $3.9 billion from aviation. A Forrester report from 2018 indicated that 89% of companies viewed increasing their security and privacy capabilities as a high or moderate priority. Unfortunately, while the establishment of larger security teams more capable of responding to the massive volume of threat alerts received is a great start, it fails to address the underlying problem.
Ultimately, it is up to manufacturers, developers, and users to establish effective security protocols, such as securing an organization’s network using a trusted third-party PKI capable of authenticating large numbers of IoT devices and effectively managing their lifecycles. Certificates capable of verifying the identity of the user are an essential part of establishing a safer network. The AeroMACS ecosystem already uses public key infrastructure (PKI) certificates as a part of the security process, requiring them on every connected device—making this a global aviation standard. For car manufacturers and others in the transportation industry, this represents a strong example to follow.
IoT devices must be hardened against cyberattacks. They must include “secure boot” to validate that firmware is authentic and secure key storage to protect private keys, and they must encrypt sensitive data stored on the device. Communication gateways, including gateway electronic control units (ECUs) in automobiles, require a built-in firewall to protect against network-based attacks.
Researchers at TM Forum have stated that there is no “endgame” for protecting connected devices. Instead, organizations must continue to adapt their business models, market expectations, and technical capabilities as their circumstances change. Managing software updates, patching vulnerabilities, and adhering to established security procedures such as changing default passwords and strictly managing access control are essential parts of the solution.
But bigger strides are needed. It’s great news that some forward-thinking organizations are taking the issue of vulnerable IoT networks seriously, but throwing money at the problem is not enough. Manufacturers, developers, and users alike must be prepared to do their part to build and use effective security solutions. By working together to establish stronger industry standards, we can build a safer today and tomorrow.
Damon Kachur serves as VP of IoT for Sectigo,