Nowadays, pretty much every item in a household or a company may come in a “smart” or “connected” format. There are many advantages to being connected, but it also comes with risks.
Cars are no exception to this trend and represent an increasing attack surface. With hackers ready to exploit any vulnerability within the software, hardware and communication systems, cyber security must be a priority.
In this case, we are looking into the usage of a connected device plugged into vehicles. This device enables organisations to gain insights into the usage of company cars by providing GPS tracking. It also allows garages to remotely diagnose issues, track vehicles containing sensitive material such as explosives, or track stolen vehicles. However, without the right security measures in place, hackers could locate, track and take remote control of vehicles with devastating consequences.
You may have seen a movie where a truck full of explosives is hijacked remotely and driven towards a target, and thought it was impossible. Think again.
We were recently approached by a fleet management company to test the security of a dongle that was installed in 50,000 vehicles. The purpose of the dongle is to track the location of vehicles to allow companies to get better insights on their professional usage of the vehicles with the goal of reducing the overall ecological footprint.
Our investigation revealed that our client was buying the dongle from a manufacturer that was selling the dongle to numerous parties and had the schematic of the motherboard and the user manual published on the Internet. Using the information contained in those documents, we easily identified and connected to the management interface of one of the devices. The user manual also indicated the existence of a remote management process allowing technicians to control and debug the dongle in case of issues.
Not wanting to put people and actual vehicles at risk, we connected an external power supply to the dongle and simulated data provided by the car. We connected to the management interface, which was protected using a default password documented in the user manual, and after looking into the device configuration, we noticed that the device management was performed using SMS. However, access was restricted to a select set of German phone numbers. We also discovered that the devices were assigned sequential phone numbers by the telecom provider, making it trivial for an attacker to launch a targeted attack.
We partnered with a company that enabled us to spoof a German phone number from the list and sent our text message. A minute later, we received a reply from the dongle confirming that we had gained administrative access. We had gained the ability to locate every dongle and take full control of the cars that they were plugged into. Using this technique, we could have remotely instructed cars to perform actions such as accelerate to the maximum speed, apply the brakes, turn on the turn signals, apply the windscreen wipers, or turn on the radio. This made use of the direct connection between the dongle and the CAN-bus of the vehicle.
The fleet management company had left the default password, giving anyone with the password—and hacking knowledge—the ability to take control of its 50,000 vehicles, determine their location, and put the drivers and everyone on the road at risk. The phone number of each dongle could easily be identified because they were bought in bulk and thus sequential.
We worked together with our client to establish a secure method that does not use text messages to take control for administrative purposes. We also changed the default password and worked with the manufacturing company to make sure that changing the password was a requirement, which also ensures compliance with the GDPR, specifically data protection by design.
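An added example, not code from this article, the client or the dongle's manufacturer: it contrasts the sender-number allow-list described above with per-command authentication based on a per-device key and a replay counter. The key, device ID, phone number and command name are constructed, and the scheme is an illustrative assumption, not the method the client adopted.

```python
import hashlib
import hmac

# Constructed sample values; none come from the device described in the article.
ALLOWED_SENDERS = {"+4915100000001"}  # stands in for the dongle's sender allow-list
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed per-device secret


def sender_allowlist_check(sender: str) -> bool:
    """Weak check: trusts the claimed sender number, which the receiver cannot verify."""
    return sender in ALLOWED_SENDERS


def sign_command(key: bytes, device_id: str, counter: int, command: str) -> str:
    """Backend side: bind the command to one device and one counter value."""
    msg = f"{device_id}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    """Device side: accepts a command only with a valid MAC and a fresh counter."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_counter = 0

    def accept(self, counter: int, command: str, tag: str) -> bool:
        expected = sign_command(self.key, self.device_id, counter, command)
        if not hmac.compare_digest(expected, tag):
            return False  # forged, altered, or signed with another key
        if counter <= self.last_counter:
            return False  # replay of an earlier command
        self.last_counter = counter
        return True


def demo() -> dict:
    dev = Device("dongle-0001", DEVICE_KEY)
    tag = sign_command(DEVICE_KEY, "dongle-0001", 1, "GET_STATUS")
    wrong_key_tag = sign_command(b"\x01" * 16, "dongle-0001", 2, "GET_STATUS")
    return {
        "claimed_sender_passes_allowlist": sender_allowlist_check("+4915100000001"),
        "valid_command": dev.accept(1, "GET_STATUS", tag),
        "replayed_command": dev.accept(1, "GET_STATUS", tag),
        "forged_tag": dev.accept(2, "GET_STATUS", "0" * 64),
        "wrong_key": dev.accept(2, "GET_STATUS", wrong_key_tag),
    }
```

Because each device holds its own key, knowing one dongle's credentials or predicting the next phone number in a sequential block gives no access to the rest of the fleet.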
Given the serious nature of the security risk, the fleet management company and Deloitte worked together towards a full resolution of the issue within a week.
This exercise provides a good example of how misconfiguration may pose a real threat to the security and privacy of individuals.
This illustrates the need for companies to integrate security testing early in the product development lifecycle and the fact that companies should not rely solely on their developers and suppliers to implement security measures. The earlier the security testing is done in the development cycle, the fewer the potential consequences and the lower the costs of fixing the issues. A secure by design approach should be the norm in product development, especially when hardware is involved as fixing the issue may involve re-engineering of the product.
Organisations that conduct a security assessment need to be aware that swift action is needed when vulnerabilities are discovered to ensure the security of the product and user base.
Deloitte helps companies identify and resolve cyber risks. We support our clients from the conception throughout the implementation and all the way through the project lifecycle. We work with our clients to ensure cyber security and compliance, and to embed security at the core of the project and business.