The Car and Truck Fleet and Leasing Management Magazine

Market Trends

Can Fleet Vehicles be Hacked?

May 27, 2010, by Mike Antich - Also by this author

By Mike Antich

Fleet managers may worry about vehicles being stolen, but few have given much thought to having them hacked electronically. Most people don't realize a typical fleet vehicle contains 70-100 megabytes of binary code in 50-70 onboard microprocessors, and the amount of internal software code promises to grow in the future. A new study shows automotive software is as vulnerable to malicious hackers as the average PC. The report entitled, "Experimental Security Analysis of a Modern Automobile," was presented in May at the 2010 IEEE Symposium on Security and Privacy by a team from the University of Washington and the University of California, San Diego.

The research paper demonstrated how a sophisticated hacker could wreak havoc on a vehicle by manipulating the in-vehicle computer network or remotely accessing it via its wireless connectivity to the Web. The 11-person research team pointed out all new cars are "pervasively computerized" and control a wide array of components, including the engine, brakes, heating and cooling, lights, instrument panel, radio, and locks.

The researchers tested two 2009-model-year cars, whose make and model were not identified. They were able to connect a laptop to a standard onboard diagnostic computer port, which allowed them to control the car's computer wirelessly using a second laptop in a separate car. The team didn't identify the test cars because they did not want to single out a particular automaker. However, both vehicles had the controller area network (CAN) system, required as a diagnostic tool on all U.S. cars built since 2008. The team wrote a software utility program allowing them to listen to CAN traffic and insert their own network instructions. The paper demonstrated the ease in which a sophisticated attacker could control a wide range of automotive functions and completely bypass driver input. For example, by accessing the various electronic control modules (ECM) or engine control module, the researchers were able to manipulate the fuel level gauge, falsify the speedometer reading, display arbitrary dashboard messages, dial-up the heat or A/C, lock passengers in the car, continuously blare the horn, pop the trunk, turn off the lights, activate the windshield wipers, disable the brakes, selectively brake individual wheels on demand, and stop the engine. In addition, after deploying these malicious software commands, the team successfully erased any evidence of their tampering.

The research paper suggests two attack scenarios. Either by physical access gained by a mechanic, or even a spiteful significant other, who wishes to monitor and manipulate the vehicle's controls remotely over the Internet. Or, in the second attack scenario, someone hacking into one of the wireless networks found inside a vehicle. I would like to postulate another possible attack scenarios by a disgruntled computer-savvy employee, out to extract revenge on the company for a perceived wrong. Another possible attack could be directed at company officers by maliciously hacking into their executive fleet vehicles.

If you consider this far-fetched, consider the implications of what happened recently in Austin, Texas. Last February, more than 100 drivers in Austin had their vehicles immobilized or their horns blared uncontrollably after a disgruntled employee at a dealership hacked a system used to warn customers when they are behind on their auto repayment plans.

No Longer Just Mechanical Devices

The PCs in the early 1990s had latent software vulnerabilities. This wasn't an issue at the time because PCs did not have connectivity to other computers, outside of a local area network. However, when they became connected to the Internet, these latent vulnerabilities were exposed to outside attack. Vehicle technology is moving in the same direction, with a strong trend to provide Internet connectivity. Cars were strictly mechanical devices, but now we're seeing more and more electronics and connectivity, which means increased potential risk. The researchers wanted to point out the potential security risks if someone gained access to a vehicle's internal computer network. They did not want to take an alarmist tone, but simply show that it is possible. In the end, the software in a fleet vehicle is not fundamentally different from software on a PC, it's all binary code. The researchers advocate "hardening" these onboard systems and providing malware defenses before car hacking becomes a real problem. It's important to stress that no remote car hacking attacks have ever been recorded, and experiments designed to load malware into car systems using Bluetooth have been unsuccessful.

Hacking a car isn't easy. A would-be criminal would need advanced computer skills and access to the vehicle's on-board electronic and engine control modules to launch an attack. Fleet managers shouldn't be worried, at least not for now. However, in five to 10 years from now, all bets are off.

Let me know what you think.



  1. 1. David Barker [ June 07, 2010 @ 10:59AM ]

    Mike this is a very informative article as to enlighten us to the possibilities of mischief that can strike our fleets. Thanks for getting this info out, and as things change in the future please feel free to pass this on to me. Is there any safeguards that can be put in place to thwart these intrusions to the vehicle? Again thanks for the article.

  2. 2. Don [ June 14, 2010 @ 01:00PM ]

    Interesting article, I guess the message here is not to tick off an computer savoy mechanic, our your brakes may fail when you least expect it.

  3. 3. Judson Graham [ July 20, 2010 @ 08:37AM ]

    Really enjoyed the article about hacking fleet vehicles. Imagine the damage that could be done if someone got into one of the systems that “auto-parallel parks” vehicles. Just thought I’d pass along the compliments on the interesting article!

Comment On This Story

Email: (Email will not be displayed.)  

Comment: (Maximum 10000 characters)  
Leave this field empty:
* Please note that comments may be moderated.

Fleet Incentives

Determine the actual cost of owning and running a vehicle in your fleet. Compare vehicles by class and model.

Sponsored by

Texting has become an issue in the fleet industry due to the fact that doing while driving can lead to collisions. This activity represents potential liability for private- and public-sector organizations with fleets.

Read more

Author Bio

Mike Antich

Editor and Associate Publisher

Mike has covered fleet management and remarketing for more than 20 years and entered the Fleet Hall of Fame in 2010.

» More

More From The World's Largest Fleet Publisher