Cybersecurity Experts: Autonomous Trucks Are Ripe for Hacking, Ransom

As vehicles of all kinds transform into computers on wheels, cybersecurity is becoming more of an issue. And trucks are an especially attractive target, experts believe.

“More harm can be done with trucks than cars,” said Jeffrey Carr, a consultant and founder of the Suits and Spooks cybersecurity conference series.

Autonomous trucks are expected to become a ripe target.

As trucks take on more self-driving features, such as traveling in platoons of tight digitally tethered trucks to draft off a lead vehicle and save fuel, goods can be delivered more quickly, safely and efficiently, analysts say.

Self-driving features, for example, offer the potential for drivers to be able to rest while the truck is driving on highways, taking over just for first- and last-mile functions, extending the number of daily hours they can operate the vehicle.

But autonomous trucking also comes with risks.

“If you move to autonomous navigation systems or even just the usual driver-controlled navigation systems, they’re all vulnerable to attack,” Carr said.

So-called GPS spoofing has already successfully misdirected aircraft and boats, including an $80-million yacht. In 2013, University of Texas-Austin researchers successfully took over the yacht’s GPS and changed its course. Such spoofs could easily be done to trucks as well, Carr said.

Once a truck target has been identified, a hacker can identify which GPS satellites are used to guide its navigation. This can be hijacked by creating his own transmitter and codes to mimic the ones sent by that satellite, then gradually increasing the frequency of the signals from that transmitter.

“You can fool the receiver in the vehicle to lock onto the fake codes instead of the authentic GPS codes and reprogram the mapping coordinates for where the vehicle is headed,” Carr said.

The cost to hack a GPS system is about $10,000, Carr said. “They won’t waste that on an individual vehicle. It has to be a high-value target. Giant rigs moving down the highway under the control of computerized navigation systems utilizing GPS — you have a high-value target.”

Part of what makes trucks more vulnerable to cyberattacks than cars is that they all use the same protocol, said Monique Lance, with Argus Cyber Security, based in Tel Aviv, Israel.

“There’s a common communications standard in trucks called J 1939 that makes it possible to craft one attack that fits all,” Lance said. “An attack that accesses one truck will potentially access most trucks.”

Argus Cyber Security has been working with all the major U.S., German and Japanese automakers on cybersecurity systems for the last four years. It started working with truck manufacturers only a year ago, Lance said. But the strategies to prevent cyberattacks for both vehicle types are the same.

Argus advocates a three-pronged approach that begins with prevention — by designing cybersecurity into trucks from the concept stage. Transportation companies need to be proactive rather than reactive, she said. But if a hack does occur, the system needs to be able to understand it’s been compromised and respond as quickly as possible.

Accessing the truck is just the first step, Lance added. The hacker then has to create the damage. But that damage has the potential to be severe.

Trucks account for about $700 billion in freight revenue annually, according to the American Trucking Associations. That represents about 80 percent of the nation’s freight bill.

“Because trucks are depended upon to transport goods and services, if you hold a fleet of trucks for ransom, you’re more inclined to get a quick payment because those organizations can’t afford to have their trucks stalled for a day or two,” Lance said. “The costs of not getting those goods delivered is very high.”

The most likely forms of cyberattack on trucking are stealing freight or holding it for ransom, but terrorism is also a possibility.

“Nobody’s interested in one car unless it’s carrying an executive or an official, but a truck? You could hurt a lot of people. We already know trucks have become a preferred method of delivering attacks,” Carr said.

Over the last year, there have been multiple terrorist attacks using trucks — in France, England and the U.S. Driven by humans, they’ve caused plenty of damage simply by driving through groups of pedestrians.

Once trucks are automated, even more harm could be done, Carr said.

“Cybersecurity is definitely an issue to be developed and implemented as quickly as possible,” said Jeremy Carlson, an analyst at IHS Markit.

The same cybersecurity issues with cars also apply to trucks, he said. “Fortunately, there haven’t been any hugely disastrous headlines that have come out, but we certainly understand the cost of not having cybersecurity.”

Carlson points to the infamous hack from July 2015 when white-hat hackers Charlie Miller and Chris Valasek took remote control of a 2014 Jeep Cherokee’s digital systems over the Internet while a reporter from Wired magazine was driving. That hack resulted in Jeep recalling 1.4 million vehicles at a cost of about $140 million, Carlson said.

“It certainly represents a better financial investment to do something before the fact rather than as a reaction,” Carlson said.

Hacking vehicles is “still white-hat hackers doing this to improve security rather than anything outright malicious,” he added. “That’s good for the industry to help address these challenges, but with the attention on the white-hat side, there’s growing awareness among people looking to do something malicious.”

Read Next: ATA Plans Vehicle Cybersecurity Threat Reporting Service