A report released earlier this month revealed that the MiCODUS MV720, a popular in-vehicle GPS tracking system, contains six vulnerabilities that could compromise over 1.5 million vehicles in 169 countries. The vulnerabilities could allow hackers to use the GPS trackers to collect sensitive information, manipulate data, track or even immobilize a vehicle.
What does this mean for companies relying on similar vehicle GPS trackers? How can they increase security and manage vulnerability without compromising their assets?
Here are some thoughts from Debrup Ghosh, senior product manager of Synopsys Software Integrity Group, on security and vulnerability management:
1. Security needs to be part of the larger architectural design
Software development frequently overlooks security, so analysis and threat assessment should be used to identify potential threats. For developers, it is essential to apply safe coding practices when designing software and hardware, including offering backups in the event of errors, preventing shutdowns if possible (especially when a vehicle is moving), and designing in ways that keep drivers, and other vehicles on the road, safe.
2. Telematics devices provide the most common attack vector for the vehicle, as they can be remotely accessed
Security is a significant challenge with the controller area network (CAN) bus, as any device on the bus can send messages to any recipient. Since many trucks today use CAN buses, filtering out unexpected signals should be a key part of the design. Doing so limits access to the CAN bus and whitelists the messages that specific ports can receive.
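The per-port filtering described above can be sketched as a default-deny gateway check. This is an added example, not code from the report or from any vendor; the port names, CAN IDs and length ranges are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical gateway ports; names are assumptions for this example. */
enum port { PORT_TELEMATICS, PORT_DIAGNOSTIC, PORT_COUNT };

/* A frame passes a rule when (id & mask) == match and its length is in range. */
struct rule { uint32_t match, mask; uint8_t min_dlc, max_dlc; };

/* Constructed policy: the telematics port gets two exact status IDs only;
   the diagnostic port gets one 16-ID block. Everything else is denied. */
static const struct rule telematics_rules[] = {
    { 0x310u, 0x7FFu, 8, 8 },
    { 0x3A2u, 0x7FFu, 2, 4 },
};
static const struct rule diagnostic_rules[] = {
    { 0x7E0u, 0x7F0u, 1, 8 },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static const struct { const struct rule *rules; size_t n; } policy[PORT_COUNT] = {
    [PORT_TELEMATICS] = { telematics_rules, COUNT(telematics_rules) },
    [PORT_DIAGNOSTIC] = { diagnostic_rules, COUNT(diagnostic_rules) },
};
static unsigned dropped[PORT_COUNT];   /* per-port drop counters for monitoring */

/* Default-deny check for a classic 11-bit CAN frame arriving on `port`. */
bool gateway_allows(int port, uint32_t id, uint8_t dlc)
{
    if (port < 0 || port >= PORT_COUNT) return false;  /* unknown port */
    if (id <= 0x7FFu && dlc <= 8) {                     /* well-formed header */
        for (size_t i = 0; i < policy[port].n; i++) {
            const struct rule *r = &policy[port].rules[i];
            if ((id & r->mask) == r->match && dlc >= r->min_dlc && dlc <= r->max_dlc)
                return true;
        }
    }
    dropped[port]++;                                    /* no rule matched */
    return false;
}

int main(void)
{
    printf("%d\n", gateway_allows(PORT_TELEMATICS, 0x310u, 8)); /* listed ID */
    printf("%d\n", gateway_allows(PORT_TELEMATICS, 0x7E3u, 8)); /* other port's ID */
    printf("dropped on telematics port: %u\n", dropped[PORT_TELEMATICS]);
    return 0;
}
```

The drop counters give monitoring a signal: a port that suddenly produces many rejected frames is worth investigating.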
3. Vulnerability management means responding appropriately, quickly, and efficiently to incidents, vulnerabilities, and exploits
Organizations must implement secure over-the-air (SOTA) updates to quickly patch security vulnerabilities without opening additional attack vectors while loading updates and configuration data packets from the internet. Both trucking companies and GPS/fleet management vendors must take a proactive approach toward cyber security.
4. Penetration testing is always necessary
Penetration testing should be performed after architectural analysis and threat modeling to discover vulnerabilities that may be introduced into production systems due to those earlier analyses. These tests allow cyber security experts to detect vulnerabilities and assess the overall strength of an organization’s defense by simulating the actions of an attacker.
Conclusion
The security of any system is directly related to the complexity of its architecture. Complex systems with many different devices, apps, and software components need more sophisticated architectural design. Vulnerability management varies in complexity with different architectures, but it always has to be simple so as not to clutter the communication and workflow of security assessment, analysis, and remediation.