Emerging Cyber Risk

Out of Control in the Driver’s Seat

Security researchers provide haunting proof of how vulnerable our high-tech vehicles really are.
By: | April 20, 2016 • 5 min read
car hacking

You’re tooling down the highway when suddenly your car’s A/C turns on to full blast. Then the radio fires up and switches to a Hip-Hop station.

You’re startled when the wipers turn on, wiper fluid obscuring your view of the road for a moment.

Advertisement




You’re frantically trying to turn it all off when your car loses power completely, leaving you stranded on a busy stretch of road with no shoulder, a semi closing in fast from behind you.

That sounds a little a scene from a spy thriller or maybe even the “X-Files,” but it happened to the driver of a 2014 Jeep Cherokee as researchers Charlie Miller and Chris Valasek hacked into and took control of it.

The duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.

Miller and Valasek first made headlines in 2013, when they publicized their success hacking into Ford and Toyota models. At that time, they only managed to accomplish the attacks while their PC was plugged into the vehicles’ diagnostic ports.

Only two years later, the duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.

They found they could do it from absolutely anywhere, so long as they had an internet connection. Most disturbing of all, they identified a loophole that could be used to attack multiple cars at once — creating a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.

The team published part of the project online and later demonstrated their “progress” at the 2015 Black Hat conference.

Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get.

After Miller and Valasek published their results, Fiat Chrysler issued a recall for 1.4 million vehicles affected by the vulnerability exploited by the team. The automotive industry has been on high alert ever since, even while they simultaneously boast about models equipped with more and better technology.

Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get. The push toward autonomous vehicles will only increase those vulnerabilities.

“We are a long way from securing the non-autonomous vehicles, let alone the autonomous ones,” said Stefan Savage, a computer science professor at the University of California, San Diego, during an Enigma security conference early this year.

Autonomous isn’t necessarily synonymous with “connected,” however, even for early entrants to the commercial autonomous vehicle space.

Advertisement




Daimler’s Freightliner Inspiration, the world’s first road-ready self-driving truck, “doesn’t rely on ‘connectivity’ or wireless communication to/from the outside world to drive itself,” said Dan Holden, manager of corporate risk and insurance for Daimler Trucks North America.

“Rather, the system is self-contained, meaning it uses production cameras and radars as inputs to determine the vehicle position and keep it centered in its lane.  Therefore the Inspiration truck is as secure from a cyber perspective as production vehicles today.”

More Frightening Than Fiction

Until cyber vulnerabilities can be addressed, it doesn’t take a broad stretch of the imagination to see what the future implications could be for this type of attack. Consider a few scenarios:

  • The vehicle of a courier transporting sensitive documents is disabled in a remote location, where armed thieves are waiting to steal the documents.
  • A high-level executive receives a message alerting him that ransomers have control of his teen daughter’s car — with her in it — and will drive it off of a bridge if he doesn’t pay $10 million in Bitcoin.
  • A ring of thieves finds a way into the systems of a trucking fleet’s rigs through its onboard camera system, enabling it to stop the trucks remotely so teams can hijack the cargo.
  • An extreme hactivist group decides to “brick” every car in Los Angeles, disrupting businesses and lives until its demands are met.
  • An attacker hacking into a commercial truck’s system disables the brakes, sending the truck careening into a school bus in the middle of an intersection.

Keep in mind that even less extreme types of hacking could create vulnerabilities for both individuals and businesses.

Miller and Valasek proved their ability to wirelessly hack a vehicle for surveillance, tracking GPS coordinates, measuring speed, and tracing routes. When a vehicle’s onboard systems are connected to the driver’s smartphone, the smartphone is also at risk for attack, and any data stored in it is fair game, including passwords and credit card information.

Government and Industry Respond

Miller and Valasek’s work is part of what inspired the drafting of an automotive security bill introduced last year. The Security and Privacy In Your Car Act (the SPY Car Act) would require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy.

The bill’s creators surveyed 20 carmakers and discovered that only seven used independent security testing to check their vehicles’ security, and only two had tools in place to stop a hacker intrusion.

Several Japanese companies are working on automotive cyber security technology.

In March, the FBI, along with the Department of Transportation and the National Highway Traffic and Safety Administration, published an advisory on the realities of hackable vehicles and making recommendations to increase security.

Several Japanese companies are working on automotive cyber security technology. Panasonic is developing a device that can detect unauthorized network signals and cancel them out. Fujitsu Laboratories and a researcher from Yokohama National University are developing technology that detect an attack, notify the driver, and encrypt signals to allow the vehicle to be stopped safely.

However these technologies are still five years away from commercial availability, as are fully encrypted next-generation automotive networks.

Advertisement




Transportation companies, their clients and every organization with a fleet of its own should be asking questions about the security of the vehicles that are used in the course of their daily operations — and whether they have cover that will respond if their vehicles fall prey to cyber tampering.

“Having insurance coverage in place that would address bodily injury and property damage is something companies should seriously consider as this risk matures,” said William A. Boeck, senior vice president. and insurance and claims counsel for Lockton’s cyber risk practice.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]
Share this article:

Risk Insider: Jack Hampton

Cyber Security: We’re Blind, Please Help

By: | April 18, 2016 • 2 min read
Jack Hampton is a Professor of Business at St. Peter’s University in New Jersey and a former Executive Director of the Risk and Insurance Management Society (RIMS). He was named a Risk Innovator in 2008 by Risk and Insurance®. He can be reached at [email protected]

A popular video shows a blind man sitting on the ground in a plaza hoping to receive money from those who pass by. His cardboard sign says simply, “I’m blind. Please help.” A few individuals drop money into a cup.

A young woman stops and changes the man’s sign. Suddenly many more individuals give money to the man.

The woman returns and the blind man asks, “What did you do to my sign?”

Her answer is, “I wrote the same but different words.” The changed sign read, “It’s a beautiful day and I can’t see it.”

With the Darknet and throwaway cell phones, terrorists do not need iPhones. Apple versus the FBI is not only about privacy or terrorism. It is about further destabilizing an already vulnerable world of communications.

In our cyber security discussions, we often use the wrong words. This happened in the recent public debate when the FBI demanded an Apple iPhone backdoor to allow law enforcement to track communications among terrorists. In a TV broadcast, “60 Minutes” framed the argument as stopping terrorism versus protecting privacy.

Tim Cook (Apple CEO) and John McAfee (anti-virus guru) argued that law enforcement and the media were missing the point. If Apple complied, terrorists would immediately change tactics.

With the Darknet and throwaway cell phones, terrorists do not need iPhones. Apple versus the FBI is not only about privacy or terrorism. It is about further destabilizing an already vulnerable world of communications.

Advertisement




In an earlier Risk Insider post, I argued that there were negative consequences to consider should Apple’s “wiper” function be disabled.

The standoff between Apple and the FBI temporarily resolved itself. The FBI cracked the iPhone and withdrew the request to Apple.

In this scenario, we not only used the wrong words…we asked the wrong question. How then can we get the right answer?

Maybe we should ask, “Can Apple help us install a wiper on every computing device and network?” Ten hacker attempts and all the data is erased. We would learn to back up our data real quick.

The feature could help with privacy. Would it have anything to do with criminal behavior? Maybe yes. Maybe no.

Separately, we may be missing the big picture. When Samuel Morse and others developed the telegraph, communications were instantaneously transmitted around the world by wire. Anywhere along a railroad line, hackers could intercept the message. This is the public Internet of 2016.

Is the right question, “What should we do to fix a 21st Century communications system built upon a 19th century telecommunications model?”

Cyber security efforts should not stop with, “I’m blind. Please help.” The words should stir us to action.

We can hope the best and brightest of our cyber security folks help us see a beautiful day by devising a secure Internet that does not impede law and enforcement.

Share this article:

Sponsored: Liberty Mutual Insurance

Commercial Auto Warning: Emerging Frequency and Severity Trends Threaten Policyholders

Commercial auto policyholders should consider utilizing a consultative approach and tools to better manage their transportation exposures.
By: | June 1, 2016 • 6 min read

The slow but steady climb out of the Great Recession means businesses can finally transition out of survival mode and set their sights on growth and expansion.

The construction, retail and energy sectors in particular are enjoying an influx of business — but getting back on their feet doesn’t come free of challenges.

Increasingly, expensive commercial auto losses hamper the upward trend. From 2012 to 2015, auto loss costs increased a cumulative 20 percent, according to the Insurance Services Office.

“Since the recession ended, commercial auto losses have challenged businesses trying to grow,” said David Blessing, SVP and Chief Underwriting Officer for National Insurance Casualty at Liberty Mutual Insurance. “As the economy improves and businesses expand, it means there are more vehicles on the road covering more miles. That is pushing up the frequency of auto accidents.”

For companies with transportation exposure, costly auto losses can hinder continued growth. Buyers who partner closely with their insurance brokers and carriers to understand these risks – and the consultative support and tools available to manage them – are better positioned to protect their employees, fleets, and businesses.

Liberty Mutual’s David Blessing discusses key challenges in the commercial auto market.

LM_SponsoredContent“Since the recession ended, commercial auto losses have challenged businesses trying to grow. As the economy improves and businesses expand, it means there are more vehicles on the road covering more miles. That is pushing up the frequency of auto accidents.”
–David Blessing, SVP and Chief Underwriting Officer for National Insurance Casualty, Liberty Mutual Insurance

More Accidents, More Dollars

Rising claims costs typically stem from either increased frequency or severity — but in the case of commercial auto, it’s both. This presents risk managers with the unique challenge of blunting a double-edged sword.

Cumulative miles driven in February, 2016, were up 5.6 percent compared to February, 2015, Blessing said. Unfortunately, inexperienced drivers are at the helm for a good portion of those miles.

A severe shortage of experienced commercial drivers — nearing 50,000 by the end of 2015, according to the American Trucking Association — means a limited pool to choose from. Drivers completing unfamiliar routes or lacking practice behind the wheel translate into more accidents, but companies facing intense competition for experienced drivers with good driving records may be tempted to let risk management best practices slip, like proper driver screening and training.

Distracted driving, whether it’s as a result of using a phone, eating, or reading directions, is another factor contributing to the number of accidents on the road. Recent findings from the National Safety Council indicate that as much as 27% of crashes involved drivers talking or texting on cell phones.

The factors driving increased frequency in the commercial auto market.

In addition to increased frequency, a variety of other factors are driving up claim severity, resulting in higher payments for both bodily injury and property damage.

Treating those injured in a commercial auto accident is more expensive than ever as medical costs rise at a faster rate than the overall Consumer Price Index.

“Medical inflation continues to go up by about three percent, whereas the core CPI is closer to two percent,” Blessing said.

Changing physical medicine fee schedules in some states also drive up commercial auto claim costs. California, for example, increased the cost of physical medicine by 38 percent over the past two years and will increase it by a total of 64 percent by the end of 2017.

And then there is the cost of repairing and replacing damaged vehicles.

“There are a lot of new vehicles on the road, and those cost more to repair and replace,” Blessing said. “In the last few years, heavy truck sales have increased at double digit rates — 15 percent in 2014, followed by an additional 11 percent in 2015.”

The impact is seen in the industry-wide combined ratio for commercial auto coverage, which per Conning, increased from 103 in 2014 to 105 for 2015, and is forecast to grow to nearly 110 by 2018.

None of these trends show signs of slowing or reversing, especially as the advent of driverless technology introduces its own risks and makes new vehicles all the more valuable. Now is the time to reign in auto exposure, before the cost of claims balloons even further.

The factors driving up commercial auto claims severity.

Data Opens Window to Driver Behavior

To better manage the total cost of commercial auto insurance, Blessing believes risk management should focus on the driver, not just the vehicle. In this journey, fleet telematics data plays a key role, unlocking insight on the driver behavior that contributes to accidents.

“Roughly half of large fleets have telematics built into their trucks,” Blessing said. “Traditionally, they are used to improve business performance by managing maintenance and routing to better control fuel costs. But we see opportunity there to improve driver performance, and so do risk managers.”

Liberty Mutual’s Managing Vital Driver Performance tool helps clients parse through data provided by telematics vendors and apply it toward cultivating safer driving habits.

“Risk managers can get overwhelmed with all of the data coming out of telematics. They may not know how to set the right parameters, or they get too many alerts from the provider,” Blessing said.

“We can help take that data and turn it into a concrete plan of action the customer can use to build a better risk management program by monitoring driver behavior, identifying the root causes of poor driving performance and developing training and other approaches to improve performance.”

Actions risk managers can take to better manage commercial auto frequency and severity trends.

Rather than focusing on the vehicle, the Managing Vital Driver Performance tool focuses on the driver, looking for indicators of aggressive driving that may lead to accidents, such as speeding, sharp turns and hard or sudden braking.

The tool helps a risk manager see if drivers consistently exhibit any of these behaviors, and take actions to improve driving performance before an accident happens. Liberty’s risk control consultants can also interview drivers to drill deeper into the data and find out what causes those behaviors in the first place.

Sometimes patterns of unsafe driving reveal issues at the management level.

“Our behavior-based program is also for supervisors and managers, not just drivers,” Blessing said. “This is where we help them set the tone and expectations with their drivers.”

For example, if data analysis and interviews reveal that fatigue factors into poor driving performance, management can identify ways to address that fatigue, including changing assigned work levels and requirements.  Are drivers expected to make too many deliveries in a single shift, or are they required to interact with dispatch while driving?

“Management support of safety is so important, and work levels and expectations should be realistic,” Blessing said.

A Consultative Approach

In addition to its Managing Vital Driver Performance tool, Liberty’s team of risk control consultants helps commercial auto policyholders establish screening criteria for new drivers, creating a “driver scorecard” to reflect a potential new hire’s driving record, any Motor Vehicle Reports, years of experience, and familiarity with the type of vehicle that a company uses.

“Our whole approach is consultative,” Blessing said. “We probe and listen and try to understand a client’s strengths and challenges, and then make recommendations to help them establish the best practices they need.”

“With our approach and tools, we do something no one else in the industry does, which is perform the root cause analysis to help prevent accidents, better protecting a commercial auto policyholder’s employees and bottom line.”

To learn more, visit https://business.libertymutualgroup.com/business-insurance/coverages/commercial-auto-insurance-policy.

SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.


Advertisement





Liberty Mutual Insurance offers a wide range of insurance products and services, including general liability, property, commercial automobile, excess casualty, workers compensation and group benefits.
Share this article: