Telematics device security
With cybercrime increasing and security hacks becoming more common, just how secure is your remote asset (or vehicle) when fitted with a tracking or IoT (Internet of Things) device?
In this blog we don’t want to give away any secrets to the uninitiated, but rather give an overview of some areas where the safety of your devices could be improved by increasing or implementing the security measures offered by the devices or SIMs.
We can look at the system as three elements: device, SIM and application. In this case we’re just looking at the device and SIM; application server security is better explored by talking to your IT department or your application developers.
- Keep the device firmware up to date. Manufacturers produce regular firmware updates, and these may well include some enhanced security measures as the IoT market evolves and security becomes more of an issue. Ensure you have the ability to update your devices OTA (over-the-air) and keep device firmware up to date.
- Update configurations to add security features as they become available. As firmware updates occur and enhanced security becomes available, ensure that you have the ability to roll this out to your inventory of devices.
- Use password protection for any changes, communication or remote access. Passwords can be set for SMS and/or port communications; without the password included, connection requests and/or commands are ignored. Ensure you use the full available character set and make the password as unique as possible (devices have differing criteria for password structure, so be sure to check).
- Implement a “friends” list of numbers and servers that the device will accept, ignoring all others, but remember to ensure that these numbers remain in your control.
- Not all devices are created equal, so make sure that the device chosen offers the best security for your needs (contact us for best advice).
- Ensure lists of IMEI, SIM numbers and any passwords are kept secure and on a ‘need to know’ basis. The fewer people who have access the better, and this includes any cloud-based storage used to hold these files.
- Discuss with your network partner or MVNO what security measures can be added, e.g. Closed Group SIMs and/or Private APN.
In real terms, what are the risks? Not high: the nature of these devices is that they’re only passing data from the telematics device itself and are not directly connected to the vehicle control or ECU (albeit more devices of this type are starting to appear and, of course, connected cars).
We were recently asked to evaluate the security risk on an asset monitoring device, basically a ping a day with location and device ID. The reality in this case was that the security of the device lay in the fact that:
- Not a permanent connection – to save power the unit went into sleep mode between the 2 mins or so a day it was awake.
- There’s a password set
- The SIM was on a private APN and in a closed group
- The data had no commercial value
However, many vehicle tracking devices have a persistent connection, talking to a server application with turn-by-turn information and, in some cases, data from the vehicle itself. This in itself is less secure and potentially more valuable to an outside ‘intruder’. However, putting some basic security in place will better protect the connection, data and vehicle or asset.
Some basic good housekeeping, as pointed out above (latest firmware, latest configuration, password implemented, ‘friend’ lists implemented, and available SIM security), should secure your solution.
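The housekeeping checks listed above, run across a device inventory, as an added example that is not part of the original blog. The inventory layout, field names, firmware versions, IMEIs and phone numbers are all constructed for illustration; a real fleet would pull them from its own device management records.

```python
from collections import Counter

# Constructed sample data. Field names are assumptions for this example,
# not any vendor's export format.
LATEST_FIRMWARE = "3.10.0"
CONTROLLED_NUMBERS = {"+447700900001", "+447700900002"}  # numbers still in your control
FLEET = [
    {"imei": "000000000000001", "firmware": "3.10.0", "password": "q7#Lz!92vB",
     "friends": ["+447700900001"], "private_apn": True},
    {"imei": "000000000000002", "firmware": "3.9.4", "password": "",
     "friends": [], "private_apn": False},
    {"imei": "000000000000003", "firmware": "3.10.0", "password": "fleet2020",
     "friends": ["+447700900001", "+447700900555"], "private_apn": True},
    {"imei": "000000000000004", "firmware": "3.10.0", "password": "fleet2020",
     "friends": ["+447700900002"], "private_apn": True},
]

def version_tuple(v):
    # Compare versions numerically: as strings, "3.9.4" sorts after "3.10.0".
    return tuple(int(p) for p in v.split("."))

def audit_fleet(fleet, latest, controlled):
    reuse = Counter(d["password"] for d in fleet if d["password"])
    findings = {}
    for d in fleet:
        issues = []
        if version_tuple(d["firmware"]) < version_tuple(latest):
            issues.append("firmware behind latest")
        if not d["password"]:
            issues.append("no password set")
        elif reuse[d["password"]] > 1:
            issues.append("password shared with another device")
        if not d["friends"]:
            issues.append("no friends list")
        else:
            stray = sorted(set(d["friends"]) - controlled)
            if stray:
                issues.append("friends list has uncontrolled number: " + ", ".join(stray))
        if not d["private_apn"]:
            issues.append("SIM not on private APN")
        if issues:
            findings[d["imei"]] = issues
    return findings

if __name__ == "__main__":
    for imei, issues in audit_fleet(FLEET, LATEST_FIRMWARE, CONTROLLED_NUMBERS).items():
        print(imei, "->", "; ".join(issues))
```
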
A question we’ve asked of several people in the security market is “what would a potential hacker or cybercriminal have to gain?”, and the general answer is “nothing, it’s just because they can”. So regardless of how important or critical your data is to you, the value is unimportant to them; it’s more the disruption that could be caused by any outside interference in your solution.