While there may not be anything “new” in this video – Charles and his pal Chris performed the remote hack mentioned in the video quite a while ago, and as he notes, once Chrysler was made aware of it the company promptly resolved that particular vulnerability on their particular vehicles – the level of control a hacker can assume over a vehicle is a rapidly expanding risk for professional Security Drivers, Solo Practitioners and other protection professionals.
Given the reliance on technology in modern vehicles, the growing demand for more “connectivity” (particularly in the luxury car market), and the adaptive nature of those capable of such attacks, the secure transportation provider must recognize that this is a rapidly evolving and expanding threat. Unfortunately, while awareness of those risks posed by technologically advanced, interconnected networks and systems in vehicles is increasing within both the secure transportation and executive protection communities, at this point, there are currently few, if any, truly effective risk management or risk mitigation strategies available.
This reality dictates that if remote vehicle hacking is considered a viable risk to the Principal, IF being the operative word, the Security Driver or protection practitioner must pay particular attention to planning for a response to such an attack. Keeping in mind that the remote hack discussed in the video, and the specific techniques it involved, is just one of several known successful remote hacks, somethings to consider in terms of contingency planning for the threat of someone remotely taking control of a vehicle’s critical control systems include:
– Installing a discrete master power “kill” switch in reach of the driver.
If you interrupt the power supply between the battery and the operating components of the vehicle you will be able to interrupt the hack, just know that the vehicle will not be driveable. It should be considered that once the power is interrupted you will have to abandon the vehicle IMMEDIATELY, as the operating assumption at that point should be that the hacker know’s exactly where the vehicle is.
– Install a discrete switch to kill power to the vehicle’s electric fuel pump, again within reach of the driver
By interrupting power to the engine’s fuel supply, the engine will stop running. This preserves power to other systems for the driver, but may also allow the hacker to control certain systems that still pose an increased risk to the Principal, such as power windows, power door locks and the vehicle’s Bluetooth microphone (allowing an attacker to listen in on what is said in the vehicle)
– Route Planning, Route Planning…Route Planning
While technology has impacted this essential element of protection planning – and not necessarily in a positive way, as today’s practitioner may over rely on technology such as GPS mapping and third party apps that may increase vulnerability to remote tracking – from a contingency planning perspective route planning takes on added importance if, as always IF being the operative word, the Principal is a viable target of an adversary with the capability and capacity to hack their vehicle or vehicles of choice.
In those circumstances, perhaps the most critical aspect of route planning becomes identifying safe havens…lots and lots of them…followed closely, of course, by selecting routes which place the vehicle in close proximity to as many safe havens as possible. As part of the process of planning contingencies in response to a remote hack that disables, or forces the driver to disable the vehicle, out of necessity the route planning process should identify viable foot routes to those safe havens as well.
Should your risk assessment process identify vehicle hacking as a high probability threat, and your vulnerability to such attacks as high based on the Principal’s choice of vehicles (and the technology in it), then one should consider utilizing a different vehicle, one not readily linked to the Principal, to survey (or “run”) the routes. This minimizes the potential that a hacker will have access to information about the routes being surveyed.
While none of these are particularly attractive options, given the absence of reliable strategies, processes and tools to effectively manage and/or mitigate the potential risk of remote vehicle hacking if – once again, the operative word being IF – your Principal’s exposure to such risks is high, than planning for these less-than-attractive contingencies is part and parcel of your responsibilities as a professional Security Driver or protection practitioner.
Leave a Reply