Cybersecurity & Parking
What affects 1 in 3 Americans, costs trillions of dollars annually, and is a complete mystery to most people?
Why You Should Care About Cybersecurity
There are close to 400 cyber-attacks every single minute in the US, which affect 1 in 3 Americans every single year[i]. It costs companies an average of $15.4 million annually to manage hacks against them, with total annual damage estimated at $6 trillion by 2021[ii].
The point of these stats is not to make you paranoid, but to highlight how real, common, and far reaching cybersecurity threats are. It’s also to get you to take one more step in your thought process and connect cybersecurity to your vehicle – your connected car – knowing that online threats are targeting people everywhere. It should get you thinking about how many cars there are, how big a target market that represents for hackers, and what you can do to protect yourself and your vehicle.
The Connected Car
So, what exactly IS a connected car? A connected car is any vehicle that has wireless connectivity to the Internet and/or other devices, like a satellite or an auto manufacturer or another vehicle or pedestrian. A connected car collects, sends and receives information, processes it, and actions it or alerts the driver to information that requires human action. The image below from the Future of Privacy Forum[iii] is a great visual explanation of some of the components.
What Data Does a Car Collect?
Your vehicle is a nosey piece of machinery. It collects external data on traffic, road conditions, signage, markings, weather, and lots more. It also collects a boat load of internal data on you through cameras and microphones. That data can be anything from eye movement to driving habits. The connected car also relays all information between your smart phone and the apps your car enables you to use, and you can bet it’s collecting that data too[iv].
Feeling a Little Big-Brothered?
There are a lot of questions about the volume of data that connected cars are collecting and how they’re using it. Three issues the most unique to this situation are:
Fingerprinting: When your car collects information on every single habit, twitch, reaction, and tendency, it can build a predictive model on exactly how you will behave behind the wheel. What distance from the curb you’ll park, how far in advance you’ll break, if you’re going to run a yellow light… you get the idea. It’s your unique driving profile, and it’s being built right now[v].
Access: There are more than just you and the vehicle in this relationship. The manufacturer is tracking wear and tear so it can better service your car; the insurance company is reviewing your driving to determine the cost of insuring you.
Legislation: It’s unclear if existing acts and governing bodies will regulate this niche, or if new legislation or agencies will need to be created to regulate the data collection and use.
What’s the Risk of Collecting the Data?
The main issues is that your exact location and personal information is available on the internet, can be hacked into, and used for purposes other than intended by the collector. Consider theft and hacking, two very real, very current (2018), examples of what can happen to a connected, unsecure vehicle.
Vehicle Theft: Key fobs, remote starters, and remote locking capabilities all create more points of access for a vehicle thief. The prevalence of key fobs for locking and unlocking vehicles is actually quite troubling. Car thieves can purchase the components needed to create a duplicate fob for about $35 at Home Depot – and do it all from a nearby location so you never even see them. This CBC Marketplace video shows just how easy it is to mirror a key fob and steal a car in a matter of seconds[vi].
Infection: Another risk is that your vehicle is infected with a virus. It can transfer the virus as it talks to other cars and IoT connected devices. A tainted vehicle could disrupt traffic lights[vii], send push messaging to cellphones on the network, disrupt emergency services communication, and much more. And of course, if an infected vehicle transferred the virus to your network, it could poison your entire online parking management platform if it goes far enough.
Car Hacking: Think hacking a car while it’s in motion is a future-you problem? The original brainchildren behind hacking vehicles, Charlie Miller and Chris Valasek, show you just how easy it is, complete with a reporter in the car driving at highway speeds while they do it[viii]. In summary, there are a lot of entry points into a vehicle’s system, including the telematics system, remote door locks, apps, key fobs, etc.[ix] and each of these are a vulnerability (see diagram below for entry points).
What Kinds of Hacking You and Your Vehicle Should Worry About
As discussed, anything and everything that’s part of the IoT is at risk for hacking and other cybersecurity breaches. Below are a few of the things that you should always have in the back of your mind.
Phone and app hacking: There are dozens of free apps and online tools that allow a user to breach any given cell phone. These apps give access to text messages (which might contain password reset links, verification codes, etc.), access to install new apps or viruses, access to web browsing history, access to social media accounts, and access to all personal information and passwords saved or stored on the device.
Credit card hacking: You’ve likely heard about some of the bigger credit card breaches/thefts, including Home Depot, Target, and Uber. It’s incredibly easy to steal credit card information – mainly the CCV code – by using multiple sites to attempt online purchases until one purchase goes through[x]. The hacker then has the credit card info and can make unlimited online purchases until detected.
It’s also easy to install a card skimmer on a parking pay terminal. Swiping your card at a machine that has been tampered with gives instant access to your information and makes you a likely victim of fraud. With connected cars and IoT connected pay machines, you may not even need to have the card present to pay for your parking. That means data is transmitted wirelessly, and provides the opportunity to be compromised.
How Does This All Relate to Parking?
Eventually what this boils down to is that cybersecurity impacts the parking industry both directly (through hacked IoT connected devices like sensors, smart meters, and wayfinding) and indirectly (through customer experiences with stolen credit card info, hacked vehicles in lots, and security breaches of their data).
Let’s take a more detailed look at the issues we need to be aware of in the parking industry when putting all of our systems and data online.
Data breaches: storing customer information on hosted or cloud based networks (even if secured according to PCI DSS compliance standards[xi]) makes the information available to hackers. If Ashley Madison and Gmail accounts across China can be hacked – rest assured your data can be stolen too. Know what customer data you’re storing (personal info, payment information, vehicle information, etc.) ensure you’ve taken due diligence to protect it.
Vehicles incorrectly ticketed or towed: as discussed, smart parking meters have cybersecurity weaknesses. If a hacker breaks in, there are several tempting activities to accomplish, like stealing funds, or reporting non-payment and having cars ticketed or towed. Have a dispute process in place and provide restitution where appropriate.
Hardware hacking: everything from the pay station itself to the sensors, cameras, gates, and all IoT connected components of your parking system can experience a hostile takeover. Be sure to fully test your equipment before deploying it, and schedule regular checks and maintenance.
Theft: this covers everything from monetary theft, data theft to theft of the physical vehicle. As an operator, you risk serious reputation damage and the permanent loss of customers should anything be stolen from your parking lot. It’s critical to prevent theft – especially data – as this can have long term, far reaching impacts on customers.
Technologies to Mitigate Risk
Unsurprisingly, there is no magic wand or one-size-fits-all solution to cybersecurity challenges for vehicles or in the parking industry. However, below are a few advancements that can mitigate the risks.
Cryptocurrencies: This new virtual form of payment is growing rapidly – 216% growth in 2017 alone[xii] – and for good reason. Cryptocurrencies are decentralized and cheap, making them an attractive way to collect payments. As for why you should care, these forms of payment are often more secure than credit cards as they use blockchain technology to record transactions. We could certainly apply that technology in parking, having pay terminals match the registered owner of the licence plate to that of the address of the person paying (either using a credit card or a cryptocurrency).
Blockchain: Blockchain is a decentralized way of digitally recording events, transactions or information. Because of duplicate nature of data storage, it’s virtually impossible to hack or alter information.
Consider that a transaction is someone paying for parking in your lot. They enter their licence plate and give you $10. Now that they’ve paid, their licence plate number is recorded in the blockchain, so they can’t pass off the receipt for anyone else to use (benefit to you, the operator). It’s also recorded that their licence plate number is paid in full, so the customer won’t get a ticket (benefit to the customer).
Software: Keeping your anti-virus software up to date and scanning your systems regularly is a must. If you (both as an individual and as a rep for your parking operation) don’t already own virus prevention tools, there are hundreds of options you can purchase for your vehicle, to help prevent attacks in real time and keep you as safe as possible. They can also prevent parking apps and systems from getting hacked, and eliminate scammers from getting endless free parking at your facilities.
It’s the Journey that Matters
Like many anecdotes and quotes and Instagram posts will tell you, it’s not about the destination (secure connected vehicles & parking software and operations), it’s about the journey. That means constantly updating your protocols, knowledge, and practices around vehicle and parking security.
That just about does it for this article. There’s a much longer and more in depth version available, or if you have any questions, or want to chat about cybersecurity or cats, my name is Chelsea Webster, and I’m the Marketing Specialist at ParkPlus System; you can find me on LinkedIn here: https://www.linkedin.com/in/chelsea-webster/
[xi] If you’d like to read the standards, you can find them here: https://www.pcisecuritystandards.org/pci_security/standards_overview