How Authentication and API Vulnerabilities Undermine Fleet Management Systems

October 10, 2024
CyberThreat Research Lab

By Paul Pajares (Senior Threat Researcher, Automotive)

Fleet management is essential to modern business operations, enhancing efficiency and reducing costs. Industries such as logistics, public transportation, and emergency services depend on these systems to ensure timely and reliable service delivery. By streamlining vehicle management, businesses can not only boost efficiency but also maintain compliance with regulations and optimize vehicle lifecycle management.

At the core of fleet management are vehicle tracking systems, which use telematics to gather real-time data such as vehicle speed, location, fuel or battery consumption, routes, driving patterns, and device usage. For example, GPS tracking helps companies safeguard employees and vehicles, contributing to smoother business operations.

However, despite the operational benefits, fleet management systems can present security vulnerabilities. In this article, we explore how authentication issues within these systems might lead to unauthorized access to sensitive telematics data.

Authentication risks in fleet management systems

Basic authentication security protects employee or client credentials from unauthorized users and hackers. However, weaknesses in how fleet management systems store sensitive information can lead to data leaks or breaches, potentially resulting in privacy violations.

We examined 17 randomly selected companies that provide vehicle tracking systems across Asia, Europe, and the US. We assessed their authentication processes, and our analysis uncovered a critical vulnerability: cleartext passwords transmitted in URI parameters alongside usernames. (We have started identifying the contacts for the affected companies as part of our responsible vulnerability disclosure process.)

To ensure secure authentication and authorization, developers should follow best practices, such as hashing credentials (e.g., password salting) before sending them to the server. Without encryption, cybercriminals can intercept credentials through network monitoring or by examining HTTP traffic logs. For browser-based authentication, Transport Layer Security (TLS 1.3) is essential, as it encrypts data in transit to prevent unauthorized access. Unfortunately, some companies still permit logins over plain HTTP, without SSL/TLS encryption.

Table 1 shows that accessing some systems via direct HTTP using exposed credentials provides access to critical data. This includes GPS coordinates, vehicle speed, ignition status, device IDs, odometer readings, and complete addresses. In some cases, the password reset process uses only Base64 encoding, along with a secret code and an email address, which is an inadequate security measure.

| Country of operation | Has cleartext password in URI | Uses non-HTTPS login | API content |
|---|---|---|---|
| Brazil | Yes | No | |
| Bulgaria | Yes | Yes | Payment details |
| Hungary | Yes | No | GPS coordinates, speed, ignition status, device ID |
| Hungary | Yes | Yes | Boolean |
| India | Yes | No | "Requires authentication" |
| India | Yes | No | "Requires authentication" |
| Japan | Yes (Base64 password) | No | "Requires authentication" |
| Poland | Yes | No | GPS coordinates, device ID, ignition status, speed |
| Poland | Yes | No | "Requires authentication" |
| Poland | Yes | No | Several device IDs and names |
| Poland | Yes | Yes | |
| Romania | Yes | No | Several device IDs, ignition status, speed, GPS coordinates |
| Serbia | Yes | Yes | Variety of field names |
| Thailand | Yes | Yes | JSessionID |
| US | N/A (Base64 password reset) | N/A | "Requires authentication" |
| US | Yes | Yes | GPS coordinates, speed, complete address, odometer |
| US | Yes | No | "Requires authentication" |

Table 1. Companies with exposed vehicle tracking systems labeled based on their country of operation
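The Base64-only password reset noted in Table 1 and in the text above, shown next to a hardened alternative. This is an added example, not code from the article or from the vendor concerned: the weak form encodes the email and secret code with Base64, which any holder of the token can decode; the hardened form issues an HMAC-signed token with an expiry and a single-use nonce. The server key, TTL, and token layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Weak pattern described in the article: Base64 is encoding, not encryption. ---


def weak_reset_token(email: str, code: str) -> str:
    """Anyone holding this token can decode it and recover both email and code."""
    return base64.urlsafe_b64encode(f"{email}:{code}".encode()).decode()


def decode_weak_token(token: str) -> str:
    """No key is needed to reverse the weak token."""
    return base64.urlsafe_b64decode(token.encode()).decode()


# --- Hardened alternative: signed, expiring, single-use token. ---

SERVER_KEY = secrets.token_bytes(32)  # constructed here; keep real keys in a secret store
TOKEN_TTL = 15 * 60  # assumed lifetime in seconds
_used_nonces = set()  # in-memory stand-in for a server-side store of redeemed tokens


def issue_reset_token(email: str, now=None, key: bytes = SERVER_KEY) -> str:
    """Build 'body.signature' where body is the JSON payload and signature is HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = {"email": email, "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def redeem_reset_token(token: str, now=None, key: bytes = SERVER_KEY):
    """Return the email the token authorises a reset for, or None if invalid, expired or reused."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged: signature does not cover this body
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if now > payload["exp"]:
        return None  # expired
    if payload["nonce"] in _used_nonces:
        return None  # already redeemed
    _used_nonces.add(payload["nonce"])
    return payload["email"]


if __name__ == "__main__":
    weak = weak_reset_token("driver@example.com", "483920")
    print(weak, "->", decode_weak_token(weak))
    strong = issue_reset_token("driver@example.com")
    print(redeem_reset_token(strong), redeem_reset_token(strong))  # email, then None
```

The payload of the hardened token is still readable (it is only Base64), which is fine: the protection comes from the signature that nobody without the server key can produce, from the expiry, and from the nonce store that refuses a second redemption.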

Figure 1. A Hungary-based vehicle tracking system company accepting non-HTTPS and authenticating cleartext passwords

Figure 2. A Hungary-based vehicle tracking system API service not employing authentication and exposing cleartext passwords

Over time, cybercriminals can exploit these authentication flaws to extract sensitive information or manipulate vehicle data, potentially leading to operational disruptions, delivery delays, financial losses, reputational damage, and even road accidents. Our findings highlight a serious vulnerability in the login process and emphasize the urgent need to address security weaknesses in fleet management systems.

Securing fleet management systems

Driving behavior, precise vehicle location, customer personally identifiable information (PII), and various telematics data (such as speed and ignition status) are all at risk, and any exposure can impact user safety and privacy. Access to this data typically occurs through web services and APIs, making dedicated API security measures critical. To prevent the misuse or abuse of API services, security efforts must account for misconfigurations, API inventories, and potential vulnerabilities. Strong API security can also deter malicious actors from scraping data for financial gain by making web APIs less accessible.

Moreover, since telematics systems are implemented via APIs, companies must conduct thorough security exercises, including penetration testing and addressing OWASP’s top 10 web application security risks. Encryption mechanisms should be used to securely transfer, process, and store data.
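One concrete form the API inventory and misconfiguration review can take is a static audit of the API description itself. The following added example (not code from the article or from any vendor) walks a constructed OpenAPI 3-shaped inventory and reports servers declared over plain HTTP, operations that disable authentication with an empty `security` list, API keys carried in the query string, and secret-looking query parameters, which covers the patterns behind Figures 1 and 2. The inventory, parameter list, and host names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed inventory in OpenAPI 3 shape (a dict rather than a YAML file so it runs offline).
SPEC = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "http://api.tracker.example/v1"},
        {"url": "https://api.tracker.example/v1"},
    ],
    "components": {
        "securitySchemes": {
            "bearer": {"type": "http", "scheme": "bearer"},
            "key_in_query": {"type": "apiKey", "in": "query", "name": "apikey"},
        }
    },
    # Global default: every operation requires a bearer token unless it overrides this.
    "security": [{"bearer": []}],
    "paths": {
        "/login": {
            "get": {
                "parameters": [
                    {"name": "username", "in": "query"},
                    {"name": "password", "in": "query"},
                ],
                "security": [],  # an empty list switches authentication off for this operation
            }
        },
        "/devices/{id}/position": {"get": {}},  # inherits the global bearer requirement
        "/devices": {"get": {"security": [{"key_in_query": []}]}},
        "/admin/export": {"get": {"security": []}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
SECRET_PARAMS = {"password", "passwd", "pwd", "secret", "token", "apikey", "api_key"}


def audit_spec(spec: dict):
    """Return (kind, location, issue) tuples for each misconfiguration found in the inventory."""
    findings = []
    for server in spec.get("servers", []):
        if urlsplit(server["url"]).scheme == "http":
            findings.append(("server", server["url"], "plain-http-server"))
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Per-operation 'security' (even an empty list) overrides the global requirement.
            security = op.get("security", global_security)
            if not security:
                findings.append(("operation", where, "no-authentication"))
            else:
                for requirement in security:
                    for name in requirement:
                        scheme = schemes.get(name, {})
                        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
                            findings.append(("operation", where, f"api-key-in-query:{name}"))
            for param in op.get("parameters", []):
                if param.get("in") == "query" and param.get("name", "").lower() in SECRET_PARAMS:
                    findings.append(("operation", where, f"secret-in-query:{param['name']}"))
    return findings


if __name__ == "__main__":
    for finding in audit_spec(SPEC):
        print(*finding)
```

Run against the constructed inventory, the audit reports the HTTP server, the unauthenticated GET `/login` with its `password` query parameter, the query-string API key on `/devices`, and the unauthenticated `/admin/export`; the position endpoint inherits the global bearer requirement and is clean. The same walk applies to a real specification loaded from YAML or JSON.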

For electric vehicles (EVs), there are specific fleet management considerations:

  • Battery management: Systems monitor battery health and charge levels, optimizing charging schedules to keep vehicles operational. Maintenance scheduling for software updates and battery systems is a key priority.
  • Cost management: Cost management teams can analyze the total cost of ownership, including electricity vs. fuel expenses, ensuring cost-effectiveness and taking advantage of incentives or rebates for EVs.
  • Vehicle tracking: The focus is on real-time GPS location, usage, and ignition status, ensuring range monitoring to avoid running out of charge. This also includes route optimization to conserve battery life and real-time updates on traffic, weather, and charging station availability.
  • Security and theft prevention: Real-time location tracking makes recovery easier in the event of theft.

As EV adoption grows, fleet management will evolve to include electric trucks and other vehicles, requiring an expanded security perimeter with additional layers of protection. Vulnerabilities such as exposed credentials and weak authentication put sensitive telematics data at risk, potentially leading to serious consequences. By addressing these issues through encryption, API security, and strong authentication protocols, companies can better protect their fleets and EVs as they become central to operations.

VicOne recently partnered with 42Crunch to combat API attacks and vulnerabilities by strengthening the security of the telematics data exchange crucial to the EV ecosystem. As API attacks increase, this collaboration will play a key role in securing data and maintaining the integrity of the EV landscape.
