To be honest, I chose this topic because of a personal experience. On my way back from Oslo, I was a bit surprised when the airline staff at the gate asked me to show my boarding pass in the mobile app instead of scanning it at the counter as usual. Later, I read about a cyberattack on Collins Aerospace’s MUSE software, which affected several major European airports. Apparently, I couldn’t stop thinking about this for the next few hours.
By nature, telematics solutions are both powerful and convenient. Trip data, CAN bus information, device management, analytics, process automation – all of it revolves around the cloud, APIs, and hundreds of connected devices in the field. But the more data flows through this chain and the more complex the infrastructure becomes, the greater the interest not only from clients but also from those who want to steal, alter, or exploit this data for their own purposes.
Attacks on telematics services are becoming less rare and far more sophisticated. It’s not only trackers that are under fire, but also drivers’ personal data, integrators’ accounts, API tokens, and even the business logic of entire platforms. In this article, I’ll give a quick overview of the main pain points and risks, along with some advice on how to avoid at least the most common pitfalls.
OEMs are next in line?
Car manufacturers are facing a new reality: vehicles are becoming increasingly “connected,” and with that, the risks are growing too. In 2021, there were about 237 million connected cars worldwide. By 2025, that number will surpass 400 million (Statista). Back in 2020, only 30 million new cars were sold with internet features – just 41% of the market. By 2030, almost all of them will be connected – around 96% of new cars sold.
Here’s the challenge. OEM infrastructure is no longer limited to factories and internal IT systems. It has grown into a massive ecosystem: cloud services for telematics and fleet management, OTA updates and remote diagnostics, plus systems for manufacturing, development, and employee support. Some of these services come from third-party vendors, and networks within OEMs are not always segmented the way they should be.
The result is a single interconnected system, where one weak link can open the door for attackers to the entire network. And the more vehicles come online, the more attractive this target becomes.
Fleet management systems
You might not remember any news from September last year, but Toyota’s U.S. division certainly does. Hackers from the ZeroSevenGroup stole 240 GB of data, including information about employees, customers, contracts, and even the company’s network infrastructure. A full report on the damage still hasn’t been published. At first, Toyota admitted the theft, then backtracked and claimed that one of its subsidiaries had been attacked instead. Either way, this case showed how a flaw in a single element can lead to a leak of sensitive data and compromise the entire infrastructure.
More recently, in June of this year, cybersecurity experts reported a serious vulnerability in the fleet management system of Assured Telematics Inc. (ATI). This product is used by transportation companies worldwide to monitor and control vehicle operations, as well as to store and process related data. The issue allowed an unauthenticated user to remotely access internal system information, collect details about file structures and software versions, and, in some cases, even obtain administrative accounts. If actively exploited, this could have resulted in stolen driver data, disclosure of transport routes, and exposure of vehicle locations.
The vendor quickly released a patch, since all versions before February 6, 2025, might have been affected. Although no confirmed cases of exploitation had been reported at the time of publication, this incident clearly demonstrated that telematics systems remain a prime target for cybercriminals. Data about the movement of vehicles and cargo is a valuable asset, and if it falls into the wrong hands, the risks extend beyond cybersecurity into the realm of real business and critical infrastructure threats. But does a system have to be complex to become a target?
Devices
Even a simple GPS tracker can become a gateway into the system. Many devices ship with default logins and passwords that are rarely changed. Old firmware often contains unpatched vulnerabilities. If a malicious actor gains access to such a tracker, they can intercept data about location, speed, and driver behavior.
A single compromised tracker can provide attackers with a foothold to move deeper into the infrastructure. In large fleets, this is especially critical – thousands of devices create thousands of potential entry points. Newer models come with TLS and authentication, but millions of older units in the field remain vulnerable. This is why monitoring firmware versions and keeping devices updated is a cornerstone of telematics security.
Take, for example, an asset tracker installed in a 40-foot shipping container. It can be jammed or spoofed with fake coordinates, and while you’re waiting for your cargo to be unloaded in Singapore, the container may already be on a trailer headed to Hungary.
BLE tags are widely used for warehouse, logistics, and indoor tracking. They’re compact, inexpensive, and transmit signals over a short range to gateways or smartphones. Modern versions of Bluetooth have strengthened protection with encryption and secure pairing, but radio signals remain inherently open – any receiver nearby can detect the device. Attackers can read tag identifiers, and with vulnerabilities in firmware or protocol implementations, even replay the signal to create a false impression of an asset’s location. The firmware on such tags is often simple and rarely updated, and the protection of data transmission channels is minimal or non-existent.
Channels
In the flespi architecture, there is another layer – the entry point for all traffic, the place where devices first interact with the platform. And this layer comes with its own specifics and risks that must be taken into account.
At the channel level, we provide a solid set of measures – traffic encryption with TLS 1.3, support for custom certificates, unique endpoints, IP whitelisting and filtering. The infrastructure is protected against DDoS attacks and invalid traffic, and all connection attempts are logged in detail. Still, it’s important to understand the weak points: by default, a channel accepts connections from any IP, and if additional filters are not enabled, this leaves unnecessary opportunities for attackers. An incomplete security configuration can turn the channel into the weakest link – one that is easy to overlook, yet directly critical for the security of the entire system.
Protocols
Communication between devices happens through protocols – their “languages.” On flespi alone, there are more than a hundred integrated protocols, each with its own level of security maturity, because every manufacturer has its own perspective on data protection.
Most telematics protocols were originally designed without encryption or TLS support. Even when newer devices and protocols are capable of using secure channels, many operators and integrators either don’t enable these features or don’t know they exist. This creates a serious issue: location and behavioral data may be transmitted in plain text, making it easy to intercept or manipulate. New protocols are more secure, but millions of devices still rely on older, insecure channels, and the consequences can be severe – from data leaks to direct interference with equipment.
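A review of channel connection logs for the two gaps described above (sources outside an IP allow-list, and devices still sending in plain text), added here as an example and not flespi code. The log format, networks and device identifiers are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Networks the fleet's connectivity provider is expected to use (constructed).
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]

# Constructed log lines: "<timestamp> <source ip> <device ident> <tls|plain>"
LOG = """\
2025-10-01T08:00:01Z 10.20.4.17 356000000000001 tls
2025-10-01T08:00:05Z 198.51.100.9 356000000000002 plain
2025-10-01T08:01:12Z 203.0.113.50 356000000000001 tls
2025-10-01T08:01:13Z 203.0.113.50 356000000000003 plain
2025-10-01T08:02:40Z not-an-ip 356000000000004 tls
"""

def review(log=LOG, allowed=ALLOWED):
    """Group findings a channel owner would act on before enabling IP filters."""
    report = {"outside_allowlist": defaultdict(set), "plaintext": set(), "malformed": []}
    for lineno, line in enumerate(log.splitlines(), 1):
        try:
            _, src, ident, transport = line.split()
            ip = ipaddress.ip_address(src)
        except ValueError:
            # Wrong field count or unparsable address: keep the line number for follow-up.
            report["malformed"].append(lineno)
            continue
        if not any(ip in net for net in allowed):
            # Record which device identifiers were presented from the unexpected source.
            report["outside_allowlist"][src].add(ident)
        if transport != "tls":
            report["plaintext"].add(ident)
    return report

if __name__ == "__main__":
    result = review()
    for src, idents in result["outside_allowlist"].items():
        print(f"unexpected source {src}: idents {sorted(idents)}")
    print("plaintext devices:", sorted(result["plaintext"]))
    print("malformed lines:", result["malformed"])
```

An identifier that shows up from both an allow-listed and an unexpected address (the first device in the sample) deserves a closer look before the filter is switched on.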
Access levels
Even if you’re confident that you’re using a protocol with the highest available security, the next weak spot often turns out to be the human factor – specifically, access rights. “Never-expiring tokens,” forgotten API keys, logins passed between employees – this is everyday reality. The problem often lies in neglecting ACL settings: who really has access to what. The “least privilege” principle is ignored all too often.
Yes, you can restore deleted devices or even whole channels from the recycle bin (if the channel's URL has not been taken by another channel). But the philosophy of our platform does not limit the number of operations, including bulk device deletions via a single REST API request. So if you accidentally grant access to a third party (say, an unscrupulous contractor), you may one day find yourself staring at an empty dashboard.
This is why it’s worth conducting a basic security audit: review your tokens, access levels, and who exactly has permissions. Don’t forget that employees leave and join, and thorough offboarding is just as important as onboarding. Token expiration and rotation, user activity logs, changes to primary emails – all of these need attention. And of course, training and accountability are critical, so that your team understands the consequences of different access levels.
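The basic audit described above, sketched as an added example (not flespi code and not its token schema). The inventory, field names, staff list and thresholds are all hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory; field names are hypothetical, not a platform schema.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
ACTIVE_STAFF = {"anna", "boris"}
TOKENS = [
    {"id": 1, "owner": "anna", "expires": None, "created": "2023-01-10",
     "last_used": "2025-09-30", "acl": ["*"]},
    {"id": 2, "owner": "boris", "expires": "2025-12-01", "created": "2025-09-01",
     "last_used": "2025-09-29", "acl": ["GET devices"]},
    {"id": 3, "owner": "contractor-x", "expires": "2026-01-01", "created": "2025-01-01",
     "last_used": "2025-03-02", "acl": ["GET devices", "DELETE devices"]},
]

def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit_token(tok, now=NOW, staff=ACTIVE_STAFF, max_age_days=90, idle_days=60):
    """Return the list of findings for one token, in a fixed order."""
    findings = []
    if tok["expires"] is None:
        findings.append("never-expires")
    if now - _day(tok["created"]) > timedelta(days=max_age_days):
        findings.append("rotation-overdue")
    if now - _day(tok["last_used"]) > timedelta(days=idle_days):
        findings.append("idle")              # likely a forgotten key
    if tok["owner"] not in staff:
        findings.append("owner-offboarded")  # access outlived the person
    if "*" in tok["acl"]:
        findings.append("full-access")       # least privilege not applied
    elif any(rule.split()[0] == "DELETE" for rule in tok["acl"]):
        findings.append("can-delete")        # could empty the dashboard
    return findings

def audit(tokens=TOKENS):
    """Map token id -> findings, omitting tokens with nothing to report."""
    return {t["id"]: f for t in tokens if (f := audit_token(t))}

if __name__ == "__main__":
    for token_id, findings in audit().items():
        print(token_id, ", ".join(findings))
```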
So, is it really that bad?
It depends on how you look at it. The value of any hack comes down to the tools and resources an attacker is willing to commit. In theory, anything can be breached. But if a system is hardened to the point of exhaustion, chances are the attacker will simply give up. Hacktivists might poke around and test your defenses, while black-hat hackers need a strong incentive – after all, it’s a serious crime.
But that’s not the only reason why you can’t “ignore” security. This isn’t just about defending against abstract threats – it’s about control over your business. Security is not a one-time project; it’s an ongoing process, and in today’s world, it matters more than ever.
Telematics platforms provide flexibility and access, but that’s only part of the picture. The problem is that security in telematics often remains invisible. There’s no error on the dashboard, no push notification. Everything looks fine – until someone walks away with an API key that has full privileges or intercepts traffic between a device and the server.
While flespi provides comprehensive security tools, proper implementation and ongoing monitoring are crucial for maintaining a secure telematics infrastructure. In 2025, ignoring cybersecurity means knowingly taking risks. And instead of fixing the aftermath, it’s much simpler (and cheaper) to revisit your access policies, strengthen encryption, and make security audits part of your everyday routine.
Stay safe, and stay secure. :)