Headaches likely to grow over auto cybersecurity concerns

GAO report says government and industry efforts to address vehicle cybersecurity are unlikely to provide many benefits for vehicles already operating on the roads today or those currently in the design and production stages

vehicle cyber security
Credit: GOA analysis of stakeholder information

The concerns around the cybersecurity of your car are likely magnify in the near term while experts try to figure out what can be done simply to eliminate risks.

But while some short-term fixes may develop, forthcoming government auto cybersecurity standards won’t happen until at least 2018. Furthermore, technologies, such as message encryption and authentication, which can be used to secure and verify the legitimacy of communications occurring along in-vehicle networks—cannot be incorporated into existing vehicles. Rather, such technologies must be incorporated during the vehicle design and production process, which according to experts, will take approximately 5 years to complete, according to a report out this week by the Government Accountability Office.

+More on Network World: What advanced tech will dominate your car by 2025? IBM knows+

The GAO notes that most modern vehicles contain multiple interfaces—connections between the vehicle and external networks—that leave vehicle systems, including safety-critical systems, such as braking and steering, vulnerable to cyber-attacks.

“Researchers have shown that these interfaces—if not properly secured—can be exploited through direct, physical access to a vehicle, as well as remotely through short-range and long-range wireless channels. For example, researchers have shown that attackers could compromise vulnerabilities in the short-range wireless connections to vehicles' Bluetooth units—which enable hands-free cell phone use—to gain access to in-vehicle networks, to take control over safety-critical functions such as the brakes,” the GAO stated.

+More on Network World: World’s coolest concept cars+

Among the interfaces that can be exploited through direct access, most stakeholders the GAO said it spoke with expressed concerns about the on-board diagnostics port, which provides access to a broad range of vehicle systems for emissions and diagnostic testing purposes.

Some of the other concerns and issues the GAO pointed out include:

  • The Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) has taken steps to address vehicle cybersecurity issues but has not determined the role it would have in responding to a real-world vehicle cyber-attack. For example, NHTSA added more research capabilities in this area and is developing guidance to help the industry determine when cybersecurity vulnerabilities should be considered a safety defect, and thus merit a recall; it expects to issue this guidance by March 31, 2016.
  • Among the interfaces that can be exploited through direct access, most experts the GAO spoke with expressed concerns about the statutorily mandated on-board diagnostics port, which provides access to a broad range of vehicle systems for emissions and diagnostic testing purposes.
  • Wireless attacks, such as those exploiting vulnerabilities in vehicles' built-in cellular-calling capabilities, would pose the largest risk to passenger safety. Such attacks could potentially impact a large number of vehicles and allow an attacker to access targeted vehicles from anywhere in the world. Despite these concerns, some stakeholders pointed out that such attacks remain difficult because of the time and expertise needed to carry them out and thus far have not been reported outside of the research environment.
  • The majority of industry experts GAO spoke with (22 out of 32) indicated that—to the extent possible—automakers should locate safety-critical systems and non-safety-critical systems on separate in-vehicle networks and limit communication between the two types of systems, a concept referred to as “domain separation.” However, some of these stakeholders also pointed out that complete separation is often not possible or practical because some limited communication will likely need to occur between safety-critical and other vehicle systems.
  • The lack of transparency, communication, and collaboration regarding vehicles' cybersecurity among the various levels of the automotive supply chain and the cost of incorporating cybersecurity protections into vehicles are two of the most frequently cited challenges to auto cybersecurity.
  • Two U.S. industry associations have been leading the effort to establish an Automotive Information Sharing and Analysis Center (ISAC) to collect and analyze intelligence information and provide a forum for members to anonymously share threat and vulnerability information with one another. Selected industry stakeholders GAO spoke to, as well as DOT officials, generally expressed positive views regarding the potential effectiveness of an Automotive ISAC.
  • DOT publications have indicated that a modern luxury vehicle could contain as much as 100 million lines of software code. In comparison, a Boeing 787 Dreamliner has about 6.5 million lines of software code. According to researchers and others, the use of software in vehicles is likely to increase as more advanced vehicle technologies and connected vehicle technologies are incorporated into autos.
  • As lines of software code in vehicles increases, so does the potential for software errors, such as coding errors, and related vulnerabilities.
  • While the possibility that remote cyberattacks could occur outside theresearch environment is concerning, some experts have also pointed out that attacks comparable to the hacking demonstrations so far would be complex to execute. Specifically, most of these stakeholders noted that such attacks would likely require a high level of hacking sophistication, including specialized knowledge. 
  • In addition, one leading researcher predicted that those who would execute remote cyberattacks would be those with previous experience hacking into other computer systems; for someone with no such experience, hacking into a vehicle remotely would be very difficult. To date, there have been no remote cyberattacks with safety impacts reported outside of the research environment. In addition, determining the risk that such a remote cyberattack will occur in the near future is challenging, especially because of the difficulty of predicting the actions of cyber attackers and since modern vehicles’ designs vary widely (with some vehicle makes and models more vulnerable than others to such an attack). 
  • However, most selected industry stakeholders GAO interviewed (26 out of 32)expressed concerns that real-world attacks with safety implications could occur in the near future, particularly as automakers begin deploying autonomous (i.e., self-driving) vehicles and connected-vehicle technologies. For instance, some observers expressed concerns that as vehicles become increasingly autonomous–and assume control of more functions traditionally controlled by the driver such as steering and braking—it could become easier for remote cyberattacks to reach vehicles’ safety-critical systems. This is because autonomous vehicles’ systems will be tightly linked and highly responsive to inputs from external systems, such as sensors and the Global Positioning System, much more so than they currently are today.  
  • Check out these other hot stories:

More protection needed to guard grid from electromagnetic storm threat

US Marshals set to auction fraudster’s $1.5M high-end auto collection

NASA gives solar ionic propulsion a monster boost

‎DARPA: Researchers develop chip part that could double wireless frequency capacity

Top 10 space junk missions

Energy Dept. serves-up $30M for future connected, automated cars

IRS: Tax deadline looms, scammers get more frantic

Trade commission will review contentious Cisco-Arista patent dispute

FBI offers $25k reward for Andy Warhol Campbell’s Soup painting heist

DARPA moves toward spacecraft that can fly 10X in 10-days

10 best cloud SLA practices

The birth of IT: The IBM System/360 hails 52

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.