Intruders can tap into vehicle systems to access cellphone calls, GPS signals—even the brakes—with no industry regulations in sight.
A U.S. senator drives from Capitol Hill to her home in Virginia, listening to the CD a constituent gave her. Going with the speed of traffic at 60 miles per hour, her brakes suddenly engage. Then an SUV rams the politician’s sedan from behind, killing her on impact. It turns out an extremist assassin had hijacked the car’s controls after infecting the CD with malicious code that penetrated the vehicle’s network.
In another scenario, two intelligence agents driving to CIA headquarters get a call from their branch chief, which the driver answers on a hands-free Bluetooth connection. After hanging up, the agents brainstorm how to pursue the tip they’ve just received while a foreign intelligence operative records their conversation. The adversary had cracked the Bluetooth system to bug the in-car microphone.
Think about cyber threats and probably the last thing that comes to mind is your car. But cars can expose personal information through features like OnStar and Ford SYNC. Hackers can unlock the doors, kill the engine and deactivate the starter. For now, the chances of such exploits happening at this point are slim, given the sophisticated technical skills required. But they will become easier as car systems become more intertwined with commercial communications networks.
Researchers have proved during live road tests that these wireless attacks can work. Aggressive driving could take on new meaning in the absence of cyber rules for the road.
Wireless services like SYNC and OnStar embedded in an in-dash electronics panel can offer attackers access to personal information and critical operational components, like brakes.
Bluetooth and cellular links have “roots in other worlds,” says Stefan Savage, a Univer-sity of California, San Diego computer science professor and principal investigator on the hack experiments. “Bluetooth is not just used in your car. It’s used in your iPod. It’s a very general protocol that’s designed to do a lot of different things and that tends to create problems.”
The really scary part: There are no guidelines for automobile cyber safety. Regulators either won’t or can’t do much about the risks.
In response to questions about the status of network security research and mandates, National Highway Traffic Safety Administration officials said in a statement that “NHTSA is aware of the potential for ‘hackers’ and other cybersecurity issues whenever technology is involved; however, the agency is not aware of any real-world cybersecurity issues in vehicles.” When asked by Government Executive whether NHTSA is developing recommendations for manufacturers, officials referred back to the statement.
Security problems are real, however. In 2010, a disgruntled former employee of an auto dealership allegedly remotely deactivated the ignition systems of customers’ vehicles in Austin, Texas. That same year, the researchers showed how intruders can infiltrate computers tied to virtually every aspect of a car’s functionality, including speedometers and entertainment consoles.
Practically speaking, regulating cybersecurity on the road would be a feat for many reasons, say academics and privacy advocates. For one thing, the rule-making process would constantly lag behind quick-morphing threats. Also, NHTSA might not even know what to say, judging by a recent National Academy of Sciences study that found the agency is in the early stages of understanding vehicular network security. Some experts reason that NHTSA is not acting because the agency typically doesn’t until a safety issue is pervasive on the road.
“There’s no clear evidence or no clear strict need for regulation at this point,” says John Maddox, who was NHTSA’s associate administrator for vehicle safety research until August 2012. “What we do need is to conduct the research to study the problem very carefully.”
Most experts agree that regulators, manufacturers and consumers must get a better handle on vehicle cyber defenses.
At least four institutions and two automobile associations are developing recommended best practices. In 2011, the Transportation Department’s John A. Volpe National Transportation Systems Center presented NHTSA with advice on how to go about drafting guidelines. In November 2012, an agency official involved in cyber research planning spoke out about car safety and dependability at a workshop the University of Maryland hosted.
Revving Up Research
NHTSA’s 2013 budget request suggests that the agency may be weighing regulations. The document reveals plans to “conduct rule-making-ready research to establish electronic requirements for vehicle control systems” in everyday cars. The budget proposes establishing a $10 million program to study cyber risks, starting this year.
The National Academy of Sciences’ study, which was released in January 2012—and famously dispelled allegations that Toyota electronics caused unintended acceleration—urged NHTSA to get up to speed in cyber. The report criticized the agency for lacking the technical competency to probe the Toyota issue without outside help. NHTSA’s Office of Vehicle Safety Research does not study cybersecurity, according to the academy.
The proposed 2013 agenda aligns with the academy’s advice and also would involve other cyber-related federal agencies. Already, the Defense Department’s Cyber Crime Center, which is the Pentagon’s computer forensics hub, has examined the SYNC in-car voice- recognition system to flag potential threats, according to contractor Lockheed Martin Corp. Under the budget strategy, NHTSA staff would attempt to pinpoint problems in car electronics before they go into production.
Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, plans to follow the regulator’s progress in charting cyber concerns, committee aides say. “The chairman is aware of the potential issues revolving around in-car computers,” Rockefeller spokesman Kevin McAlister says, noting the committee “will work to ensure that NHTSA performs the necessary actions to protect drivers and passengers.”
In the lab, researchers from UC San Diego and the University of Washington overrode an assortment of car safety systems, unafraid to meddle with the engine. “The kinds of things you worry about is either that your car is leaking information that you wish to be private,” such as your driving habits or what your passengers are saying, “or that an adversary can control features of your car,” Savage says.
During one expedition, the team was able to access a car’s internal network to disengage the brakes, making it difficult for the driver to stop. The investigators also succeeded in forcing the brakes to deploy, lurching the driver forward. Another demonstration showed how seemingly innocuous car tools facilitate these sorts of attacks, such as infected music CDs, FM radios and wireless tire pressure sensors.
Citing the researchers’ work, the academy pointed to an actual cyber incident that highlights looming dangers. The dealership ex-employee reportedly manipulated in-car systems that lock the engine when clients skip payments—essentially an alternative to repossession. By exploiting the program, he immobilized the starters and Global Positioning Systems on about 100 vehicles, leaving drivers’ parked cars stranded. “Obviously, had such an attack compromised a vehicle’s power train, braking and other operating systems while being driven, the consequences could have been much more severe,” the academy report stated.
Perhaps the creepiest situation, albeit highly theoretical, is one in which thugs send unwitting drivers on suicide missions. “One can easily envision hypothetical cyberwar or terrorist scenarios,” in which attackers commandeer vehicles en masse via an infected audio file “and then, later, trigger them to simultaneously disengage the brakes when driving at high speed,” the research team speculated.
Some former NHTSA officials say that until there is hard proof of real-life threats, mandatory standards would be superfluous and costly for manufacturers and the government. “I’m not ruling out the need for regulation,” but it has not presented itself yet, says Maddox, now director of collaborative program studies at the Texas A&M Transportation Institute.
If the auto industry develops voluntary standards, NHTSA then should consider whether to release its own guidelines, he says. The U.S. Council for Automotive Research, which includes engineers from Chrysler Group, Ford Motor Co. and General Motors, has deputized a task force to work on cybersecurity controls. SAE International, an association of automotive engineers, also is examining the issue.
Ford officials rolled off a list of cybersecurity precautions they take in assembling vehicles, including SYNC-enabled cars. The manufacturer checks key interfaces in “fuzz” tests—a technique that spews random information at automobile software while specialists monitor for signs of failure. Ford spokesman Alan Hall says specialists simulate possible vulnerabilities during production by looking at the people, parts, data flows and other functional elements “to determine where we may have issues with things like data integrity, information disclosure, denial of service, escalation of privilege, tampering or spoofing, etc., and then determine one or more mitigation strategies.”
SYNC has a built-in firewall and an application white-listing function that dictates which programs can be launched in car systems. Also, the vehicle control system network is separate from SYNC’s infotainment features, according to Hall. Software updates must be “code-signed,” or validated as Ford-authored to launch, “thus preventing unauthorized software installation and access to private information,” he says.
Maddox says a voluntary regime of cybersecurity safeguards, like the manufacturers’ ongoing efforts, might be appropriate for the constantly evolving field of hacking. “The industry would be more knowledgeable and more nimble than government can be in this area,” he says. Some privacy groups agree that automotive companies should take the lead in writing cyber standards. “The car manufacturers have a lot of incentive to not put cars on the road that are inherently vulnerable,” says Joseph Lorenzo Hall, senior staff technologist with the Center for Democracy and Technology, a civil liberties organization.
If drivers start complaining about “someone messing with you on their OnStar,” that’s where NHTSA might have to step in, he says. Such a gaping security hole might force a recall and ex post facto regulations for cyber safety tests. A computer weakness “probably doesn’t reach their radar until there is big potential for something very bad happening on the road,” he adds.
Other activists, however, want hard regulations because they believe rules are both necessary and within the agency’s authority to hand down.
“The potential for drivers in the United States to have their cars tracked or compromised by security flaws in vehicles’ embedded computers is a matter of both driver safety and security,” says Amie Stepanovich, associate litigation counsel for the Electronic Privacy Information Center. “Regulations would provide guidance for vehicle manufacturers and baseline protections for all drivers in the United States.” She adds that existing state data breach laws might offer citizens some protections, but such legislation is inconsistent and nonexistent in some states.
The university researchers are reluctant to press for regulations, acknowledging standards development will be challenging, but they are encouraged by NHTSA’s apparent attention to their studies. “We’ve talked with them many times, we’ve been at workshops with them on the topic . . . From my standpoint there certainly appears to be interest and activity related to better understanding the cybersecurity problem and what to do about it,” Savage says. He says he is not familiar with regulatory politics or NHTSA’s thinking.
“It would be very easy to dictate a set of requirements that would either do little good or would be unworkable in practice,” Savage says. Today’s global marketplace means many hands from many part-makers in many facilities touch U.S. cars. “There are complex supply chain issues here because automotive manufacturers are really integrators. There may be no single person who has access to all the source code that goes into a modern vehicle,” he says, adding that requiring manufacturers to test the whole vehicle may be unfeasible.
Savage adds, “The standards process is going to take a while.”