Regulators plan ‘rule-making ready’ research on vehicle control system security.
States nationwide are developing safety guidelines for self-driving cars, but the National Highway Traffic Safety Administration hasn’t even developed safety guidelines for the insecure electronics that come standard in today’s cars.
In response to questions about the status of automotive cybersecurity research and regulations, agency officials said in a statement that “NHTSA is aware of the potential for ‘hackers’ and other cybersecurity issues whenever technology is involved, however, the agency is not aware of any real-world cybersecurity issues in vehicles.” When asked whether NHTSA is developing voluntary recommendations for manufacturers, agency officials referred back to the statement.
Security problems are real, however. They present risks ranging from car theft to crashes. In 2010, a disgruntled former employee of an auto dealership allegedly remotely deactivated the starters of customers’ vehicles. University researchers have shown that intruders can infiltrate the computers tied to virtually every aspect of automobile mechanics, including brakes, speedometers and entertainment consoles. More sophisticated cars present additional threat vectors that also can be exploited, such as navigation systems and Bluetooth for hands-free calling.
But, practically speaking, regulating car cybersecurity would be a feat for many reasons, according to the researchers and privacy advocates. For one thing, the rule-making process would constantly lag behind quick-morphing cyber threats. Also, NHTSA might not even know what to say, judging by a recent National Academy of Science study that found the agency remains in the early phases of understanding vehicular network security. Some experts reasoned that NHTSA is not acting because the agency typically does not dictate guidelines until a safety issue is pervasive on the road.
“There’s no clear evidence or no clear strict need for regulation at this point,” said John Maddox, who served as NHTSA associate administrator for vehicle safety research until August. “What we do need is to conduct the research to study the problem very carefully.”
Whether or not car cyber defenses should be mandatory is debatable, but most experts agree that regulators, manufacturers and consumers need a better handle on the matter.
At least four institutions and two automobile associations are developing or have developed recommended best practices. In 2011, the Transportation Department’s John A. Volpe National Transportation Systems Center presented NHTSA with industry guidelines. Just last week, an agency official involved in cyber research planning spoke about safety and dependability at a vehicle cybersecurity workshop the University of Maryland hosted.
$10 million for vehicle electronics safety
NHTSA’s 2013 budget request suggests that the agency may be weighing regulations. The document reveals plans to “conduct rule-making ready research to establish electronic requirements for vehicle control systems” in everyday cars. The budget proposes establishing a $10 million program to study cyber risks, starting in 2013.
Under the strategy, new agency personnel would pinpoint problems that could arise in up-and-coming vehicle electronics before they go into production. “We will identify and evaluate potential solutions and countermeasures and evaluate the need for additional standards,” the budget papers state.
The National Academy of Science’s study, which was released in January -- and famously dispelled allegations that Toyota electronics caused unintended acceleration -- urged NHTSA to get up to speed in cyber. And the report criticized the agency for lacking the technical competency to probe the Toyota issue without help. NHTSA’s Office of Vehicle Safety Research does not study cybersecurity, according to the review.
The proposed 2013 cyber plan aligns with the academy’s advice and also would engage other cyber-related federal agencies. The Defense Department’s Cyber Crime Center, the Pentagon’s computer forensics hub, already is examining Ford’s SYNC in-car voice-recognition system to flag potential cyber threats, according to DC3 contractor Lockheed Martin Corp., which is supporting the research.
Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, is watching NHTSA’s movement on cyber concerns, committee aides said. “The chairman is aware of the potential issues revolving around in-car computers,” Rockefeller spokesman Kevin McAlister said. The committee “will work to ensure that NHTSA performs the necessary actions to protect drivers and passengers.”
In the lab and during live road tests, researchers from the University of California, San Diego and the University of Washington completely overrode an assortment of safety-critical systems to, for example, stop a vehicle’s engine.
“The kinds of things you worry about is either that your car is leaking information that you wish to be private,” such as your driving habits or what your passengers are saying, “or that an adversary can control features of your car,” said Stefan Savage, a UCSD computer science professor and principal investigator on the project.
During one expedition, the team was able to access a car’s internal network to disengage the brakes, making it difficult for the driver to stop. The investigators also succeeded in forcing the brakes to deploy, lurching the driver forward. Another demonstration showed how various entry points allow these sorts of attacks, such as specially crafted CDs, mechanics’ diagnostic tools, FM radios and wireless tire pressure sensors.
An actual car hack
The academy cited the team’s work and pointed to an actual cyber incident that highlights these looming dangers. The dealership ex-employee apparently manipulated systems in customer vehicles to disable the engine. By exploiting the program, he deactivated the starters and Global Positioning System units on about 100 vehicles, leaving the owners stranded. “Obviously, had such an attack compromised a vehicle’s power train, braking and other operating systems while being driven, the consequences could have been much more severe,” the academy report stated.
Volpe experts told NHTSA that sector-specific cyber guidelines require strong federal leadership. “Get involved in the rule-making process early,” their recommendations stated. The Federal Aviation Administration, for instance, took part in vulnerability assessments and collaborated with industry to identify incident response techniques.
Some former NHTSA officials say that until there is clear evidence of real-life threats, mandatory standards would be superfluous and costly for manufacturers and the government.
“I’m not ruling out the need for regulation,” but the need has not presented itself yet, said Maddox, now director of collaborative program studies at Texas A&M Transportation Institute.
If the auto industry develops voluntary standards, NHTSA then should consider whether to release its own guidelines, he said. Right now, the U.S. Council for Automotive Research, comprising engineers from Chrysler Group, Ford and General Motors, has a cyber-physical systems task force that is working on cybersecurity controls. The Society for Automotive Engineers also is examining the issue.
Ford officials reeled off a list of cybersecurity precautions they take in designing all their vehicles, including SYNC-enabled cars. The manufacturer “fuzz” tests key interfaces -- a technique that feeds random data to software while security specialists monitor for signs of failure. Ford spokesman Alan Hall said designers simulate possible vulnerabilities during conception by looking at the people, parts, data flows and other functional elements “to determine where we may have issues with things like data integrity, information disclosure, denial of service, escalation of privilege, tampering or spoofing, etc., and then determine one or more mitigation strategies.”
SYNC has a built-in firewall and application white-listing functions that dictate where downloads are permitted to launch in the system. Also, the vehicle control system network is separate from SYNC’s infotainment features, according to Hall. Software updates must be “code-signed,” or validated as Ford-authored, in order to execute, “thus preventing unauthorized software installation and access to private information,” he said.
Manufacturers are more up to speed
Maddox said a voluntary regime of cybersecurity safeguards, such as the frameworks the manufacturers are establishing, might be more appropriate for the constantly evolving field of hacking. “The industry would be more knowledgeable and more nimble than government can be in this area,” he said.
Some privacy groups agree that manufacturers should take the lead in creating cyber standards.
“The car manufacturers have a lot of incentive to not put cars on the road that are inherently vulnerable,” said Joseph Lorenzo Hall, senior staff technologist with the Center for Democracy and Technology, a civil liberties organization. If drivers start complaining to NHTSA of “someone messing with you on their OnStar,” the popular support system, that’s where NHTSA might have a role to play, he said. Such a gaping privacy and safety hole might force a recall and ex post facto regulations for cyber safety testing. A car security weakness “probably doesn’t reach their radar until there is big potential for something very bad happening on the road,” he said.
Other civil rights groups, however, back regulations because they believe cyber protections are both necessary and within the agency's authority.
“The potential for drivers in the United States to have their cars tracked or compromised by security flaws in vehicles' embedded computers is a matter of both driver safety and security,” said Amie Stepanovich, associate litigation counsel for the Electronic Privacy Information Center. “Regulations would provide guidance for vehicle manufacturers and baseline protections for all drivers in the United States.”
She added that existing state data breach laws might offer citizens some protections, but such legislation is inconsistent and, in some states, nonexistent.
The UCSD and University of Washington researchers were reluctant to press for regulations and admitted standards development will take years, but they said they are encouraged by NHTSA’s apparent attention to their findings. “We’ve talked with them many times, we’ve been at workshops with them on the topic . . . From my standpoint there certainly appears to be interest and activity related to better understanding the cybersecurity problem and what to do about it,” Savage said. He said he is not familiar with regulatory politics or NHTSA’s thinking.
“It would be very easy to dictate a set of requirements that would either do little good or would be unworkable in practice,” Savage said. Today’s global marketplace means many hands from many part-makers in many facilities touch U.S. cars. “There are complex supply chain issues here because automotive manufacturers are really integrators. There may be no single person who has access to all the source code that goes into a modern vehicle,” so demanding that manufacturers evaluate the whole vehicle may be unfeasible, he said.
Savage’s research stated that Americans should not be overly afraid of cyber intrusions because of the sophistication required to pull off the hacks demonstrated.
Future cars, however, are at risk because they are expected to offer more wireless connectivity and computer controls, the team found.
“The standards process is going to take a while,” Savage said.