Do we need cyber cops for cars?


Regulators plan ‘rule-making ready’ research on vehicle control system security.

States nationwide are developing safety guidelines for self-driving cars, but the National Highway Traffic Safety Administration hasn’t even developed safety guidelines for the insecure electronics that come standard in today’s cars.

In response to questions about the status of automotive cybersecurity research and regulations, agency officials said in a statement that “NHTSA is aware of the potential for ‘hackers’ and other cybersecurity issues whenever technology is involved, however, the agency is not aware of any real-world cybersecurity issues in vehicles.” When asked whether NHTSA is developing voluntary recommendations for manufacturers, agency officials referred back to the statement.

Security problems are real, however. They present risks ranging from car theft to crashes. In 2010, a disgruntled former employee of an auto dealership allegedly remotely deactivated the starters of customers’ vehicles. University researchers have shown that intruders can infiltrate the computers tied to virtually every aspect of automobile mechanics, including brakes, speedometers and entertainment consoles. More sophisticated cars present additional threat vectors that also can be exploitable, such as navigation systems and Bluetooth for hands-free calling.

But, practically speaking, regulating car cybersecurity would be a feat for many reasons, according to the researchers and privacy advocates. For one thing, the rule-making process would constantly lag behind quick-morphing cyber threats. Also, NHTSA might not even know what to say, judging by a recent National Academy of Science study that found the agency remains in the early phases of understanding vehicular network security. Some experts reasoned that NHTSA is not acting because the agency typically does not dictate guidelines until a safety issue is pervasive on the road.

“There’s no clear evidence or no clear strict need for regulation at this point,” said John Maddox, who served as NHTSA associate administrator for vehicle safety research until August. “What we do need is to conduct the research to study the problem very carefully.”

Whether or not car cyber defenses should be mandatory is debatable, but most experts agree that regulators, manufacturers and consumers need a better handle on the matter.

At least four institutions and two automobile associations are developing or have developed recommended best practices. In 2011, the Transportation Department’s John A. Volpe National Transportation Systems Center presented NHTSA with industry guidelines. Just last week, an agency official involved in cyber research planning spoke about safety and dependability at a vehicle cybersecurity workshop the University of Maryland hosted.

$10 million for vehicle electronics safety

NHTSA’s 2013 budget request suggests that the agency may be weighing regulations. The document reveals plans to “conduct rule-making ready research to establish electronic requirements for vehicle control systems” in everyday cars. The budget proposes establishing a $10 million program to study cyber risks, starting in 2013.

Under the strategy, new agency personnel would pinpoint problems that could arise in up-and-coming vehicle electronics before they go into production. “We will identify and evaluate potential solutions and countermeasures and evaluate the need for additional standards,” the budget papers state.

The National Academy of Science’s study, which was released in January -- and famously dispelled allegations that Toyota electronics caused unintended acceleration -- urged NHTSA to get up to speed in cyber. And the report criticized the agency for lacking the technical competency to probe the Toyota issue without help. NHTSA’s Office of Vehicle Safety Research does not study cybersecurity, according to the review.

The proposed 2013 cyber plan aligns with the academy’s advice and also would engage other cyber-related federal agencies. The Defense Department’s Cyber Crime Center, the Pentagon’s computer forensics hub, already is examining Ford’s SYNC in-car voice-recognition system to flag potential cyber threats, according to DC3 contractor Lockheed Martin Corp., which is supporting the research.

Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, is watching NHTSA’s movement on cyber concerns, committee aides said. “The chairman is aware of the potential issues revolving around in-car computers,” Rockefeller spokesman Kevin McAlister said. The committee “will work to ensure that NHTSA performs the necessary actions to protect drivers and passengers.”

In the lab and during live road tests, researchers from the University of California, San Diego and the University of Washington completely overrode an assortment of safety-critical systems to, for example, stop a vehicle’s engine.

“The kinds of things you worry about is either that your car is leaking information that you wish to be private,” such as your driving habits or what your passengers are saying, “or that an adversary can control features of your car,” said Stefan Savage, a UCSD computer science professor and principal investigator on the project.

During one expedition, the team was able to access a car’s internal network to disengage the brakes, making it difficult for the driver to stop. The investigators also succeeded in forcing the brakes to deploy, lurching the driver forward. Another demonstration showed how various entry points allow these sorts of attacks, such as specially crafted CDs, mechanics’ diagnostic tools, FM radios and wireless tire pressure sensors.

An actual car hack

The academy cited the team’s work and pointed to an actual cyber incident that highlights these looming dangers. The dealership ex-employee apparently manipulated systems in customer vehicles to disable the engine. By exploiting the program, he deactivated the starters and Global Positioning System units on about 100 vehicles, leaving the owners stranded. “Obviously, had such an attack compromised a vehicle’s power train, braking and other operating systems while being driven, the consequences could have been much more severe,” the academy report stated.

Volpe experts told NHTSA that sector-specific cyber guidelines require strong federal leadership. “Get involved in the rule-making process early,” their recommendations stated. The Federal Aviation Administration, for instance, took part in vulnerability assessments and collaborated with industry to identify incident response techniques.

Some former NHTSA officials say that until there is clear evidence of real-life threats, mandatory standards would be superfluous and costly for manufacturers and the government.

“I’m not ruling out the need for regulation,” but the need has not presented itself yet, said Maddox, now director of collaborative program studies at Texas A&M Transportation Institute.

If the auto industry develops voluntary standards, NHTSA then should consider whether to release its own guidelines, he said. Right now, the U.S. Council for Automotive Research, comprising engineers from Chrysler Group, Ford and General Motors, has a cyber-physical systems task force that is working on cybersecurity controls. The Society for Automotive Engineers also is examining the issue.

Ford officials rolled off a list of cybersecurity precautions they take in designing all their vehicles, including SYNC-enabled cars. The manufacturer “fuzz” tests key interfaces -- a technique that discharges random information at software while security specialists monitor for signs of failure. Ford spokesman Alan Hall said designers simulate possible vulnerabilities during conception by looking at the people, parts, data flows and other functional elements “to determine where we may have issues with things like data integrity, information disclosure, denial of service, escalation of privilege, tampering or spoofing, etc., and then determine one or more mitigation strategies.”

SYNC has a built-in firewall and application white-listing functions that dictate where downloads are permitted to launch in the system. Also, the vehicle control system network is separate from SYNC’s infotainment features, according to Hall. Software updates must be “code-signed,” or validated as Ford-authored, in order to execute, “thus preventing unauthorized software installation and access to private information,” he said.
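The code-signing check described above, written out as an added illustration rather than anything from Ford or from this article: an in-vehicle updater holds a pinned manufacturer public key and refuses to run any update image whose signature does not verify against it. The update container, key names and sample image are assumptions; Ed25519 stands in for whatever signature scheme the real system uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical over-the-air update container: the raw
// firmware image plus a detached signature over the whole image.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

var ErrUntrusted = errors.New("update rejected: signature does not verify against the pinned manufacturer key")

// SignUpdate models what the manufacturer's build system does (assumption):
// it signs the image with the private half of the key pinned in the vehicle.
func SignUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, image)}
}

// VerifyUpdate is the gate the updater runs before executing anything.
// Malformed keys or signatures are rejected outright instead of panicking.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pinned) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return ErrUntrusted
	}
	if !ed25519.Verify(pinned, pkg.Image, pkg.Signature) {
		return ErrUntrusted
	}
	return nil
}

// Demo exercises the three cases that matter: a genuine update is accepted,
// a tampered image is rejected, and an image signed by some other key is rejected.
func Demo() (genuineOK, tamperedRejected, foreignRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // manufacturer key (constructed)
	if err != nil {
		panic(err)
	}
	image := []byte("SYNC-FW v1.2.3 (constructed sample image)")
	pkg := SignUpdate(priv, image)
	genuineOK = VerifyUpdate(pub, pkg) == nil

	tampered := pkg
	tampered.Image = append([]byte{}, pkg.Image...)
	tampered.Image[0] ^= 0x01 // flip one bit after signing
	tamperedRejected = VerifyUpdate(pub, tampered) != nil

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // not the pinned key
	if err != nil {
		panic(err)
	}
	foreignRejected = VerifyUpdate(pub, SignUpdate(otherPriv, image)) != nil
	return
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v foreign key rejected=%v\n", g, t, f)
}
```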

Manufacturers are more up to speed

Maddox said a voluntary regime of cybersecurity safeguards, such as the frameworks the manufacturers are establishing, might be more appropriate for the constantly evolving field of hacking. “The industry would be more knowledgeable and more nimble than government can be in this area,” he said.

Some privacy groups agree that manufacturers should take the lead in creating cyber standards.

“The car manufacturers have a lot of incentive to not put cars on the road that are inherently vulnerable,” said Joseph Lorenzo Hall, senior staff technologist with the Center for Democracy and Technology, a civil liberties organization. If drivers start complaining to NHTSA of “someone messing with you on their OnStar,” the popular support system, that’s where NHTSA might have a role to play, he said. Such a gaping privacy and safety hole might force a recall and ex post facto regulations for cyber safety testing. A car security weakness “probably doesn’t reach their radar until there is big potential for something very bad happening on the road,” he said.

Other civil rights groups, however, back regulations because they believe cyber protections are both necessary and within the agency's authority.

“The potential for drivers in the United States to have their cars tracked or compromised by security flaws in vehicles' embedded computers is a matter of both driver safety and security,” said Amie Stepanovich, associate litigation counsel for the Electronic Privacy Information Center. “Regulations would provide guidance for vehicle manufacturers and baseline protections for all drivers in the United States.”

She added that existing state data breach laws might offer citizens some protections, but such legislation is inconsistent and nonexistent in some states.

The UCSD and University of Washington researchers were reluctant to press for regulations and admitted standards development will take years, but they said they are encouraged by NHTSA’s apparent attention to their findings. “We’ve talked with them many times, we’ve been at workshops with them on the topic . . . From my standpoint there certainly appears to be interest and activity related to better understanding the cybersecurity problem and what to do about it,” Savage said. He said he is not familiar with regulatory politics or NHTSA’s thinking.

“It would be very easy to dictate a set of requirements that would either do little good or would be unworkable in practice,” Savage said. Today’s global marketplace means many hands from many part-makers in many facilities touch U.S. cars. “There are complex supply chain issues here because automotive manufacturers are really integrators. There may be no single person who has access to all the source code that goes into a modern vehicle,” so demanding that manufacturers evaluate the whole vehicle may be unfeasible, he said.

Savage’s research stated that Americans should not be overly afraid of cyber intrusions because of the sophistication required to pull off the hacks demonstrated.

Future cars, however, are at risk because they are expected to offer more wireless connectivity and computer controls, the team found.

“The standards process is going to take a while,” Savage said.


(Image via ambrozinio/Shutterstock.com)
