Why Car-Hacking Could Threaten the Federal Government

Elon Musk, CEO of Tesla Motors Inc., introduces the Model X car at the company's headquarters Tuesday, Sept. 29, 2015, in Fremont, Calif.

Elon Musk, CEO of Tesla Motors Inc., introduces the Model X car at the company's headquarters Tuesday, Sept. 29, 2015, in Fremont, Calif. Marcio Jose Sanchez

Featured eBooks

Digital First
Cybersecurity & the Road Ahead
Emerging Technology Trends

A report on vehicle cybersecurity found that modern cars, especially those made in 2015 or later, are highly susceptible to hacking.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

If you are like me, you probably think the concept of a self-driving car is pretty cool. Let me sleep an extra hour in the back while my vehicle navigates the morning Beltway traffic any day. Tesla Motors is even working to try and make self-drivers look cool.

But while true self-driving cars are likely years away from mainstream use, many motorists may one day be surprised to discover they are already, sort of, driving one right now.

The latest Government Accountability Office vehicle cybersecurity report found that modern cars, especially those made in 2015 or later, are highly susceptible to hacking that could allow for the remote takeover of the vehicle.

The problem, according to the report, is that new systems and features, some of them for safety and some for comfort, are constantly being added to new models.

In 2009, a typical vehicle had about 50 embedded electronic control systems. Today, many cars rolling off the assembly lines have 100 or more. And those systems are increasingly complex, able to communicate with other systems within the vehicle, onboard control computers and even remotely back to data collection servers.

Many of these systems have been put into vehicles with almost no thought about cybersecurity, and quite a few use verbose, inefficient and nonstandard code – which makes them even more vulnerable.

“Department of Transportation publications have indicated that a modern luxury vehicle could contain as much as 100 million lines of software code,” the GAO report states. “In comparison, a Boeing 787 Dreamliner has about 6.5 million lines of software code. An F-22 fighter has a mere 1.7 million lines.”

So far, nobody has reported having their vehicle cyberattacked while driving, but researchers have proven it is possible.

In 2015, hackers demonstrated some of the vulnerabilities by killing the engine of a Jeep while it was, in a test environment, speeding down the highway. This lead to the very first cybersecurity recall, when Fiat Chrysler issued one that affected 1.4 million of its cars.

Fiat Chrysler got caught behind a bad publicity storm after that incident and pretty much had to issue the recall, but no actual laws yet require any type of cybersecurity standards for vehicles.

The National Highway Traffic Safety Administration is studying the issue, but won’t make a recommendation about new standards until at least 2018. Millions of vehicles will be produced between now and then, with each generation more susceptible to remote tampering than the last.

Given that the federal government is the owner of one of the largest fleets of vehicles in the world, the cybersecurity health of such a valuable asset pool should probably be a priority.

What if someone figures out a glitch that shuts down all the mail trucks? And then, there are special vehicles to worry about, like the presidential limousine. Does it have any special, antivirus-like software protecting its systems from remote hacking, or is it just as vulnerable, or even more so, than my Hyundai Elantra?

I decided against calling the White House Press Office and asking “Can the president’s limo be hacked?”

But if I had to guess, I would say the in-vehicle electronics like the conferencing equipment and other IT devices are most certainly shielded and encrypted, but perhaps not the normal vehicle systems like power steering, tire pressure monitors and climate controls found in most cars. I hope they are protected, but it would be easy enough to overlook something in those 100 million or so lines of code.

Waiting until 2018 to even recommend a way to patch cyber vulnerabilities in vehicles may be far too long. The only factors preventing some type of mass vehicle hacking epidemic right now are that doing something like that would require an incredibly high level of skill, and there would probably be no profit in it.

Those systems aren’t protecting a bank after all. But they are protecting our lives when we go out on the road, so perhaps a little more effort should be put into securing that waterfront. At least until we can turn things over to our self-driving cars.