We’re losing the race to secure our smart autos

By: William Jackson
April 29, 2016


As cars become smarter and safer they also are becoming more vulnerable to hacking, and there is little that industry or government can do to improve their cybersecurity in the immediate future.

That is the takeaway from a recent report from the Government Accountability Office (GAO). The proliferation of electronic systems in vehicles is outpacing industry’s ability to secure them, even as vulnerabilities are being identified and exploits demonstrated. The problem is not being ignored. The Transportation Department is researching vehicle cybersecurity and studying the need for regulation. Industry is developing best practices and standards for coding, and is considering its own automotive Information Sharing and Analysis Center.

But the economic and logistical realities of the auto industry make it unlikely that major improvements will be seen soon. Security technology cannot be added on to existing vehicles, but must be incorporated during the design and production process, which takes about five years. The high cost of major redesigns encourages companies to continue using legacy software. And there is a lot of it.

“DOT publications have indicated that a modern luxury vehicle could contain as much as 100 million lines of software code,” the GAO says. “In comparison, a Boeing 787 Dreamliner has about 6.5 million lines of software code.” An F-22 fighter has a mere 1.7 million lines.

The GAO produces a wealth of valuable publications, but not many are described as good reading. The report on Vehicle Cybersecurity is one of these rarities. It is a fascinating account of the current state of auto cybersecurity, worthwhile reading for specialists and for anyone who is interested in what is under the hoods of their cars.

Electronics in cars are not new. Systems for reporting emissions control data go back to the 1970s. Like many operational and control systems, these early ones were silo technology, available only to those with direct access to the cars. Then systems began talking with each other, and the Controller Area Network was developed in 1985, without cybersecurity and before external networking. Today, internal and external interfaces leave vehicle IT—including critical safety systems such as braking and steering—vulnerable to both direct and remote cyberattacks.

Key Interfaces That Could Be Exploited in a Vehicle Cyberattack

According to the DOT’s National Highway Traffic Safety Administration (NHTSA), there were about 50 embedded electronic control units in a typical vehicle by 2009. Today it is 70 to 100, many of them working together and communicating within and outside of the vehicle, and their number and complexity are growing.

Security researchers demonstrated remote attacks against electronic systems in 2011, and that year NHTSA began including cybersecurity in its vehicle safety research. The agency is studying the need for cybersecurity regulations for autos, but a final determination will not be made before 2018. With a five-year vehicle design cycle, any regulatory requirements will not appear until 2023 or later. In the meantime, the agency is expected to soon produce guidance to help industry determine when cybersecurity vulnerabilities should be considered safety defects and merit a recall.

Fiat Chrysler issued the first cybersecurity recall in 2015, for 1.4 million cars, after a demonstration of a hack against a Jeep.

The news is not all bad. No cyberattacks have been reported in the wild and industry experts say auto hacks would be difficult and require a high level of sophistication. In 2013, NHTSA said 94 percent of highway crashes were due to human error, so backing up error-prone humans with technology is likely to provide a net gain for vehicle safety.

But the vulnerabilities are real, the stakes are high and exploits eventually will appear. Serious attention and hard work are needed in both government and industry to close this widening cybersecurity gap.