The Department of Transportation needs a clearer idea of what its responsibilities would be in a real-world cyberattack on connected cars or other vehicles, according to a new Government Accountability Office study.
The report, completed last month but only released on Monday, concludes that numerous interfaces standard in modern vehicles are susceptible to exploits that would allow hackers to gain control of safety-critical systems, including braking and steering.
The study surveyed 32 stakeholders in the automotive industry, including eight automakers, three vehicle cybersecurity firms and seven vehicle cybersecurity researchers. A chief concern among experts was that although the National Highway Transportation Safety Administration has established a vehicle cybersecurity program, the DOT as a whole has not determined how it would respond to a catastrophic vehicle hack.
“In today’s vehicles, software code supports both core driving functions, such as braking and steering, as well as advanced safety and convenience features, including adaptive cruise control, forward collision-warning systems, and built-in navigation and Bluetooth systems,” the report states.
Indeed, GAO authors note, a luxury vehicle, with digital networks controlling everything from anti-lock braking systems to air conditioning and seat warming systems, could easily contain as many as 100 million lines of code — more than even an airliner.
“As the lines of vehicle software code increase, so does the potential for cybersecurity vulnerabilities that could be exploited through vehicle cyberattacks,” the report notes.
The authors break vulnerabilities into three categories: direct access, which includes the onboard diagnostics port; mid-range access, including Bluetooth and Wi-Fi; and long-range access, which involves breaching systems through cellular or radio functions.
Although each infiltration method poses risks, the report concludes the most dangerous exploits involve manipulating a vehicle’s cellular communications. In one notorious case, two researchers developed an exploit of the telematics system in the Jeep Cherokee that allowed them to gain remote control of the steering column and braking system of any vehicle in the country without any prior physical access, prompting a recall of 1.4 million vehicles in July 2015.
The study outlines a series of mitigation tactics to counter attempts to hack vehicles, such as incorporating firewalls and using “domain separation” to limit communication between safety-critical systems and others. Many potential solutions, such as encryption and authentication, will take up to five years to integrate into new vehicles, however, which underscores the need for the government to act proactively.
The threat, the report warns, will only grow as vehicles become smarter.
“We did not focus on cybersecurity vulnerabilities that may emerge as newer types of technologies, such as ‘connected vehicle’ technologies, are introduced into vehicles in the future,” it said.