Many cars on the road contain dangerous cybersecurity flaws, according to a Government Accountability Office (GAO) report.
“Modern vehicles contain multiple interfaces—connections between the vehicle and external networks—that leave vehicle systems, including safety-critical systems, such as braking and steering, vulnerable to cyberattacks,” according to the report released to the public on Monday.
GAO interviewed officials from the Departments of Transportation, Commerce, Defense, and Homeland Security as well as industry associations; and 32 industry experts, such as automakers, suppliers, and vehicle cybersecurity firms. They found three major types of security flaws: direct access, short-range wireless, and long-range wireless.
Direct-access flaws were those that required a hacker’s physical presence to attack the vehicle.
“Among the interfaces that can be exploited through direct access, most stakeholders we spoke with expressed concerns about the statutorily mandated on-board diagnostics port, which provides access to a broad range of vehicle systems for emissions and diagnostic testing purposes,” the report said.
Short-range wireless vulnerabilities are those accessible within one kilometer and include the keyless door access and Bluetooth connectivity. Long-range wireless refers to access at distances over one mile and includes satellite radio and cellular connectivity. In fact, 23 of the 32 industry experts surveyed believed that cellular access was the biggest cybersecurity threat to vehicles.
The most recommended solutions to these vulnerabilities were to build cybersecurity into the manufacturing of parts and to separate the safety-critical and non-safety critical systems to prevent hackers from gaining access.
However, the report noted that “complete separation is often not possible or practical because some limited communication will likely need to occur between safety-critical and other vehicle systems.”
In addition, integrating cybersecurity into the manufacturing would only be helpful to new cars being built, leaving those already on the road vulnerable. The report also found that the two most-cited obstacles to cybersecurity implementation in this way were “the lack of transparency, communication, and collaboration regarding vehicles’ cybersecurity among the various levels of the automotive supply chain and the cost of incorporating cybersecurity protections into vehicles.”
The Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) is expected to make a final determination of the full risks of cybersecurity in vehicles, and whether they merit a safety recall, in 2018.
