AMU Emergency Management Public Safety

GAO Urges DOT to Address Vehicle Cyber Security

A growing threat: Cyber attacks on vehicles

Whereas vehicles and computer software once seemed completely independent of each other, such is no longer the case. Not only do modern vehicles increasingly utilize software, but modern vehicles also increasingly make use of software for vital operations and safety-critical functions.

As vehicles catch up with the modern age and become more sophisticated, these vehicles also consequently become more vulnerable to cyber attacks. Because of the growing importance of cybersecurity on vehicle software, the Government Accountability Office (GAO) recently conducted a thorough review of cybersecurity issues that could impact passenger safety in modern vehicles.

The GAO, namely through interviews with industry experts, identified current vulnerabilities in vehicles, studied the potential impact of attacks on these weaknesses, and examined current avenues to mitigate the impact of the potential attacks.

Concerns over wireless technology

The GAO discovered that many systems controlling modern vehicles are vulnerable to cyber attacks, and, even worse, some of these systems control safety-critical features like braking and steering. For example, hackers could potentially gain access to a vehicle’s braking functionality through that vehicle’s Bluetooth interface.

Bluetooth technology usually exists in vehicles to enable hands-free cell phone use for drivers. But a cyber attack on this same Bluetooth technology — if not properly secured — could allow a hacker to utilize this seemingly harmless technology to impact crucial safety components like braking and/or steering.

The GAO reported that wireless attacks on vehicle technology, such as the aforementioned built-in cellular-calling capabilities, could potentially be the biggest threat to passenger safety. However, the GAO noted that experts largely felt that “such attacks remain difficult because of the time and expertise needed to carry them out and thus far have not been reported outside of the research environment.”

Separation could be the key to safety

An popular concept that surfaced throughout the GAO investigation was the idea of “domain separation” among different vehicle components. Many experts believe that a successful approach to securing vehicles includes the practice of separating safety-critical systems and non-safety-critical systems and then securing the separation by making it difficult (or impossible) for the systems to communicate with each other.

A successful “domain separation” approach would theoretically limit the damage that could be done by exploiting a specific vulnerability, given that the targeted vulnerability exists on a network of only non-safety-critical components.

Communication is also key

When questioning the immediate future of vehicle cybersecurity, many experts cited that “lack of transparency, communication, and collaboration” among the different levels of the automotive supply chain is a major hurdle that needs to be overcome to improve overall security and safety.

Overall, the GAO urged to the Department of Transportation (DOT) to better define and document its roles and responsibilities when it comes to cybersecurity and vehicles. While the DOT — and the National Highway Traffic Safety Administration (NHTSA) — have addressed vehicle cybersecurity issues, the GAO noted, neither has determined the role it would have in responding to a real-world vehicle cyber attack as of yet.

Comments are closed.