Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

An In-Depth Analysis of How Automobiles Can Be Hacked

GAO Report: Exploiting Weaknesses in Vehicles' E-Systems Could Endanger Occupants
An In-Depth Analysis of How Automobiles Can Be Hacked
Electronic features in automobiles make them vulnerable to cyberattacks.

It's not quite a primer on how to hack automobiles, but a new government report outlines weaknesses in vehicles' electronic systems that could be exploited to endanger occupants.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

The report from the U.S. Government Accountability Office also offers ways to mitigate the risks of damaging intrusions.

"We don't think that there's an imminent danger by any means, but ... cyberattacks have become more frequent," says report author David Wise, GAO physical infrastructure issues director. "To say that it hasn't happened in the past doesn't mean that it couldn't happen, because there are an awful lot of things that we didn't see happening in the past that have happened."

David Wise of the Government Accountability Office discusses the shared responsibilities for automotive cybersecurity.

Several factors make automobiles susceptible to cyberattacks. Modern passenger vehicles, for instance, contain 100 or more embedded electronic control units, or ECUs, that execute core vehicle functions, such as steering, as well as entertainment systems. Over time, ECUs have evolved from controlling a single vehicle function and operating in isolation from other components to controlling multiple vehicle functions and operating in conjunction with one another.

To facilitate communication among multiple ECUs without the need for complicated and extensive wiring systems, automakers began locating ECUs on in-vehicle communication networks, commonly referred to as buses or bus systems.

Source: National Instruments

No doubt, shifting to electronically controlled vehicle systems from mechanical ones improves reliability and performance of vehicle features, including new safety offerings. But the move also increases the potential for vehicles to be affected by breaches more commonly associated with the information technology and financial services industries. Each component in electronically controlled vehicle systems could serve as an entry point to threaten other linked components.

GAO warns that the same type of hackers who plague business and industrial IT systems could target automotive systems. "Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, and monetary gain, among other reasons," Wise says.

Millions of Lines of Code

Complex software is used to operate ECUs and myriad other electronic systems. A luxury sedan could contain more than 100 million lines of code; that's about 15 times more code than needed to operate systems in a Boeing 787 Dreamliner.

Source: Battelle

As automakers adopt more advanced vehicle technologies, researchers tell GAO, the number of lines of code needed for these electronic systems will increase. More code likely means more coding errors that could create more vulnerabilities. Citing one stakeholder, GAO says: "Testing every line of code in a vehicle would take several months, which is not feasible or practical."

Interfaces Susceptible to Exploits

GAO interviewed 32 industry insiders who concluded that hackers could exploit three types of interfaces: direct access, such as onboard diagnostics ports; short-range wireless, such as Bluetooth keyless entry; and long-range wireless, such as cellular connections.

The port supporting onboard diagnostics provides direct and largely unrestricted access to in-vehicle communications networks, which could provide an attacker with sufficient access to compromise the full range of a vehicle's systems, including safety-critical systems, such as the brakes and steering wheel. But, as Wise points out, accessing an onboard diagnostics port would generally require direct access to the vehicle, requiring the attacker to target one vehicle at a time.

Source: GAO analysis of stakeholder interviews

Many industry stakeholders told GAO that passenger safety is most threatened by remote attacks. Remote attacks could involve multiple vehicles and cause widespread impact, including passenger injuries or fatalities. Long-range wireless interfaces, such as cellular connections on the telematics unit, are especially concerning, the report notes. Through such interfaces, the cyber attacker could, theoretically, exploit vulnerabilities to access the target vehicles from anywhere in the world and take control of the vehicles' safety-critical systems.

GAO analyzed research from the University of Washington and University of California San Diego that demonstrated the ability to conduct a cyberattack through wireless channels. By exploiting vulnerabilities in the implementation of a telematics system - which connects participating vehicles via a cellular connection to a backend server maintained by the automaker - it would be possible to simultaneously compromise multiple vehicles, GAO concludes.

Remote Attack Scenarios

In this graphic, GAO presents a scenario of a potential vehicle cyberattack launched through a wireless interface, as demonstrated by researchers.

Source: GAO analysis

GAO, in the following graphic, describes a possible vehicle cyberattack launched by a long-range wireless interface.

Source: GAO analysis

"Notably, each of the above hacking demonstrations illustrate that some overarching characteristics of the CAN bus make it more likely that a vehicle cyberattack launched through any interface - including non-safety-critical systems, such as the telematics unit - could impact safety," according to the GAO report.

Mitigating Attacks

Based on its interview with industry stakeholders, GAO says automakers are mulling whether and how to implement technologies that could help identify and mitigate vehicle cybersecurity vulnerabilities. A problem automakers face is that, in many instances, information security technologies cannot be simply added on to vehicle; they must be designed into the vehicle. That, experts tell GAO, could take up to five years.

The one exception: intrusion detection and prevention systems. Several companies told GAO that they have developed aftermarket versions of their products that can be incorporated in vehicles. The diagram below depicts how firewalls and some other technologies can help mitigate vehicle cyberattacks.

Source: GAO analysis of stakeholder information

But the biggest challenge might not be technical. GAO says the most frequently cited set of challenges facing the industry in ensuring vehicle cybersecurity - mentioned by 15 of the 32 industry stakeholders - was the lack of transparency, communication and collaboration among the various players in the automotive supply chain regarding vehicles' cybersecurity

Several parts suppliers told the GAO the security requirements automakers provide them often lack sufficient context about the broader component or system. Some stakeholders pointed out that automakers are challenged by overseeing and exerting control over suppliers' software code. In some instances, they said, suppliers' software code is proprietary, so the companies don't want to share it with the automakers. As one stakeholder told GAO: "The most important and interesting commonality" was that the vulnerabilities were located precisely at the interfaces where software code written by different supply chain players has to interact."

DoT: Vehicle Cybersecurity Is Top Priority

The report, conducted for Congress, focused on the efforts of the Department of Transportation's National Highway Traffic Safety Administration to coordinate the government's response to automotive cyberthreats. Jeff Marootian, DoT assistant secretary for administration, assured GAO in a letter that enhancing vehicle cybersecurity to mitigate threats is a departmental priority.

GAO recommends, and the DoT concurs, that NHTSA should work expeditiously to finish defining, and then document, the agency's roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems, including how NHTSA would coordinate with other federal agencies and stakeholders involved in the response.

Still, according to GAO, NHTSA does not anticipate making a final determination on the need for government standards until 2018, when additional cybersecurity research is expected to be completed.

Several industry efforts to address vehicle cybersecurity, including the development of an Automotive Information Sharing and Analysis Center and a voluntary design and engineering process standard for cybersecurity, are in their early stages. "As such," Wise says, "some of these government and industry efforts to address vehicle cybersecurity are unlikely to provide many benefits for vehicles already operating on the roads today or those currently in the design and production stages."

In the interim, Wise says, it will be critical for NHSTA to continue to be proactive to ensure that it is meeting the agency's goal of being ahead of vehicle cybersecurity challenges.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.