Trust but Verify
Ensuring vehicle cybersecurity in an evolving world.
By Hyattye O. Simmons
“Trust but verify” is a Russian proverb made famous in the United States by former President Ronald Reagan during his nuclear arms reduction negotiations with then-Soviet Union General Secretary Mikhail Gorbachev.1 It is a warning to proceed with caution even when a situation may appear trustworthy. Given the documented cybersecurity issues with motor vehicles,2 operation and maintenance of these machines should be dealt with carefully.
The Need to be Prepared
The modern motor vehicle is a paragon of technological sophistication. The typical car contains more than 70 computers called electronic control units,3 which control many functions, such as steering, braking, acceleration, lights, and windshield wipers.4sup> A luxury vehicle may contain as many as 100 million lines of software code.5
By comparison, a Boeing 787 Dreamliner aircraft has about 6.5 million lines of software code and an F-22 U.S. Air Force jet fighter has about 1.7 million. The amount of software code in future motor vehicles is expected to increase with the introduction of more advanced features that have the potential to reduce crashes and save lives.6 Notwithstanding these safety benefits, the U.S. Government Accountability Office recently found in a March 2016 report that “the reliance on software to control safety-critical and other functions also leaves vehicles more vulnerable to cyberattacks.”7 The GAO continued:
Since 2011, researchers have been demonstrating the feasibility of hacking into vehicles’ electronic systems, including hacking from a remote location. For example, in July 2015, two researchers exploited software vulnerabilities in [a motor vehicle] to remotely take control of safety-critical systems—including manipulating the brakes—without prior physical access to the target vehicle. Shortly after this hacking demonstration was reported, the manufacturer … announced the recall of about 1.4 million impacted vehicles, including other models known to have similar vulnerabilities.8
While no vehicle cyberattack has been verified or reported outside the research environment, the GAO noted a remaining need to be prepared for such attacks, particularly because cyber vulnerabilities may give hackers monetary gain or “bragging rights” in their community, allow foreign nations to gather information for espionage, or may enable terrorists.9
Minimizing Risks Through Ownership and Maintenance
Within the U.S. Department of Transportation, the National Highway Traffic Safety Administration is the primary agency responsible for vehicle safety.10 NHTSA’s mission is to “save lives, prevent injuries, and reduce economic costs due to road traffic crashes.”11 While NHTSA has made strides to address vehicle cybersecurity in recent years, the administration estimates it will be 2018, when additional research is expected, before it decides on the need for government standards.12 Until then, the FBI and NHTSA have issued a joint public service announcement, or PSA, to help the public minimize vehicle cybersecurity risks.13 The PSA’s most important parts are summarized as follows.14
Keep software up to date. Owners should use the Vehicle Identification Number to check for software-related recalls at least twice annually at vinrcl.safercar.gov. Additional helpful websites are: www-odi.nhtsa.dot.gov/owners/SearchSafetyIssues and www.recalls.gov/nhtsa.html.15
Verify legitimacy of software updates. Because some vehicle manufacturers provide software updates online, criminals could exploit this by sending emails disguised as legitimate software update notifications, tricking owners into clicking malicious links or opening malware attachments.16 One verification method would be contacting an authorized dealer to schedule an appointment.
Be cautious when connecting third-party devices. The PSA advises owners to be wary of syncing other electronics with their vehicles through standardized diagnostics ports or Bluetooth. A potential hacker could exploit vulnerabilities in the devices in order to access the vehicle.17 Check the security and privacy policies of the third-party device manufacturers and service providers, and do not connect any unknown or untrusted devices.18
Be aware of who has physical access to your vehicle. Report any strange behavior to your vehicle’s manufacturer, dealer, or mechanic.19 Owners may also report suspected hacking attempts and other safety concerns to NHTSA by filing a vehicle safety complaint at www-odi.nhtsa.dot.gov/VehicleComplaint/. Additionally, the PSA specifically requests that owners also contact their local FBI field offices (www.fbi.gov/contact-us/field) and the FBI’s Internet Crime Complaint Center at www.ic3.gov. In 2013, 94 percent of highway crashes were attributed to human error.20 The goal of both the motor vehicle manufacturing industry and the federal government is to ensure that no incident is caused by a cyberattack.21 TBJ
HYATTYE O. SIMMONS, a 1984 graduate of the University of Texas School of Law, is a former general counsel to the Texas Secretary of State’s Office and Dallas Area Rapid Transit. He serves as general counsel to and a board member of the InfraGard North Texas Members Alliance, a national alliance of 84 nonprofit organizations and the FBI that shares information dedicated to the continuous improvement in the protection, security, resilience, and preparedness of America’s critical infrastructures. Find more information about InfraGard at www.infragard.org.