The Washington PostDemocracy Dies in Darkness

Next cyberattack front could be your car

Placeholder while article actions load

For the many folks concerned about cyberthieves hacking emails and stealing personal information from online accounts, here comes another worry:

A cyberattack on your car – while you’re driving.

That’s one of the threats outlined in a report on “Vehicle Cybersecurity” by the Government Accountability Office (GAO).

The computerized gadgets that make late-model cars safer and more fun to drive also provide an entry for thieves, terrorists and thrill-seeking geeks. GAO knows of no cyberattacks resulting in injury yet, but the report warns that remote “attacks could involve multiple vehicles and cause widespread impacts including passenger injuries or fatalities…cyber attackers could theoretically achieve massive attacks of multiple vehicles simultaneously.”

Modern electronics provide several ways for hackers to get into your ride, sometimes without even touching it. With direct access to the vehicle, they can plug into the on-board diagnostic port now in many vehicles or the compact-disc player. They can gain short- and long-range remote wireless access through systems for keyless entry, Bluetooth, WiFi, cellular calls and satellite radio.

Advanced electronics also allow cars to have safety features such as collision warning and automatic emergency-braking systems. These goodies come with lots of software. Citing Transportation Department data, the GAO said “a modern luxury vehicle could contain as much as 100 million lines of software code.” That’s about 15 times more than a Boeing 787 Dreamliner, which carries hundreds of passengers on long-range flights.

“[A]s the lines of vehicle software code increase, so does the potential for cybersecurity vulnerabilities that could be exploited through vehicle cyberattacks,” the report said.

These attacks apparently aren’t imminent. Experts told GAO “such attacks remain difficult because of the time and expertise needed to carry them out.” But who would have expected hackers to steal personal information belonging to about 21.5 million federal employees and others as the Office of Personnel Management revealed last year?

While not meant to be alarmist, this also is not science fiction.

In 2011, researchers from the University of Washington and University of California at San Diego gained remote access to vehicles “by exploiting software vulnerabilities” in General Motors’ OnStar and Bluetooth systems, the report said, and were able “to take physical control over the vehicle, such as controlling the display on the speedometer, shutting off the engine, and controlling the brakes.”

Last year, an experiment on a Jeep Cherokee had similar results. Soon after that, Fiat Chrysler recalled 1.4 million vehicles.

Industry and government experts are working to prevent cyberattacks before they happen. But that work takes time and hackers somewhere are probably now plotting to infiltrate vehicle electronic systems. GAO said there are technological solutions that can be built into new cars, but not installed in older ones. Incorporating those solutions, including encryption and authentication technologies, into the design and production process can take five years.

Wade Newton, with the Alliance of Automobile Manufacturers, said car companies last year launched an effort “to facilitate the sharing of potential cyber threats and countermeasures – all of it in real time,” among other measures. He added that the alliance and Global Automakers, an organization of international manufacturers, “have joined together to begin development of voluntary cybersecurity best practices.”

Meanwhile the Transportation Department’s National Highway Traffic Safety Administration “has taken steps to address vehicle cybersecurity issues but has not determined the role it would have in responding to a real-world vehicle cyberattack,” according to GAO.

A NHTSA document published in July says the agency established a new division in 2012 “to focus on vehicle electronics, including cybersecurity.” This division conducts “research on the safety, security, and reliability of complex, interconnected, electronic vehicle systems.” NHTSA says it also has a “layered approach to cybersecurity for automobiles,” meaning that all points of electronic entry, including WiFi, Bluetooth, the diagnostic port, “could be potentially vulnerable.

“This way, NHTSA focuses on solutions to harden the vehicle’s electrical architecture against potential attacks and to ensure vehicle systems take appropriate safe steps even when an attack may be successful.”

NHTSA takes cybersecurity very seriously, said spokesman Bryan Thomas, adding: “We understand that if consumers think they are one hack away from a crash, we’re not going to see the public acceptance we need to achieve the safety gains we’re after.”

Read more:

[Fiat recalls 1.4 million cars vulnerable to being hacked]

[Hacks on the highway]

[Months after government hack, 21.5 million people are finally being told, and given help]