Connected vehicles hold tremendous potential for improving road safety while simultaneously reducing energy consumption and road congestion through data sharing over the next 10–15 years. Unfortunately, that potential may never be realized unless there is a dramatic change in the way automakers and suppliers handle cyber security. The recently revealed security vulnerability in Fiat Chrysler Automobiles (FCA) products with Uconnect telematics systems demonstrates some of the flaws in the current landscape.
Wired.com recently ran a report highlighting a flaw in the Uconnect telematics system discovered by noted white hat security researchers Charlie Miller and Chris Valasek. The pair worked out how to remotely connect to the vehicle’s cellular modem, a key component of Uconnect and all other telematics systems. From there, they were able to access a port in the vehicle network that provided entry to vehicle control systems, including steering, braking, and other functions. The article noted that Miller and Valasek notified FCA and waited until a fix was developed before publicly disclosing the flaw. So far, so good.
A Bloomberg Business story claims that FCA was actually notified of the vulnerability in January 2014 and waited a full 18 months before notifying the National Highway Traffic Safety Administration (NHTSA). However, according to FCA spokesman Eric Mayne, “Prior to last month (July 2015), the precise means of manipulating a vehicle as demonstrated for the media was not known.” FCA notified NHTSA, developed a fix to eliminate the attack vector, and subsequently issued a recall for 1.4 million vehicles. Despite determining that the vulnerability didn’t constitute a safety defect according to current regulations, FCA and NHTSA decided to conduct the campaign as a recall to protect customers.
Potential Safety Defects
Cyber-attacks on banks and retailers can be annoying and costly, but they are unlikely to ever prove life-threatening. All potential automotive cyber security flaws should be treated as potential safety defects until proven otherwise. While the information FCA officials had in early 2014 may not have represented a safety defect, we need a standard mechanism for reporting and tracking potential vulnerabilities.
Navigant Research’s Connected Vehicles report projects that by 2025, 80%–90% of new vehicles in North America and Western Europe will be equipped with vehicle-to-external (V2X) communications technology, a market with potential revenue of more than $36 billion globally. Automakers and suppliers have claimed that they take security seriously, but with few exceptions—notably Tesla Motors, and to a lesser degree, Hyundai—they seem more intent on keeping information out of the public eye.
General Motors (GM) in particular joined John Deere earlier this year to push for protection of their vehicle software under the Digital Millennium Copyright Act (DMCA). GM has not publicly stated why they were seeking protection, but since the DMCA prohibits tampering with or removing protections from software, it seems likely that at least part of the rationale is to keep researchers from legally investigating these systems.
Design for Security
If automakers and suppliers continue to suppress information about automotive cyber security, they will erode both consumer and regulatory confidence in connected vehicles. Software security is an extremely difficult problem, especially for networked systems. It’s best to design the architecture for security from the start rather than patching it in later. However, product development lead times last 3–5 years or more, and legacy systems need to be protected as well.
Automakers need to acknowledge that cyber security vulnerabilities are indeed genuine safety issues now, and they need to be open to both responsible disclosure and prompt updates. If not, we are at serious risk of missing out on the benefits of both connectivity and increasing levels of vehicle automation.