Proceed With Caution

Vehicles designed in the grand era of the 1950s and ’60s leaned toward the future. Many of those cars were brilliance in motion. But unlike today’s cars, they weren’t actually smart. Modern vehicles are essentially computers on wheels. Like all computer systems, vehicles are open to exploitation by hackers or even misconfiguration by their manufacturers. As such, we cannot take an old-school mentality when building new-school systems.

Noted researchers such as Charlie Miller, Chris Valasek, Craig Smith and Josh Corman have led the way in vehicle security by publicly addressing vulnerabilities in vehicles. Research by these experts and others proves that vehicles, like any other computer system, can be exploited by hackers. Yet, while their contributions have been widely recognized and supported in the security community, they do not seem to be meaningfully addressed by the automotive industry and government regulators.

The 2015 recall of certain Fiat-Chrysler Automotive models due to a critical systems vulnerability in the Harman-Kardon infotainment system proves that there is a problem. Attackers were able to remotely access the comfort and entertainment system and use it to gain unprivileged access to the critical control functions of the vehicle. But this isn’t a Fiat-Chrysler problem alone. Security researchers were able to hack a 2014 Jeep Cherokee, leading to a 1.4 million vehicle recall. All of this proves that we know there is a problem; now we need to have the fortitude to fix it.

The National Highway and Transportation Safety Administration is about to wirelessly enable vehicles without taking steps to fully ensure that motorists are protected from cyberattack, making previously hard-to-access vulnerabilities exploitable over wireless systems. More than this, NHTSA will ensure that mission-critical functions supporting life and safety share the same communications links with commercial applications that support monetization. It’s time we wake up and address this.

By integrating wireless communications systems into vehicles without first addressing the current and future vulnerabilities of vehicles, and requiring that significant countermeasures and mitigations be in place, NHTSA and the automotive manufacturers are about to put lipstick on a pig and tell you it’s pretty. The sad part is that regulators know what they’re doing and no one is paying enough attention to stop them.

The protocol known as Dedicated Short-Range Communications cannot compensate for the known and unknown vulnerabilities of vehicles themselves. In fact, DSRC will make it easier for attackers to exploit those vulnerabilities. While NHTSA-proposed rules for cryptography may address certain attack methods, cryptography alone cannot possibly compensate for the host of vulnerabilities that we know about today and those we can only imagine in the future. Because of this, attackers are about to get a free ride at your expense. This is a bad deal for consumers, taxpayers, motorists and companies.

Connected vehicles enabled with DSRC are vulnerable to at least six specific categories of attacks: deception attacks; denial of service attacks; cryptographic exploitation; malware exploitation; jamming and spoofing; and V2X exploitation. To ensure that we do not inadvertently transform connected vehicles into mobile malware delivery systems and risk both our safety and privacy, it is incumbent on policymakers and automotive manufacturers to set clear rules for the deployment of connected vehicles.

NHTSA must require a transparent vehicle security framework and compliance mechanism. Consumers have the right to know if their vehicles are safe. Government has a responsibility to ensure that every make and model of connected vehicle is reasonably safe. Automotive companies have the right to innovate but must ensure security. Without all of this, security becomes a race to the bottom, where the tragedy of the commons rules the road. An industry-led framework with light oversight ensures that the rules of the road are followed but that innovation is promoted.

Cybersecurity is a first-order consideration. All of the good stemming from the innovations of automotive companies can be quickly undone if people do not trust the product, if hackers easily win and if we do not address risk. Without addressing the way vehicles are secured today, we cannot safely put the brilliance of connected vehicles in motion. In order for America to realize the promise of a connected society, we must make security a priority.


Alex Kreilein is the cofounder and managing partner of SecureSet.

Morning Consult