There are a lot of folks out there concerned about vehicle cyber security!
Several public interest groups petitioned the Federal Communications Commission (FCC) to take action over the implementation of Dedicated Short-Range Communication (DSRC) technology that the auto industry plans to implement in connected cars in upcoming months. It seems there is widespread concern regarding vehicle cyber security.
Six consumer groups Thursday filed comments informing the FCC about the dangers of DSRC and nearly 20 consumer groups filed a letter to the FCC to show their general support for the need for a non-commercial condition, and adequate privacy and cybersecurity protections concerning the technology.
The groups argue that the technology will introduce more attack vectors as well as additional vulnerabilities to connected vehicles which already may not be secure for another three years if the technology is used for reasons outside of ensuring safety.
Concerns regarding vehicle cyber security relate to hacking and viruses.
Viruses on computers and other devices spread primarily because those devices talk to one another on networks. Cars are insecure already, regardless of the cybersecurity protections integrated into NHTSA’s small portion of the DSRC band. Even if the communications between DSRC units are encrypted, the devices those DSRC units are connecting are not secure. The forthcoming mandate for DSRC device deployment neatly solves for hackers the last major obstacle to large-scale auto hacking, by providing a mandatory, trusted connection between all cars.
It is a fundamental principle of cybersecurity that the more devices and networks you connect to a platform, the more vulnerabilities and attack vectors you introduce into even the most secure of systems. While DSRC creates an additional attack vector, the problem is exponentially exacerbated by commercialization of the service. Connection to the public internet to facilitate services such as mobile payments, advertising, and infotainment content delivery, create a plethora of attack vectors and additional vulnerabilities, any of which could be exploited to breach the car, and then utilize the DSRC unit to spread to every DSRC-equipped car it comes in contact with.
Cars today have up to 100 ECUs and more than 100 million lines of code — a massive attack surface. Further complicating matters, auto manufacturers source ECUs from many different suppliers, meaning that no one player is in control of, or even familiar with, all of a vehicle’s source code.
The threat of automotive cyberattacks will only loom larger as society transitions to autonomous vehicles. But even before autonomous vehicles become widespread, car hacking is already a very real danger: In 2014, more than half of the vehicles sold in the United States were connected, meaning that they are vulnerable to cyberattacks.
“Drivers shouldn’t have to choose between being connected and being protected.” — Senator Edward J. Markey