TRAVERSE CITY, MI – U.S. lawmakers are considering legislation around automotive cybersecurity, and Congress has tasked its General Accounting Office with drawing up a report on the threat level, including the most vulnerable parts of a car and whether multiple vehicles could be hacked simultaneously.
Nancy Lueke, assistant director-Physical Infrastructure Team at the GAO, says the office found automakers are concerned about direct-access soft spots inside the car, such as CD players and USB ports. But they are focused more on buttoning down remote access points, including telematics systems and cellular networks that could provide a path for hackers to access multiple vehicles at the same time.
Insurance dongles, which drivers can plug into their onboard-diagnostics (OBD) ports to potentially save a few bucks on their premiums, are another big concern, because the little plugs turn a direct access path in the car into a remote one that hackers can latch onto more easily.
“It transmits information out of the car,” Lueke says.
The report also found automakers are adopting proven defense strategies of industries that have been fighting hackers longer, and they consider over-the-air updates an effective means of patching security holes in cars.
“But few OEMs have OTA capability,” Lueke says.
The good news is vehicles are complex machines and difficult to hack, which likely gives automakers time to build their defenses, she says.
So far, the most publicized hacks of FCA US and General Motors were pulled off by researchers. But those prompted FCA to recall 1.4 million Jeep models and forced GM to scramble its cybersecurity team to patch its RemoteLink smartphone application.
So do not get caught standing still, says C.J. Dietzman, security principal at HPE, because regulators will come knocking if a hack occurs.
“Saying, ‘We missed it’ – that’s a difficult position to be in.”