In May Transportation Secretary Anthony Foxx announced that the federal government would be accelerating its efforts to mandate that new automobiles come equipped to communicate with one another. A regulation to that effect is to be submitted by the National Highway Traffic Safety Administration to the Office of Management & Budget for final review by the end of the year.
But last month Wired published an account in which “white hat” hackers described how they remotely used a Jeep Cherokee’s wireless UCONNECT system to take control of the vehicle from the driver and force it to stop. Shortly thereafter, Jeep producer Fiat Chrysler Automotive recalled 1.4 million vehicles to install some kind of a fix. The Wired hackers said they selected the Jeep because it is “among the most hackable” of current car models, but they also listed other highly vulnerable ones from Toyota, General Motors, Ford, BMW, and Range Rover.
It is the “connectedness” of the vehicles—at least in its current unencrypted format—that is the vulnerability. A minority of the many articles on connected vehicles that I’ve read over the last few years stressed the importance of cybersecurity, but far too many advocates either ignored or downplayed this concern. But that appears to be changing, at least within the auto industry. Several weeks before the Wired piece appeared, automakers representing 98% of US vehicle sales created a consortium called the Auto Information Sharing Advisory Center (ISAC) to share information on cybersecurity measures without violating antitrust laws.
Back in February, Sen. Ed Markey (D, MA) released a report called “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.” His staff surveyed 20 major auto equipment suppliers about connected vehicle technologies, and their findings from the 16 that responded included the news that nearly 100% of current new vehicles offer wireless entry points that are at risk of hacking and that current security measures are “inconsistent and haphazard across all manufacturers.”
NHTSA’s current fast-track toward a connected-vehicle mandate seems ill-advised, not merely because of the lack of serious cybersecurity planning. In late April the Transportation Research Board published its review of the U.S. DOT’s draft plan to mandate the use of dedicated short-range communications (DSRC) technology in the 5.9 gigahertz (GHz) band for connected vehicles. The report noted a number of concerns, including (1) that devices and technologies that would use DSRC for vehicle-to-vehicle (V2V) communications are at too early a stage of development to render an assessment, (2) that proposed spectrum sharing in the 5.9 GHz band, and local area Wi-Fi technology, both pose interference risks with V2V communications, and (3) that a long list of unknowns must be resolved before proceeding with implementation, including “security and privacy considerations.”
Taken together, it looks to me as if NHTSA’s fast track needs a significant slow-down.
(The article first ran in the August issue of Surface Transportation Innovations)