After Jeep Hack, Guidelines On Cybersecurity Released

Published November 7, 2016 by Elizabeth Jeneault

The U.S. Department of Transportation's National Highway Traffic Safety Administration has released a proposed guidance for improving motor vehicle cybersecurity. It’s aimed at helping automakers protect their vehicles from cyber-attacks. The federal guidance comes in the wake of a cybersecurity-related recall in July 2015 involving nearly 1.5 million Dodge, Chrysler and Jeep vehicles. It was the result of a Jeep hack. “Cybersecurity is a safety issue, and a top priority at the Department,” said U.S. Transportation Secretary Anthony Foxx in NHTSA’s press release on the proposed guidance.

Details

The proposed guidance suggests automakers follow a layered approach to vehicle cybersecurity. The NHTSA says the approach should:
  • “Be built upon risk-based prioritization identification and protection of safety-critical vehicle control systems and personally identifiable information;
  • Provide for timely detection and rapid response to potential vehicle cybersecurity incidents in the field;
  • Design-in methods and measures to facilitate rapid recovery from incidents when they occur; and
  • Institutionalize methods for accelerated adoptions of lessons learned across the industry through effective information sharing, such as thorough participation in the Auto ISAC.”
The NHTSA also recommends companies demonstrate their commitment to making vehicle cybersecurity a priority by doing a number of other things. The guidance states companies should allocate dedicated resources toward researching, investigating and testing cybersecurity measures and vulnerabilities. The NHTSA also suggests that companies facilitate direct communication channels related to cybersecurity. In addition, it’s recommended that an independent voice within the vehicle safety design process is enabled for issues related to the subject. “In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” said NHTSA Administrator Dr. Mark Rosekind. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.” While the NHTSA has been researching cybersecurity issues for years, the incident involving a 2014 Jeep Cherokee in July 2015 certainly fueled the agency’s desire to release the proposed guidance.

2015 Jeep Hack 

The government’s first cybersecurity-related recall came after a reporter for Wired published an article in July 2015 about how he voluntarily let two hacking experts tap into a 2014 Jeep Cherokee he was driving. The experts, Charlie Miller and Chris Valasek, used the reporter to test out a technique they’d been researching. In a home located 10 miles away from where the reporter was driving, the experts used software to send commands to the Jeep. They were able to remotely manipulate the air-conditioning, radio, windshield wipers and even cut the transmission. “Immediately my accelerator stopped working,” reporter Andy Greenberg wrote in the article. “As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl.” It ended up creating a real traffic headache. “Cars lined up behind my bumper before passing me, honking,” said Greenberg. “I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.” The reporter wrote that the most disturbing maneuver came later on when the hackers cut the Jeep’s brakes. The SUV uncontrollably slid into a ditch as he frantically pumped the pedal. Miller and Valasek later said they were able to remotely hack the multimedia system of the Jeep through Wi-Fi connection.

Chrysler Recall

In the report’s wake, Chrysler issued a recall involving Dodge, Chrysler and Jeep vehicles. The company sent USB drives with a software update to all customers affected. The customers were told to install the update through the port on their vehicle’s dashboard. Chrysler also took steps to block attacks with network-level security measures. While Chrysler said, at the time, it was only aware of the one hacking incident, it led many to question the safety of the company’s vehicles.

2016 Jeep Hack

What didn’t help Chrysler’s case is that the hackers returned this past summer with new tricks to show off. Miller and Valasek found a way to turn the Jeep Cherokee’s steering wheel and cause it to accelerate. This year’s hack, however, wasn’t executed remotely. It required a laptop directly plugged into the Jeep’s network under the vehicle’s dashboard. After plugging in, the pair was able to get the vehicle’s electronics system to listen to commands they were sending. Chrysler’s parent company, Fiat Chrysler Automobiles, responded to the latest hack by noting that it wasn’t performed remotely. “While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles,” said the company in a statement. The company also said the Jeep the hackers used appeared to have been altered back to an older level of software. While the duo confirmed they installed an older infotainment system, they argued the change didn’t make a difference in their latest hack as the work didn’t involve that system at all.

FCA “Bug Bounty” Program

While Fiat Chrysler is quick to defend the safety of its vehicles, it welcomes tips on security weaknesses. Before Miller and Valasek released information on their latest hack in August, FCA announced in July a new “bug bounty” program. FCA runs it through a firm called Bugcrowd. The program offers hackers money for information about flaws in its vehicles. “We will investigate legitimate reports and make every effort to correct any valid vulnerability as quickly as possible,” writes FCA on the site. FCA offers between $150 and $1,500 rewards for the information. It shows the seventh-largest automaker in the world is taking the rising threat of car hacking seriously.

Future 

While companies like FCA are clearly taking steps to make cybersecurity a priority, many remain less than confident that automakers are doing enough. The NHTSA hopes the new guidelines it has released encourages more car manufacturers to step up and protect their customers. The NHTSA says the guidelines are based on public feedback it gathered as well as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. The public now has a chance to read over and weigh in on the proposed guidance online. The NHTSA will accept comments on the guidance through late November.


Useful SUV Links