What the government recommends for car cybersecurity

This article originally appeared on The ride.

When most people think of the automotive industry, their minds probably don’t immediately jump to cybersecurity. After all, a two-tonne steel box on wheels doesn’t exactly scream ‘computer’. But as vehicles become more connected to centralized systems, each other and the outside world, it is becoming clear that cybersecurity is more relevant to today’s cars than ever before.

On Wednesday, the National Highway Traffic Safety Administration released a set of best practices for automakers to follow when building new vehicles and the software stacks that underpin them. The document, first published in the Federal Register last year, is an update to the agency’s 2016 guidelines and focuses heavily on interconnected vehicles and their respective safety systems.


Perhaps one of the most critical areas the NHTSA focuses on involves vehicle sensors. The agency lists sensor tampering as an emerging concern related to vehicle cybersecurity, noting that the potential to manipulate sensor data could pose a risk to safety-critical systems. The areas the NHTSA is calling on automakers to guard against include lidar and radar jamming, GPS spoofing, road sign modification, camera glare and the excitation of machine learning false positives.

Vehicles with over-the-air (OTA) update capabilities are also on the NHTSA’s radar. Specifically, the agency says that the automaker must maintain the integrity not only of critical vehicle updates, but also of the underlying servers that host the OTA updates, the transmission mechanism between the vehicle and the servers, and the update process that takes place on the vehicle. Furthermore, the NHTSA urges automakers to consider common cybersecurity concerns, such as insider threats, man-in-the-middle attacks, protocol vulnerabilities and compromised servers.

For vehicles that can be updated remotely and those that cannot alike, automakers are encouraged to harden access to vehicle firmware to help prevent cybersecurity vulnerabilities. Many automakers today do this by encrypting the ECU firmware, although this can sometimes be circumvented with a bench flash. The NHTSA is asking automakers to “deploy state-of-the-art techniques” to prevent this. What that could mean for the aftermarket scene is unknown, but it’s unlikely to be good news for those looking to tune their cars.

Finally, not everything the NHTSA has included in the document is sophisticated. In fact, the vast majority of recommendations revolve around the NIST security framework or were simply taken from the 2016 guide and still have value today.

A key component highlighted from the 2016 best practices concerns aftermarket devices. NHTSA reminds aftermarket manufacturers that while their devices may appear to have no impact on life-safety systems, they must nevertheless be designed with such considerations in mind and undergo the same kind of security screening as vehicles themselves. Seemingly harmless devices, such as insurance dongles and telematics collection devices, can be used as a proxy for other attacks. Therefore, NHTSA recommends transmitting critical safety signals separately from the general CAN bus traffic: for example, isolating messages sent to traction control actuators that control physical braking function, to prevent replay and spoofing attacks.
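One way to picture the separation described above is a gateway between bus segments that forwards frames only by explicit allowlist. The sketch below is an added example, not code from the NHTSA document or any automaker; the segment names, CAN identifiers and rule table are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example: segment names and CAN IDs are hypothetical. */
typedef enum { SEG_OBD, SEG_BODY, SEG_CHASSIS } segment_t;

typedef struct {
    uint32_t id;      /* 11-bit CAN identifier */
    uint8_t  dlc;     /* payload length, 0..8 */
    uint8_t  data[8];
} can_frame_t;

/* Frames with id in [id_lo, id_hi] arriving on src may be forwarded to dst. */
typedef struct { segment_t src, dst; uint32_t id_lo, id_hi; } rule_t;

/* Default-deny allowlist. No rule names SEG_CHASSIS as a destination, so a
 * device on the OBD port has no path to the segment carrying brake and
 * traction-control commands, whether the frame is forged or a replayed copy. */
static const rule_t RULES[] = {
    { SEG_CHASSIS, SEG_OBD,  0x200, 0x20F }, /* wheel speed, read-only export */
    { SEG_CHASSIS, SEG_BODY, 0x200, 0x20F },
    { SEG_OBD,     SEG_BODY, 0x7DF, 0x7DF }, /* diagnostic request */
    { SEG_BODY,    SEG_OBD,  0x7E8, 0x7EF }, /* diagnostic responses */
};

static unsigned long dropped; /* counter a monitoring task could report */

/* Returns true only if a rule explicitly permits src -> dst for this frame. */
bool gateway_forward(segment_t src, segment_t dst, const can_frame_t *f)
{
    if (f == NULL || f->id > 0x7FF || f->dlc > 8 || src == dst) {
        dropped++;
        return false;
    }
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const rule_t *r = &RULES[i];
        if (r->src == src && r->dst == dst &&
            f->id >= r->id_lo && f->id <= r->id_hi)
            return true;
    }
    dropped++; /* anything not allowlisted is dropped and counted */
    return false;
}

unsigned long gateway_dropped(void) { return dropped; }
```

A rising drop count on the OBD-facing side is itself a useful signal that an attached device is sending traffic it has no reason to send.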

Vehicle serviceability is another item brought up in the latest iteration of best practices. The NHTSA says cybersecurity protections should not unnecessarily restrict access to third-party repair services, an argument used by industry associations during a recent right to repair battle in Massachusetts. According to a court filing, the trade group argued that automakers would need to create “non-functioning cybersecurity design elements” installed on vehicles to meet the right to repair requirements passed by voters. Had the industry followed the NHTSA guidelines of 2016 (and now 2022), this might not have been a big deal.

Despite all these recommendations, it is ultimately up to the car manufacturer to follow them. The NHTSA simply provides these voluntary guidelines for automakers to improve their own cybersecurity maturity based on their level of accepted risk. However, this kind of guidance is needed in a fast-growing industry like connected cars. Today’s attack surfaces may represent a fraction of what the industry sees tomorrow, and without a regulatory body pointing in the right direction, the consequences could be far more damaging than just unlocking doors.