DHS, vendor warn on automotive cyber flaws


The Homeland Security cybersecurity response team has notified automobile makers they should take a look at new research illustrating flaws in vehicle control modules that leave the systems open to denial-of-service attacks and other mischief.

In a July 28 alert, the DHS National Cybersecurity and Communications Integration Center and Industrial Control Systems Cyber Emergency Response Team said they were tracking research that showed vulnerabilities in certain models of automobiles. The targeted controller area network (CAN) standard is also used in some healthcare systems, they said.

The alert said researchers identified a vulnerability stemming from a weakness in the protocol that could allow an attacker to perform a denial-of-service attack.

ICS-CERT has notified some affected vendors, primarily auto manufacturers and entities within the healthcare industry, about the report to confirm the vulnerability and to identify mitigations.

NCCIC warned that CAN is widely used throughout the critical manufacturing, healthcare and public health, and transportation systems sectors.

The warning came just days before a set of McAfee researchers presented a paper on automobile system vulnerabilities at the DEF CON 2017 hacking conference in Las Vegas at the end of July.

A few days earlier, CERT had issued an advisory about telematics control units used in BMW, Ford and Nissan Infiniti vehicles.

That research showed vulnerabilities in a control module used by Nissan, Nissan-Infiniti, BMW and Ford in on-board telematics modules that allowed remote, unauthorized access to geographic information such as location, destination and other data. The researchers said they had notified the manufacturers, who had pushed out a fix for the problem.

"The vulnerabilities McAfee discovered show just how difficult it would be to regulate cybersecurity," said McAfee Chief Scientist Raj Samani in a statement to FCW. "Fundamentally, a car is like a jigsaw puzzle with multiple components, so applying patches to cars the way we would a phone, for example, is not feasible."

"The cars we're going to be using in the future will be dependent on technology, and there will always be vulnerabilities as we increase the amount of code in cars," he said. "What needs to happen, fundamentally, is the integration of security and privacy by design, with cybersecurity built-in to all the components of a device. The responsibility is on manufacturers to integrate security."

Samani said consumers should also bear some of the responsibility by asking manufacturers about their responses to cybersecurity incidents and vulnerabilities, as well as how they test products to ensure security.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
