DHS, vendor warn on automotive cyber flaws


The Homeland Security cybersecurity response team has notified automobile makers that they should take a look at new research illustrating flaws in vehicle control modules that leave the systems open to denial-of-service attacks and other mischief.

In a July 28 alert, the DHS National Cybersecurity and Communications Integration Center and Industrial Control Systems Cyber Emergency Response Team said they were tracking research that showed vulnerabilities in certain models of automobiles. The targeted controller area network (CAN) standard is also used in some healthcare systems, they said.

The alert said researchers identified a vulnerability, rooted in a weakness in the protocol, that could allow an attacker to perform a denial-of-service attack.

ICS-CERT has notified some affected vendors, primarily auto manufacturers and entities within the healthcare industry, about the report to confirm the vulnerability and to identify mitigations.

NCCIC warned that CAN is widely used throughout the critical manufacturing, healthcare and public health, and transportation systems sectors.

The warning came just days before a set of McAfee researchers presented a paper on automobile system vulnerabilities at the DEF CON 2017 hacking conference in Las Vegas at the end of July.

A few days earlier, CERT had issued an advisory about telematics control units used in BMW, Ford and Nissan Infiniti vehicles.

That research showed vulnerabilities in a control module that Nissan, Nissan-Infiniti, BMW and Ford use in on-board telematics modules. The flaws allowed remote, unauthorized access to geographic information such as location, destination and other data. The researchers said they had notified the manufacturers, who had pushed out a fix for the problem.

"The vulnerabilities McAfee discovered show just how difficult it would be to regulate cybersecurity," said McAfee Chief Scientist Raj Samani in a statement to FCW. "Fundamentally, a car is like a jigsaw puzzle with multiple components, so applying patches to cars the way we would a phone, for example, is not feasible."

"The cars we're going to be using in the future will be dependent on technology, and there will always be vulnerabilities as we increase the amount of code in cars," he said. "What needs to happen, fundamentally, is the integration of security and privacy by design, with cybersecurity built-in to all the components of a device. The responsibility is on manufacturers to integrate security."

Samani said consumers should also bear some of the responsibility by asking manufacturers about their responses to cybersecurity incidents and vulnerabilities, as well as how they test products to ensure security.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
