fb-pixel Skip to main content

GAO report warns of cyberattacks on cars

WASHINGTON — For the many folks concerned about cyberthieves hacking e-mails and stealing personal information from online accounts, here comes another worry: A cyberattack on your car. While you’re driving.

That’s one of the threats outlined in a report on ‘‘Vehicle Cybersecurity’’ by the Government Accountability Office.

The computerized gadgets that make late-model cars safer and more fun to drive also provide an entry for thieves, terrorists, and thrill-seeking geeks. The GAO knows of no cyberattacks resulting in injury yet, but the report warns that remote ‘‘attacks could involve multiple vehicles and cause widespread impacts including passenger injuries or fatalities. . . . Cyberattackers could theoretically achieve massive attacks of multiple vehicles simultaneously.’’


Modern electronics provide several ways for hackers to get into your car, sometimes without even touching it. With direct access to the vehicle, they can plug into the on-board diagnostic port now in many vehicles or the compact disc player. They can gain short- and long-range remote wireless access through systems for keyless entry, Bluetooth Wi-Fi, cellular calls, and satellite radio.

Advanced electronics also allow cars to have safety features such as collision warning and automatic emergency-braking systems, which come with lots of software. Citing Transportation Department data, the GAO said ‘‘a modern luxury vehicle could contain as much as 100 million lines of software code.’’ That’s about 15 times more than a Boeing 787 Dreamliner, which carries hundreds of passengers on long-range flights.

‘‘[A]s the lines of vehicle software code increase, so does the potential for cybersecurity vulnerabilities that could be exploited through vehicle cyberattacks,’’ the report said.

These attacks apparently aren’t imminent. Experts told the GAO ‘‘such attacks remain difficult because of the time and expertise needed to carry them out.’’

In 2011, researchers from the University of Washington and University of California San Diego gained remote access to vehicles ‘‘by exploiting software vulnerabilities’’ in General Motors OnStar and Bluetooth systems, the report said, and were able ‘‘to take physical control over the vehicle, such as controlling the display on the speedometer, shutting off the engine, and controlling the brakes.’’


Last year, an experiment on a Jeep Cherokee had similar results. Soon after that, the company, Fiat Chrysler, recalled 1.4 million vehicles.

Industry and government experts are working to prevent cyberattacks before they happen. The GAO said there are technological solutions that can be built into new cars, but not installed in older ones. Incorporating those solutions, including encryption and authentication technologies, into the design and production process can take five years.

Wade Newton of the Alliance of Automobile Manufacturers said car companies launched an effort last year ‘‘to facilitate the sharing of potential cyberthreats and countermeasures,’’ among other measures. He added that the Alliance and Global Automakers, an organization of international manufacturers, ‘‘have joined together to begin development of voluntary cybersecurity best practices.’’