Connecting all vehicles sold in Massachusetts to one wireless system and allowing two-way access increases risk of similar threat on automobiles
BOSTON, MA – October 30, 2020 – As hospital systems across the U.S. come under assault from ransomware attacks, one of the biggest concerns of Question 1 opponents is already being realized. The FBI, Department of Homeland Security and Department of Health & Human Services notified healthcare providers across the country this week that “Russian-speaking cybercriminals…launched a coordinated attack targeting U.S. hospitals…with ransomware.”
“This is exactly the kind of thing we have been warning about with regard to Question 1,” said Conor Yunits, spokesperson for the Coalition for Safe & Secure Data. “If foreign-based hackers are willing and able to hack into our most critical health and safety systems in the search for profit, what’s to stop them from doing the same to our cars and trucks once Question 1 lowers their barriers to entry?”
According to the State House News Service, Massachusetts hospitals are moving to respond to the attacks at the urging of federal officials. The News Service story also quotes National Security Agency Director of Cybersecurity Anne Neuberger, who notes:
“The clock is always ticking in the field of cybersecurity. It’s a priority, no matter what business we’re in, whether we work in defense, finance, medicine, power, industry, academia or government, whether you’re working at home, schooling children online, or driving cars that are connected to the internet.”
The National Highway Traffic Safety Administration (NHTSA) already warned about this scenario in a letter to Massachusetts legislators in July, writing, “Malicious actors, some of which are sponsored by hostile foreign governments, have the motivations, resources, and tools available to compromise access to safety-critical systems. A cyberattack on one or more motor vehicles has enormous potential safety consequences—a 4,000 to 80,000 lbs. vehicle operating at highway speeds can pose an incredible amount of danger to its surroundings if manipulated.”
Other cyber security experts have warned explicitly about the potential for hackers to upload malware to vehicles if Question 1 passes.
In an article for Forbes.com, Bryan Reimer, a Research Scientist at the Massachusetts Institute of Technology Center for Transportation and Logistics, wrote:
“Were this ballot question to pass and vehicle manufacturers to comply, vehicles themselves or individual repair shops could become the target of cyber-attacks. An environment where repair shops utilize the same internet-connected tools to work on many different vehicles is the perfect arrangement to deliver and spread a ransomware virus or other malicious agent.”
“Opening OEMs’ telematics, wireless protocols and communication credentials will make it possible for malicious actors to exploit the open protocols, take over vehicles’ telematics and other units and, as outlined above, cause damage ranging from information theft to road accidents. Moreover, as the bill requires a standardized access across all vehicle makes and models, any vulnerability that is identified by a hacker in one model, inherently puts all other cars at the similar safety risk. In other words, the suggested wordings significantly multiplies the potential victims of cyberattacks.”
Question 1 requires that every make and model of vehicle in Massachusetts (beginning with Model Year 2022, which can be sold in Massachusetts beginning in January 2021) connect to a single open access data platform. It requires that this platform be accessed through a mobile app that has not been built or secured, nor does it specify who will build or secure that application. Question 1 requires direct two-way access to vehicles, opening the door for ransomware or malware to be uploaded directly to vehicle computers, and it prevents automakers from playing any role in cybersecurity.
“If Question 1 passes, what is happening to hospitals right now will inevitably happen to vehicles in the near future,” Yunits said. “This is very real. It is something we have been warning about for more than a year, and a risk that should not be taken lightly by voters.”