Dealing with vehicle cybersecurity issues
It’s not just the mobile data terminals inside police vehicles that are vulnerable to cyberattacks
This feature is part of our PoliceOne Digital Edition, a supplement to PoliceOne.com that brings a sharpened focus to some of the most challenging topics facing police chiefs and police officers everywhere. To read all of the articles included in this issue, click here.
By James Careless
It’s not just the mobile data terminals inside police vehicles that are vulnerable to cyberattacks. The vehicles themselves are also at risk.
The reason: “Your car has an internal communications system – a databus – and it connects 50-60 microcontrollers to the physical capability of the car, including the brakes and the engine,” said Dr. Barry Horowitz, Munster Professor in the University of Virginia’s Engineering department. (During Desert Storm, Horowitz spearheaded a system for tracking and destroying SCUD missile carriers. He received the U.S. Air Force’s highest award for a civilian as a result.) “That databus is a place where somebody can interfere with a vehicle’s computer-based elements – and the physical access to the bus is right under your dashboard.”
The databus is located under the dashboard so that mechanics can quickly plug diagnostic tools into your car and find out what’s wrong by accessing the vehicle’s data readings. Unfortunately, it is also a perfect place to plug in a hacking device that can disable some or all of the vehicle’s systems, or to connect the internal communications system to an outside computer via the vehicle’s Bluetooth connection.
“You know those fleet management tools that are designed to save money by monitoring a vehicle’s acceleration, speeds and braking patterns?” Horowitz asked. “They do this by plugging into the vehicle’s databus and transmitting data; just like a hacker could using the same kind of equipment.”
Because third-party fleet management tools are network connected, they could be hacked by hostile players. This makes these services into potential cyberthreats, according to Horowitz. But even without such devices, departments should address the vulnerability of vehicle databuses.
The obvious solution is for officers to check their databuses regularly, and certainly this can help departments deal with this cyberthreat. But the fact remains that modern police vehicles are sold with open doorways to their internal communications systems.
“This is a point that departments should bring up with the companies they buy police vehicles from,” Horowitz said. “You also need to ask them what else they are doing to protect vehicles from cyberattacks; whether these attacks are as simple as remotely preventing a police car from starting or disabling its functions when it is being driven.”
Horowitz previously participated in a public-private working group with the University of Virginia and the Virginia State Police (VSP) that was set up by former Virginia Gov. Terry McAuliffe to address the threat of automotive hacking. As part of that project, VSP cruisers were hacked by researchers who inserted rogue devices in two police vehicles to reprogram some of the car’s electronic operations.
About the author
James Careless writes on law enforcement and technology topics.