Safety Regulators Summoned Over 'On-Board Diagnostic' (OBD-II) Ports

NHTSA asked to provide answers about the cybersecurity of vehicle 'on-board diagnostic' ports.

Posted in News

— The National Highway Traffic Safety Administration (NHTSA) has been asked to put together an industry-wide effort to combat the risks associated with vehicle "on-board diagnostic" (OBD-II) ports.

The ports are known for vulnerabilities that cause all kinds of weird things to occur to vehicles, including engaging the windshield wipers, horns and door locks. More serious effects have been seen when security researchers accessed the OBD-II ports and controlled vehicle acceleration, steering and braking.

The request to NHTSA was made by Energy and Commerce Committee Chairman Fred Upton, Communications and Technology Subcommittee Chairman Greg Walden, Oversight and Investigations Subcommittee Chairman Tim Murphy, and Commerce, Manufacturing, and Trade Subcommittee Chairman Michael C. Burgess.

OBD-II ports have been around for more than 20 years ago, but they were mandated at a time when the Internet was in its infancy. The original OBD-II port mandate came from the Environmental Protection Agency in 1994 so vehicles could be tested for compliance with the Clean Air Act.

Thoughts of vehicle-to-vehicle communications at that time were just that: thoughts. But now it's all reality and those vehicle ports can do much more than allow emissions testing.

A big difference between then and now is how vehicles are built and function on the roads. Back in 1994, a driver steered or stopped a vehicle physically, but now electronic signals control those functions with signals sent through the vehicle's internal network.

For example, turning the steering wheel sends an electronic message for the wheels to turn, and hitting the brake pedal sends a message for the brake pads to engage.

Committee leaders made the request to NHTSA based on many things that have occurred in the auto industry, but members specifically mentioned the fallout that was seen when researchers twice took control of a Jeep Cherokee.

Chris Valasek and Charlie Miller demonstrated a series of attacks that caused the Jeep to leave the control of the driver and sent the SUV into a ditch. Miller and Valasek were originally able to override built-in safeguards inside the network of the Jeep, something that caused Chrysler to recall 1.4 million vehicles.

Upton, Walden, Murphy and Burgess told NHTSA they understand there are risks and disadvantages that may arise from tackling the cybersecurity risks of the ports.

However, committee leaders say the ports have grown way beyond their original purposes and now create a growing risk to the safety and security of the public.