Malware Links on U.S. Car-Defect Website Risked Infecting Users

Security of a U.S. government website is being questioned after it was revealed a database motorists have been urged to use to report car defects contained documents with links to a site with malware capable of infecting their computers.

Hundreds of files on the database run by the National Highway Traffic Safety Administration had to be removed this week. There’s no evidence the agency’s data was compromised or any public users were affected, said a spokesman, Gordon Trowbridge.

Still, the incident is raising questions about cybersecurity at an agency that relies heavily on car dealers, drivers and other members of the public to submit complaints about vehicle safety through an electronic database. Some of the affected documents sat with malicious hyperlinks undetected for 10 years or more.

“It shows the lack of a security measure that could have and should have detected this,” said Clarence Ditlow, executive director of the Center for Auto Safety, a Washington-based watchdog group. “These links shouldn’t have been there at all.”

The revelation comes at a time when NHTSA has been encouraging people to file complaints to the database after it was found that major vehicle defects involving General Motors Co. and Takata Corp. flew under the radar for years.

The infected files were discovered by CarComplaints.com, an independent website that tracks safety defects. The company was downloading NHTSA data to repost to its own site when it found 766 instances of a malicious link directing people to an external server associated with browser malware, said Mike Wickenden, editor of CarComplaints.com.

Contractor’s Computer

NHTSA investigated the infected complaints and traced them back to a computer used by a contractor to enter consumer reports into the database, Trowbridge said. The agency identified the malware on the contractor’s computer in early 2005, and no complaints with the infected links have been added since. Agency data experts removed the infected complaints they found but missed 171 of them, he said. That’s out of just under 1 million documents on the site, he said.

The affected files will be cleaned up and put back on the website.

“We were not hacked,” Trowbridge said. “There was no compromise of any sensitive data on any NHTSA website.”

All of the hyperlinks embedded in the infected NHTSA complaints go to a now-defunct adware website run by Serverlogic. According to Symantec Corp., the security software company, the links redirected search queries to a predetermined website that could have downloaded other adware programs.

“It’s just not that complicated to check,” Wickenden said. “If they’re allowing links to come in, even if they’re not getting hacked, it’s still inappropriate.”

Back Door

The concern for a government website like NHTSA’s is whether the infected complaints could have been used as a back door to access the agency’s databases, according to James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.

The program that infected the NHTSA consumer complaints was designed to hide itself, and consumers often have similar programs running in the background of their own computers without knowing it, Lewis said. In investigating the incident, NHTSA will need to find out whether the links were sitting there dormant or whether they were used to access the agency’s computers, he said.

“You need to know what’s running on your system,” Lewis said. “They might say their systems worked in preventing any bad effect, but this is a sign they might want to take a step back and ask how come we didn’t see this?”
