The FBI has warned that vehicles are increasingly vulnerable to unauthorised remote access by hackers and is calling for victims to report incidents.
The notice, issued jointly with the US National Highway Traffic Safety Administration (NHTSA), said consumers and manufacturers need to be aware of the risks of car hacking.
Although the wireless communication vulnerabilities highlighted by security researchers Charlie Miller and Chris Valasek in July 2015 have now been fixed, the notice said it is important that consumers and manufacturers are aware of the possible threats and how attackers may seek to remotely exploit vulnerabilities in the future.
Wireless vulnerabilities could be introduced by third-party aftermarket devices with internet or cellular access plugged into diagnostics ports, the FBI warned.
Fiat Chrysler was forced to recall 1.4 million vehicles in the US for a computer system security update after Miller and Valasek demonstrated they could take control of a Jeep Cherokee by hacking into its computer systems from 10 miles away.
The FBI said new connected vehicle technologies provide benefits such as improved fuel economy, and third-party devices give consumers new features to monitor the status of their vehicles, but this increased connectivity is opening up opportunities for attackers.
Although not all hacking incidents may result in a risk to safety, such as an attacker taking control of a vehicle, the FBI and NHTSA said consumers and manufacturers should take steps to minimise the cyber security threats related to connected vehicle technologies.
Vehicles contain an increasing number of computers in the form of electronic control units, which control vehicle functions such as steering, braking, acceleration, lights and windscreen wipers. A wide range of vehicle components also have wireless capability, including keyless entry, ignition control, tyre pressure monitoring, and diagnostic, navigation and entertainment systems.
“While manufacturers attempt to limit the interaction between vehicle systems, wireless communications and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems,” the notice said.
For example, third-party devices connected to a vehicle through the diagnostics port could introduce vulnerabilities by providing connectivity where it did not exist before, the notice said. Vulnerabilities may also exist within a vehicle’s wireless communication functions, or within a mobile device, such as a cellular phone or tablet, connected to the vehicle via USB, Bluetooth or Wi-Fi, it warned.
In such cases, an attacker may be able to remotely exploit these vulnerabilities and gain access to the vehicle’s controller network or to data stored on the vehicle, the notice said.
“Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems,” it said.
The FBI and NHTSA urged consumers to maintain awareness of the latest recalls and updates affecting their vehicles and ensure their vehicle software is up to date.
But they also warned that if manufacturers regularly make software updates for vehicles available online, it is possible criminals may exploit this delivery method.
A criminal could send socially engineered email messages to vehicle owners who are looking to obtain legitimate software updates to trick them into clicking links to malicious websites, opening attachments containing malware, or installing malware from USB drives.
To mitigate potential risks, the notice said vehicle owners should always verify any recall notices received, check on the vehicle manufacturer’s website whether any software updates have been issued, avoid downloading software from third-party websites, and use only trusted USB drives.
The FBI and NHTSA said that as well as the steps taken by individual auto makers to address vehicle safety and security, the auto industry has established an Information Sharing and Analysis Center (ISAC) to provide a trusted mechanism for exchanging cyber security information.
The Auto ISAC will act as a central hub for gathering intelligence to help the industry analyse, share and track cyber threats.
Vehicle manufacturers are also collaborating on best practices for enhancing the cyber resilience of motor vehicle electronics and associated in-vehicle networks.