The FBI has issued a warning to the public to secure their vehicles and the devices they plug into them. According to the FBI and the U.S. National Highway Traffic Safety Administration (NHTSA), cars are increasingly vulnerable to hacking. They issued the warning in a bulletin last Thursday.
The announcement stated: “The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cyber security threats related to connected vehicle technologies in modern cars.”
The joint statement lists the wireless components of modern-day cars as access points for attackers. In July 2015, a magazine report raised concerns about hacking in the automobile industry, which prompted car manufacturer Fiat Chrysler Automobiles NV to recall 1.4 million vehicles so that it could install software to counter hacking.
The FBI research showed that a car's wireless components could be used to transmit controller area network (CAN) messages to the electronic control units (ECUs). This led Chrysler Motors to issue a USB drive update with a software fix and also to recall 1.4 million vehicles. General Motors Co. released a security update for a smartphone application which could have given a hacker access to some functions of a plug-in hybrid electric Chevrolet Volt. The hacker would have been able to start the engine and unlock doors, among other things.
Mark Rosekind, the NHTSA Administrator, told reporters back in July 2015 that it was vital for automakers to move fast in addressing hacking issues because the problem was growing quickly. The bulletin on Thursday stated, “While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.”
Most experts, however, are also worried about the method by which issues are being fixed. Sending updates on USB drives can be exploited by hackers, who can hijack a drive and put malicious code on it. Even if the USB drive reaches the intended person untouched, consumers still need to verify that it is authentic.
The bulletin went further, warning that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners looking to obtain legitimate software updates”. The links in such messages would be malicious and would lead to malicious websites or software, which would then compromise the car. This means vehicle owners now have to be vigilant in how they treat their cars.
Another form of attack would come through third-party devices that plug into the OBD-II diagnostics port, such as the dongles insurance companies use to reduce premiums. Researchers note that attacks on dongles had been local; however, they did show that it was possible in real time.
Security experts suggest that owners guard their cars the same way they would guard their smartphones.