The FBI this week warned carmakers and owners that they need to pay much closer attention to automotive cybersecurity.
The National Highway Transportation Safety joined with the FBI in warning consumer that the increasing number of computers in the form of electronic control units (ECUs) that control numerous vehicle functions from steering, braking, and acceleration, to the lights and windshield wipers make them vulnerable to potential cybersecurity problems.
+More on Network World: World’s coolest concept cars+
“A wide range of vehicle components also have wireless capability: from keyless entry, ignition control, and tire pressure monitoring, to diagnostic, navigation [GPS], [wireless hot spots, Bluetooth] and entertainment systems. While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems. Third-party devices connected to the vehicle, for example through the diagnostics port, could also introduce vulnerabilities by providing connectivity where it did not exist previously,” the FBI stated.
The FBI noted that a few vulnerabilities have been publicized in recent months and addressed, but “it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future. Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities,” the FBI stated.
Automobile hacking has definitely made its way onto the cybersecurity screen of many experts and some politicians. A report overseen by US Senator Edward Markey (D-Mass.) last year said there is a “clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”
+More on Network World: What advanced tech will dominate your car by 2025? IBM knows+
That report referenced a segment on CBS News' "60 Minutes" that detailed how easily cars can be hacked and how many automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not have ways to secure such data.
The “Tracking and Hacking” report also noted that in January 2015 BMW had to fix a security flaw that could have allowed up to 2.2 million vehicles with the automaker’s ConnectedDrive to have their doors remotely opened by hackers.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee in a statement. Markey’s goal is to set data, security and privacy standards for cars and car owners through the National Highway Traffic Safety Administration and Federal Trade Commission and others.
Markey’s study detailed a number of disconcerting trends including:
- Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
- A majority of automakers offer technologies that collect and wirelessly transmit driving history information to data centers, including third-party data centers, and most did not describe effective means to secure the information.
The FBI meanwhile listed a number of things consumers can do to help minimize cybersecurity risks, including:
- If you have a newer car make sure vehicle software is up to date. If a manufacturer issues a notification that a software update is available, it is important that the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date. As a note of caution, if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method. Avoid downloading software from third-party Web sites or file-sharing platforms.
- Be careful when making any modifications to vehicle software. Making unauthorized modifications to vehicle software may not only impact the normal operation of your vehicle, but it may introduce new vulnerabilities that could be exploited by an attacker. Such modifications may also impact the way in which authorized software updates can be installed on the vehicle.
- Maintain awareness and exercise discretion when connecting third-party devices to your vehicle. All modern vehicles feature a standardized diagnostics port, OBD-II, which provides some level of connectivity to the in-vehicle communication networks. This port is typically accessed by vehicle maintenance technicians, using publicly available diagnostic tools, to assess the status of various vehicle systems, as well as to test emissions performance. More recently, there has been a significant increase in the availability of third-party devices that can be plugged directly into the diagnostic port.
- Be aware of who has physical access to your vehicle. In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.
- Contact the National Highway Traffic Safety Administration and FBI. In addition to contacting the manufacturer or authorized dealer, please report suspected hacking attempts and perceived anomalous vehicle behavior that could result in safety concerns to NHTSA and/or the Internet Crime Complaint Center (IC3).
Check out these other hot stories: