
FBI Reminds That Connected Cars Are Increasingly Vulnerable to Remote Exploits

The Federal Bureau of Investigation (FBI) on Thursday released a warning on remotely exploitable cyber vulnerabilities that affect modern motor vehicles.

The warning didn't call out any new specific vulnerabilities, but cautioned about the connected technologies in modern vehicles that have been proven to be vulnerable to exploits.

While some previously discovered security flaws that affected specific manufacturers have been addressed, the FBI says that both consumers and manufacturers should maintain awareness of potential cyber security threats.

Hacking Cars

These threats aren’t new, and nothing in the FBI’s announcement is really groundbreaking, especially to those close to the security community. Security researchers and groups have been beating the drum over the topic for years.

In August 2014, a group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars. In an open letter to “Automotive CEOs”, the researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard them from cyberattacks.

Last February, a report prepared by the staff of Senator Ed Markey revealed that virtually all connected cars on the road are vulnerable to cyber-attacks. Also in February, the European Union Agency for Network and Information Security (ENISA) announced the launch of a new expert group focusing on the security of smart cars and intelligent road systems.

In July, researchers Charlie Miller and Chris Valasek demonstrated that they could remotely hack and control a 2014 Jeep Cherokee, which prompted the automaker to release a software update to close the security hole. Fiat Chrysler Automobiles (FCA) revealed that multiple models were vulnerable to attacks, and even recalled 1.4 million vehicles for security reasons.


As the FBI explains, vehicles include electronic control units (ECUs) designed to control multiple functions, including steering, braking, and acceleration, and many components also have wireless capability. Although automakers try to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these represent attack surfaces for motivated criminals.

Vulnerabilities may exist not only within a vehicle’s wireless communication functions, but also within a mobile device connected to the car, and within third-party devices connected through a diagnostic port. Attackers can attempt to remotely exploit these vulnerabilities and access either the vehicle’s controller network or the data stored on the vehicle, the FBI says.

The warning also explains that, although attackers might not always be able to access all parts of the system, the risks increase if they gain the ability to manipulate critical vehicle control systems. In a real-world demonstration in August 2015, researchers were able to take over a Corvette’s systems and apply and disable brakes while the car was in motion.

According to the FBI, users can stay protected by ensuring that their vehicle always has the latest software updates installed, and by being careful when making modifications to the vehicle’s software. However, the Bureau also warns of actors taking advantage of regular update systems and social engineering to trick users into installing malicious software.

Users are also advised to take caution when connecting third-party devices to their vehicle, such as insurance dongles and other vehicle monitoring tools. Additionally, consumers are advised to be aware of people who have physical access to the vehicle, just as they would be with a computer, tablet, or smartphone.

Anyone who suspects that their vehicle has been hacked is advised to check for outstanding vehicle recalls or vehicle software updates and contact the vehicle manufacturer or authorized dealer. Furthermore, they are advised to contact the National Highway Traffic Safety Administration and the FBI to report the incident.

For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.