FBI Reminds That Cars are Increasingly Vulnerable to Remote Exploits

FBI Reminds That Connected Cars Are Increasingly Vulnerable to Remote Exploits


The Federal Bureau of Investigation (FBI) on Thursday released a warning on remotely exploitable cyber vulnerabilities that affect modern motor vehicles.

The warning didn’t call out any new specific vulnerabilities, but cautioned about the connected technologies in modern vehicles that have been proven to be vulnerable to exploits.

While some previously discovered security flaws that affected specific manufacturers have been addressed, the FBI says that both consumers and manufacturers should maintain awareness of potential cyber security threats.

Hacking Cars

These threats aren’t new, and nothing in the FBI’s announcement is really groundbreaking, especially to those close to the security community. Security researchers and groups have been beating the drum over the topic for years.

In August 2014, a group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars. In an open letter to “Automotive CEOs”, the researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard vehicles from cyberattacks.

Last February, a report prepared by the staff of Senator Ed Markey revealed that virtually all connected cars on the road are vulnerable to cyber-attacks. Also in February, the European Union Agency for Network and Information Security (ENISA) announced the launch of a new expert group focusing on the security of smart cars and intelligent road systems.

In July, researchers Charlie Miller and Chris Valasek demonstrated they can remotely hack and control a 2014 Jeep Cherokee, which prompted the automaker to release a software update to close the security hole. Fiat Chrysler Automobiles (FCA) revealed that multiple models were vulnerable to attacks, and even recalled 1.4 million vehicles for security reasons.


Related: Researchers Hack Car via Insurance Dongle

As the FBI explains, vehicles include electronic control units (ECUs) designed to control multiple functions, including steering, braking, and acceleration, and many components also have wireless capability. Although automakers try to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these represent attack surfaces for motivated criminals.

Vulnerabilities may exist not only within a vehicle’s wireless communication functions, but also within a mobile device connected to the car, and within third-party devices connected through a diagnostic port. Attackers can attempt to remotely exploit these vulnerabilities and access either the vehicle’s controller network or the data stored on the vehicle, the FBI says.

The warning also explains that, although attackers might not always be able to access all parts of the system, the risks increase if they gain the ability to manipulate critical vehicle control systems. In a real-world demonstration in August 2015, researchers were able to take over a Corvette’s systems and apply and disable brakes while the car was in motion.

According to the FBI, users can stay protected by ensuring that their vehicle always has the latest software updates installed, and by being careful when making modifications to the vehicle’s software. However, the Bureau also warns of actors taking advantage of regular update systems and social engineering to trick users into installing malicious software.

Users are also advised to take caution when connecting third-party devices to their vehicle, such as insurance dongles and other vehicle monitoring tools. Additionally, consumers are advised to be aware of people who have physical access to the vehicle, just as they would be with a computer, tablet, or smartphone.

Those who suspect that their vehicle has been hacked are advised to check for outstanding vehicle recalls or vehicle software updates and contact the vehicle manufacturer or authorized dealer. Furthermore, they are advised to contact the National Highway Traffic Safety Administration and the FBI to report the incident.

Related: API Flaw Exposes Nissan LEAF Cars to Remote Attacks

Related: Tesla Increases Bug Bounty Payout After Experts Hack Model S


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
