Car companies are finally realizing that what they sell is just a big computer you sit in, and that just like any other computer, they are at risk of being hacked.
In a public service announcement issued together with the Department of Transportation and the National Highway Traffic and Safety Administration, the FBI released a warning to drivers about the threat of over-the-internet attacks on cars and trucks.
The announcement doesn’t reveal any sign that the agencies have learned about incidents of car hacking that weren’t already public, but it cites all of last year’s car hacking research to offer a list of tips about how to keep vehicles secure from hackers and recommendations about what to do if you believe your car has been hacked—including a request to notify the FBI.
Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience. Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles; however, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.
The FBI and DOT’s advice includes keeping automotive software up to date and staying aware of any possible recalls that require manual security patches to your car’s code, as well as avoiding any unauthorized changes to a vehicle’s software and being careful about plugging insecure gadgets into the car’s network. Most of those tips stem directly from last year’s research demonstrations.
Over the summer, a team from Wired magazine managed to hack into a Jeep Cherokee SUV and drive it into a ditch. Following that display, Chrysler issued a 1.4 million vehicle recall and mailed USB drives with software updates to affected drivers. The following month saw researchers from the University of California at San Diego showing that a common insurance dongle plugged into a Corvette’s dashboard could be hacked to turn on the car’s windshield wipers or disable its brakes.
The announcement also notes that drivers should be careful about offering physical access of their vehicles to strangers. In much the same way as you would not leave your personal computer or smartphone unlocked, in a non-secure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.
Not much in the FBI’s warning is new information, but the notice from the FBI could make the threat of car hacking real for anyone who hasn’t considered the growing risk of digital attacks on connected vehicles. It seems a bit delayed, but it’s good advice and coming from the mouth of the FBI means more will take it seriously.
The most significant part of the announcement may be its request that anyone who suspects their car has been hacked to get in contact with the FBI, along with the car manufacturer and the National Highway and Traffic Safety Administration.
The memo points to the many different computers contained in today’s cars that control functions ranging from braking to infotainment. Each has their own set of vulnerabilities, especially when it comes to the possibility that the systems can be manipulated by plugging a laptop or other device into the car’s diagnostic port.
Attacks can also occur via Wi-Fi, usually at no more than 100 feet from the vehicle. A car traveling at low speeds can be vulnerable to having its engine shut down, brakes disabled or interference with the steering. For cars traveling at higher speeds, hackers can fool with the door locks, turn signal, tachometer, radio, air conditioning or GPS.
Automotive industry trade groups are working on a blueprint of best practices for safely introducing new technologies. The Auto-Information Sharing and Analysis Center, created by the Alliance of Automobile Manufacturers and the Global Automakers Association, provides a way to share information on cyberthreats and incorporate cybercrime prevention technologies.
There is a video floating around, of a Houston car theft, where a home-security camera captures a man walking to the Jeep and opening the hood. The officer said he suspects the man is cutting the alarm. About 10 minutes later, after a car door is jimmied open, another man enters the Jeep, works on the laptop and then backs the car out of the driveway.
It is not common, but the fact that it can be done is alarming.
TESLA HACK by Keen Security Lab
Another example is the demonstration provided by KEEN Security Lab. In their video, they show how they can hack into the Tesla vehicles. Actions such as moving the driver’s seat, opening the trunk and unlocking the doors are simple enough actions for these guys to perform after a couple of minutes with their laptop, while the driver searches for the closest charging station.
They even show how they can engage the brakes from a computer that is not even on the same local network as the test vehicle. Controlling a car from anywhere, using the internet? WOW.