Thanks to the professional, virtuous work of security researchers Chris Valasek and Charlie Miller and some fantastic reporting on this research by Andy Greenberg of Wired Magazine, we have long known that theoretical hacks against cars are no longer theoretical. They are real. Many connected cars can be hacked and they can be hacked from long distance. And the threats include threats to safety.
The publicity brought to these issues was incredibly important and helpful. Zero action would have occurred without it.
Now, almost a year after the research was initially published, the FBI, Department of Transportation and National Highway Traffic Safety Administration have issued a joint alert. This alert provides more background, discusses some of what the government does, and provides some tips to the driving public.
The full public service announcement is here: Motor Vehicles Increasingly Vulnerable To Remote Exploits
Here is an excerpt:
How can consumers help minimize vehicle cybersecurity risks?
1. Ensure your vehicle software is up to date
If a manufacturer issues a notification that a software update is available, it is important that the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date.
As a note of caution, if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method. A criminal could send socially engineered e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software (malware). The malware could be designed to install on the owner’s computer, or be contained in the vehicle software update file, so as to be introduced into the owner’s vehicle when the owner attempts to apply the update via USB. Additionally, an attacker could attempt to mail vehicle owners USB drives containing a malicious version of a vehicle’s software. To mitigate potential risks, vehicle owners should always:
- Verify any recall notices received by following the steps for determining whether a vehicle has been recalled for a vehicle cyber security issue, as outlined above.
- Check on the vehicle manufacturer’s Web site to identify whether any software updates have been issued by the manufacturer.
- Avoid downloading software from third-party Web sites or file-sharing platforms.
- Where necessary, always use a trusted USB or SD card storage device when downloading and installing software to a vehicle.
- Check with the vehicle dealer or manufacturer about performing vehicle software updates.
If uncomfortable with downloading recall software or using recall software mailed to you, call your dealer and make an appointment to have the work done by a trusted source.
2. Be careful when making any modifications to vehicle software
Making unauthorized modifications to vehicle software may not only impact the normal operation of your vehicle, but it may introduce new vulnerabilities that could be exploited by an attacker. Such modifications may also impact the way in which authorized software updates can be installed on the vehicle.
3. Maintain awareness and exercise discretion when connecting third-party devices to your vehicle
All modern vehicles feature a standardized diagnostics port, OBD-II, which provides some level of connectivity to the in-vehicle communication networks. This port is typically accessed by vehicle maintenance technicians, using publicly available diagnostic tools, to assess the status of various vehicle systems, as well as to test emissions performance. More recently, there has been a significant increase in the availability of third-party devices that can be plugged directly into the diagnostic port. These devices, which may be designed independent of the vehicle manufacturer, include insurance dongles and other telematics and vehicle monitoring tools. The security of these devices is important as it can provide an attacker with a means of accessing vehicle systems and driver data remotely.
While in the past accessing automotive systems through this OBD-II port would typically require an attacker to be physically present in the vehicle, it may be possible for an attacker to indirectly connect to the vehicle by
4. Be aware of who has physical access to your vehicle
In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.
To track the threat to cars as well as your home and business computers, sign up for OODAloop.com
Additional Reading:
The Air Traffic Control System: We all assumed it was vulnerable, but now we know
Pulitzer Prize-Winning Fred Kaplan Explores The Secret History of Cyber War
What You Need To Know About The Administration’s Cybersecurity National Action Plan
Like Kip in Napoleon Dynamite, We love Technology
