The FBI and the US National Highway Traffic Safety Administration have put out a public safety announcement about the dangers of cars getting hacked.
The bureau noted that risks come with the increasing number of computers in vehicles, in the form of electronic control units (ECUs) that control a wide array of functions, from steering, braking, acceleration, on up to lights and windshield wipers.
Many of those components also have wireless capability, be it keyless entry, ignition control, tire pressure monitoring, and diagnostic, navigation, and entertainment systems.
Security researchers have been able to take over cars remotely because automakers don’t always do a good job at limiting how car systems interact with wireless communications. What’s more, even cars that aren’t internet-enabled can be taken over via third-party devices that introduce connectivity, such as through the diagnostics port.
When security hackers first started remotely screwing with cars, sending them plowing out of parking lots and into the weeds by tinkering with speedometers, killing the engine or messing with brakes, the automobile industry said “Bah!”
“You needed physical access!” they scoffed. “Might as well say that crooks can cut cables if they’re nearby. Our cars are safe from purely remote attacks.”
Because red flags are fun to wave in front of security researchers.
Forward to now, and remote exploits have included security researchers Chris Valasek and Charlie Miller demonstrating how they could take over a 2014 Jeep Cherokee remotely, controlling the car’s brakes, accelerator, steering and more by wireless connection.
Good thing autonomous, driverless cars are immune from hacking, right?
Not necessarily. A researcher has proved that self-driving cars can be forced to stop suddenly with a laser pointer.
These exploits have made the auto industry sit up and take notice. For one thing, the exploit on the Jeep last year led to more than 1 million Fiat Chrysler vehicles being recalled for patching. While, this past autumn, the US government and the state of Virginia sponsored research into cybersecurity for police cruisers.
Car makers General Motors and Tesla have launched bug bounty programs, Congress has quizzed automakers about how safe their cars are against cyber attacks, and car-hacking skills have turned into a hot commodity at outfits like Uber and Canada’s defense research arm.
Another piece of reassuring news: this past week, 20 automakers announced that automatic emergency braking would be standard in 99% of cars by 2022.
Mind you, the dangers of cyber attacks on cars has all been theoretical so far: at this point, there’ve been no real-world attacks, as far as we know.
Only security researchers have managed to send cars into the weeds.
If anybody suspects that their connected car has been tampered with remotely, the FBI asks that they get in touch.
The FBI gave this list of tips for consumers to mitigate cybersecurity risks:
- Ensure your vehicle software is up to date. Be cautious about the potential for criminals to exploit online update delivery, though: as the FBI points out, they could send socially engineered messages rigged to look like they’re update messages from automakers that actually lead to malware downloads.
- Be careful when making any modifications to vehicle software. Modifications could introduce new vulnerabilities or alter automatic software update installation.
- Maintain awareness and exercise discretion when connecting third-party devices to your vehicle. There’s been a sharp rise in third-party devices that can be plugged into the diagnostics port. We’ve already seen that insurance dongles, for one, could lead to a privacy wreck. (On the flip side of the coin, researchers have also come up with a dongle that monitors the diagnostics port and detects any hacking tools plugged in, blocks attacks and collects attack forensic data.)
- Be aware of who has physical access to your vehicle. Just like you wouldn’t (or at least shouldn’t!) leave a PC or phone lying around unlocked, be aware of who can get at your car. Nowadays, connected cars are, after all, akin to those devices.