Drivers should be cautious of potential car hacks, the FBI has warned today, pointing out that increasingly connected vehicles open the door to futuristic automotive exploits. The PSA, issued by the Federal Bureau of Investigation along with the National Highway Traffic Safety Administration (NHTSA) and the Department of Transportation (DoT), recognizes that onboard data connections – whether installed by automakers themselves, or via a third-party accessory by the cars’ owners – can be useful, but cautions that we’re unlikely to have heard the last of high-profile hacking incidents.
For instance, Chrysler saw itself the subject of unwanted headlines last year, after security researchers demonstrated a way to remotely access the onboard systems of select Jeep models.
In doing so, the hackers were able not only to access systems like the radio and the HVAC, but even to deactivate essential drivetrain components such as the transmission. Chrysler issued a patch for vulnerable versions of its infotainment platform, Uconnect, but the FBI is concerned that drivers of other cars may unknowingly be the next potential victims.
“While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future,” the agency writes. “Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities.”
In the case of the Jeep hack, it was Chrysler’s own software which allowed for the exploit to be carried out. However, with the rise in third-party accessories such as Automatic, Vinli, and others – which generally connect to the car’s OBD-II port, a socket under the dashboard that’s traditionally used by mechanics with special, automaker-approved diagnostic and repair tools – it’s possible that new loopholes could be introduced that manufacturers never envisaged.
The FBI warning makes reference to the Chrysler recall, pointing out that the cellular connectivity was patched by blocking the rogue port used by the hackers to inveigle their way into the car’s systems. A USB drive containing new software was mailed to owners of the vehicle, too, though they also had the option of dealers installing the upgrade.
Making sure your car is running the latest version of whatever infotainment and other software has been released is of increasing importance, the FBI says, and drivers should avoid making any unofficial modifications to such software in the process.
Still, that opens up another potential security gap, with the possibility of phishing messages being sent by would-be exploiters, pretending to be official automaker communications, and directing drivers to download a compromised version of the car software.
As for third-party dongles, manufacturers are increasingly treating security as just as important as other features offered. Samsung’s recently announced Connect Auto platform, for instance, uses the same KNOX hardware-level encryption as the company’s smartphones, and its Tizen OS will refuse to run modified software that isn’t certified by Samsung itself.
Meanwhile the automakers themselves are putting together a centralized hub for information sharing about potential hacks, the Information Sharing and Analysis Center (ISAC), in the hope of spotting possible exploits sooner rather than later.
The NHTSA too is looking at how digital security expectations of cars may need to be better considered in safety regulations.
Overall, though, the guidance is to be careful what you plug into your car, to be cautious about who you give access to, and to be mindful about manufacturer updates. While new software for your dashboard may not be as exciting as extra horsepower, it could be far more important if it keeps you from getting hacked on the freeway.