The FBI and the US National Highway Traffic Safety Administration have put out a public safety announcement about the dangers of cars getting hacked.
The bureau noted that risks come with the increasing number of computers in vehicles, in the form of electronic control units (ECUs) that control a wide array of functions, from steering, braking and acceleration on up to lights and windshield wipers.
Many of those components also have wireless capability, be it keyless entry, ignition control, tire pressure monitoring, or diagnostic, navigation, and entertainment systems.
Security researchers have been able to take over cars remotely because automakers don’t always do a good job at limiting how car systems interact with wireless communications. What’s more, even cars that aren’t internet-enabled can be taken over via third-party devices that introduce connectivity, such as through the diagnostics port.
When security hackers first started remotely screwing with cars, sending them plowing out of parking lots and into the weeds by tinkering with speedometers, killing the engine or messing with brakes, the automobile industry said “Bah!”
“You needed physical access!” they scoffed. “Might as well say that crooks can cut cables if they’re nearby. Our cars are safe from purely remote attacks.”
Because red flags are fun to wave in front of security researchers.
Fast-forward to now, and remote exploits have included security researchers Chris Valasek and Charlie Miller demonstrating how they could take over a 2014 Jeep Cherokee remotely, controlling the car’s brakes, accelerator, steering and more by wireless connection.
Good thing autonomous, driverless cars are immune from hacking, right?
Not necessarily. A researcher has proved that self-driving cars can be forced to stop suddenly with a laser pointer.
These exploits have made the auto industry sit up and take notice. For one thing, the exploit on the Jeep last year led to more than 1 million Fiat Chrysler vehicles being recalled for patching. And this past autumn, the US government and the state of Virginia sponsored research into cybersecurity for police cruisers.
Car makers General Motors and Tesla have launched bug bounty programs, Congress has quizzed automakers about how safe their cars are against cyber attacks, and car-hacking skills have turned into a hot commodity at outfits like Uber and Canada’s defense research arm.
Another piece of reassuring news: this past week, 20 automakers announced that automatic emergency braking would be standard in 99% of cars by 2022.
Mind you, the dangers of cyber attacks on cars have all been theoretical so far: at this point, there’ve been no real-world attacks, as far as we know.
Only security researchers have managed to send cars into the weeds.
If anybody suspects that their connected car has been tampered with remotely, the FBI asks that they get in touch.
The FBI gave this list of tips for consumers to mitigate cybersecurity risks:
- Ensure your vehicle software is up to date. Be cautious about the potential for criminals to exploit online update delivery, though: as the FBI points out, they could send socially engineered messages rigged to look like they’re update messages from automakers that actually lead to malware downloads.
- Be careful when making any modifications to vehicle software. Modifications could introduce new vulnerabilities or alter automatic software update installation.
- Maintain awareness and exercise discretion when connecting third-party devices to your vehicle. There’s been a sharp rise in third-party devices that can be plugged into the diagnostics port. We’ve already seen that insurance dongles, for one, could lead to a privacy wreck. (On the flip side of the coin, researchers have also come up with a dongle that monitors the diagnostics port and detects any hacking tools plugged in, blocks attacks and collects attack forensic data.)
- Be aware of who has physical access to your vehicle. Just like you wouldn’t (or at least shouldn’t!) leave a PC or phone lying around unlocked, be aware of who can get at your car. Nowadays, connected cars are, after all, akin to those devices.
James
“this past week, 20 automakers announced that automatic emergency braking would be standard in 99% of cars by 2022.”
What could possibly go wrong? Well, aside from setting off the emergency brake on one car doing 70 mph on a freeway and waiting for the ten cars behind it to pile up.
Bryan
Freeways are the best; if a hack fails, another car will be right behind that one.
If you were Felicity Smoak you’d pinpoint and stop a given vehicle faster than you can say FancyGraphicsOnMyMicrosoft(TM)Tablet, or heck–just neatly stop ’em all at once.
Mahhn
A manual switch in the car to disable any wireless control would be ideal, and a super cheap solution to concerns.
Jim
It’s a good idea, but that won’t always work. For instance, the pressure sensors in the wheels must be wireless, because there is no way to transmit the data physically.
For some things, though, they should be purely wired. Wireless shouldn’t even be installed unless absolutely necessary, and where necessary, they need to be walled out of the rest of the system.
Aarav
I didn’t know this, that a car which would have run by only physical access can also be controlled by hackers.
Now it seems that technology as well as hackers’ skills are growing rapidly.