The FBI and the National Highway Traffic Safety Administration (NHTSA) on March 20 jointly warned that modern cars are vulnerable to hacking. That may come as no surprise to those who have followed news reports about the possibility, but it does show the level of attention coming to the issue from the nation’s top federal law-enforcement agency. The FBI’s “public service announcement,” issued last month, cites recent demonstrations in which researchers showed how they could remotely take over various functions in cars. “The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the agencies said in the bulletin. The warning reads:
The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. Consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future.
The memo points to the many different computers contained in today’s cars that control functions ranging from braking to infotainment. Each has its own set of vulnerabilities, especially when it comes to the possibility that the systems can be manipulated by plugging a laptop or other device into the car’s diagnostic port. Over the summer, a team from Wired magazine managed to hack into a Jeep Cherokee SUV and drive it into a ditch. Attacks can also occur via Wi-Fi, usually at no more than 100 feet from the vehicle.
In July 2015, Fiat Chrysler Automobiles NV recalled 1.4 million U.S. vehicles to install software after a magazine report raised concerns about hacking, the first action of its kind for the auto industry. Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors. In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers. The FBI bulletin said:
While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.
A car traveling at low speeds can be vulnerable to having its engine shut down, brakes disabled or interference with the steering. For cars traveling at higher speeds, hackers can fool with the door locks, turn signal, tachometer, radio, air conditioning or GPS. The warning cites a July recall of 1.4 million Ram, Jeep, Chrysler and Dodge vehicles that were susceptible to hacking through their infotainment systems, following the demonstration by Wired. Owners were being sent a thumb drive with a software patch to remedy the problem.
NHTSA Administrator Rosekind told reporters in July 2015 that automakers must move fast to address hacking issues. The Fiat Chrysler recall came after the Wired magazine report about hackers remotely taking control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes. NHTSA has said there has never been a real-world example of a hacker taking control of a vehicle. Two major U.S. auto trade associations – the Alliance of Automobile Manufacturers and Association of Global Automakers – late last year opened an Information Sharing and Analysis Center.
The groups share cyber-threat information and potential vulnerabilities in vehicles. The FBI bulletin warned that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious websites or opening attachments containing malicious software.”
Sources: USA Today and Claims Journal