Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience.
That is all well and good, but with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.
Vehicle hacking occurs when someone with a computer seeks to gain unauthorized access to vehicle systems for the purposes of retrieving driver data or manipulating vehicle functionality. While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.
That is why the FBI and National Highway Traffic Safety Administration (NHTSA) are warning users and manufacturers to maintain awareness of potential issues and cyber security threats related to connected vehicle technologies in modern vehicles.
Computer Use in Autos
Motor vehicles contain an increasing number of computers in the form of electronic control units (ECUs). These ECUs control vehicle functions from steering, braking, and acceleration, to the lights and windshield wipers. A range of vehicle components also have wireless capability, from keyless entry, ignition control, and tire pressure monitoring, to diagnostic, navigation, and entertainment systems.
While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which attackers may be able to remotely hack the vehicle controls and systems. Third-party devices connected to the vehicle, for example through the diagnostics port, could also introduce vulnerabilities by providing connectivity where it did not exist previously.
Vulnerabilities may exist within a vehicle’s wireless communication functions, within a mobile device – such as a cell phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi – or within a third-party device connected through a vehicle diagnostic port. In these cases, it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle’s controller network or to data stored on the vehicle. Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems.
Over the past year, researchers identified a number of vulnerabilities in the radio module of a MY2014 passenger vehicle and reported their detailed findings in a whitepaper published in August 2015. The vehicle studied was unaltered and purchased directly from a dealer.
In this study, conducted over a period of several months, researchers developed exploits targeting the active cellular wireless and optionally user-enabled Wi-Fi hotspot communication functions. Attacks on the vehicle that were conducted over Wi-Fi were limited to a distance of less than about 100 feet from the vehicle. However, an attacker making a cellular connection to the vehicle’s cellular carrier – from anywhere on the carrier’s nationwide network – could communicate with and perform exploits on the vehicle via an Internet Protocol (IP) address.
In that case, the radio module contained multiple wireless communication and entertainment functions and connected to two controller area network (CAN) buses in the vehicle. Following are some of the vehicle function manipulations that researchers were able to accomplish.
In a target vehicle, at low speeds (5-10 mph):
• Engine shutdown
• Disable brakes
In a target vehicle, at any speed:
• Door locks
• Turn signal
• Radio, HVAC, GPS
In this case, NHTSA believed the vulnerability represented an unreasonable risk to safety based on a number of critical factors: once exploited, the vulnerability allowed access to and manipulation of critical vehicle control systems; the population of vehicles potentially at risk was huge; and the likelihood of exploitation was great given that the researchers were scheduled to publish the bulk of their work product. As a result, the manufacturer recalled almost 1.5 million vehicles. Before the researchers’ report was released, the cellular carrier for the affected vehicles blocked access to one specific port (TCP 6667) for the private IP addresses used to communicate with vehicles. However, the recall was still necessary to mitigate other, short-range vulnerabilities.
The manufacturer and cell service provider provided a remedy to mitigate the specific vulnerabilities. The manufacturer said it would notify owners of vehicles affected by the recall and would mail them a USB drive containing the update and additional security features for the vehicle software.
Alternatively, the manufacturer said owners could visit a Web site to check if their vehicle was in the recall and to download the software update to a USB drive. Owners who did not wish to install the update via USB to their own vehicles were given the option to have their vehicle dealer install the update.
Minimize Security Risk
Ways to lower the security risk include:
1. Ensure your vehicle software is up to date
If a manufacturer issues a notification that a software update is available, it is important the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date.
As a note of caution, if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method. A criminal could send socially engineered email messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software (malware). The malware could be designed to install on the owner’s computer, or be contained in the vehicle software update file, which would then load into the owner’s vehicle when the owner attempts to apply the update via USB. Additionally, an attacker could attempt to mail vehicle owners USB drives containing a malicious version of a vehicle’s software. To mitigate potential risks, vehicle owners should always:
• Verify any recall notices received by following the steps for determining whether a vehicle has been recalled for a vehicle cyber security issue
• Check on the vehicle manufacturer’s Web site to identify whether any software updates have been issued by the manufacturer
• Avoid downloading software from third-party Web sites or file-sharing platforms
• Where necessary, always use a trusted USB or SD card storage device when downloading and installing software to a vehicle
• Check with the vehicle dealer or manufacturer about performing vehicle software updates
If uncomfortable with downloading recall software or using recall software mailed to you, call your dealer and make an appointment to have the work done by a trusted source.
2. Be careful when making any modifications to vehicle software
Making unauthorized modifications to vehicle software may not only impact the normal operation of your vehicle, but it may also introduce new vulnerabilities that could be exploited by an attacker. Such modifications may also impact the way in which authorized software updates can be installed on the vehicle.
3. Maintain awareness and exercise discretion when connecting third-party devices to your vehicle
All modern vehicles feature a standardized diagnostics port, OBD-II, which provides some level of connectivity to the in-vehicle communication networks. This port is typically accessed by vehicle maintenance technicians, using publicly available diagnostic tools, to assess the status of various vehicle systems, as well as to test emissions performance. More recently, there has been a significant increase in the availability of third-party devices that can plug directly into the diagnostic port. These devices, which may be independent of the vehicle manufacturer, include insurance dongles and other telematics and vehicle monitoring tools. The security of these devices is important, as they can provide an attacker with a means of accessing vehicle systems and driver data remotely.
While in the past accessing automotive systems through this OBD-II port would typically require an attacker to be physically present in the vehicle, it may now be possible for an attacker to indirectly connect to the vehicle through such a third-party device.
4. Be aware of who has physical access to your vehicle
In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.