The US Federal Bureau of Investigation (FBI) and the US National Highway Traffic Safety Administration (NHTSA) have issued a public service announcement regarding potential car hacking vulnerabilities.
The bodies noted that while recent developments in connected cars had given customers new features to monitor the status of their vehicles, both consumers and manufacturers needed to maintain an awareness of the potential cyber security threats that come with that connectivity.
They also warned that third-party aftermarket devices with internet or cellular access, plugged into the vehicle's diagnostics port, could introduce wireless vulnerabilities of their own.
The alert highlighted the work of researchers in 2015 who demonstrated the ability to remotely affect steering, disable the brakes and shut down the engine at low speeds in a 2014 Jeep Cherokee. A recall was issued before the results were published; the FBI and NHTSA added that "the recall was still necessary to mitigate other, short-range vulnerabilities."
To minimize the risks to vehicle cybersecurity, the FBI and NHTSA recommended that owners keep vehicle software up to date, take care when modifying a vehicle, maintain awareness and exercise discretion when connecting third-party devices to the vehicle, and be aware of who has physical access to it.
Consumers who suspect they are a victim of vehicle hacking are advised to check for outstanding vehicle recalls or software updates, contact the vehicle manufacturer or dealer, or contact the proper authority.
Lane Thames, software development engineer and security researcher at technology company Tripwire, said: "We have seen drastic changes within the technology landscape over the last few years. Moore’s law has enabled us to create very powerful computing platforms, ranging from the smallest embedded system to the largest of supercomputers. Simultaneously, the laws of economics have enabled these devices to be readily available to the masses in terms of costs. Finally, we have ubiquitous, high-speed access to the Internet. Put this all together and we have what is currently called the Internet of Things (IoT).
"As we can see, automobiles are rapidly becoming a part of the IoT. Unfortunately, the security industry is seeing IoT devices of all types come online with very weak and, in some cases, non-existent security features. There are various reasons for this. Building highly secure systems is hard and sometimes costly. This conflicts with manufacturers who want to deliver their products to market fast."
A number of motor finance companies fit devices such as remote disablers to cars they lease as a form of protection. In most cases these devices use some form of GPS, communicate over 3G, and operate as a 'kill switch' that can cut electrical power between the car's battery and its starter.
Thames said that while most of these devices do not interface with the car's onboard computers, they can still introduce vulnerabilities into the overall system, which includes the communication network and the remote servers that collect GPS data and issue the kill switch signal.
Speaking to Motor Finance, Thames said: "Most important in this scenario is consumer safety. It is conceivable that a remote attacker (one who is not physically located with the car) could send a kill switch signal to the car. This could be used for nefarious purposes. For example, it may lead to someone being stranded in unsafe places. Another area of concern is user privacy: if an attacker gains access to the system, data related to one’s locations and mobility patterns could be extracted. These are the two most important areas of concern, in my opinion, for remote disablers. A third concern would be vulnerabilities that could allow an attacker local to the car to gain unauthorized access to the remote server(s).
"Before going into an agreement with a disabler device vendor, finance companies should have the vendor provide details such as how the device ensures authentication of kill switch signals, how it encrypts the signals sent to and received by the device, and how it impacts the consumer's safety. The device vendor should provide details of how they implement threat models during the design, implementation, and testing of their device and what they do to work with security researchers and pentesters to ensure their devices have reliable security features built-in."
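What "authentication of kill switch signals" means in practice, as an added example that is not code from the FBI/NHTSA announcement, Tripwire or any disabler vendor: the device verifies a message authentication code under a per-device key before it trusts anything in the command, refuses replayed and expired commands, and applies a safety interlock before acting. Everything here is hypothetical: the JSON command format, the per-device HMAC-SHA256 key, the sequence-number and expiry policy, and the rule that a 'disable' is only honoured while the engine is off are all assumptions chosen for illustration, and the key and scenario are constructed.

```python
"""Authenticated, replay-resistant kill-switch commands for a remote disabler.

Added example; not the page's or any vendor's code. Assumed (hypothetical)
design: the server and each device share a 256-bit key; a command is a JSON
payload {device_id, action, seq, expires_at} plus an HMAC-SHA256 tag; the
device accepts a 'disable' only while the engine is off.
"""
import hashlib
import hmac
import json

ALLOWED_ACTIONS = ("disable", "enable")


def _canonical(payload: dict) -> bytes:
    """Serialise deterministically so server and device MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, device_id: str, action: str, seq: int, expires_at: int) -> dict:
    """Server side: build a command and tag it under the per-device key."""
    payload = {"device_id": device_id, "action": action, "seq": seq, "expires_at": expires_at}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class DisablerDevice:
    """Device side: verify the tag first, then freshness, then the safety interlock."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key
        self.last_seq = 0           # highest accepted seq; real firmware must persist this
        self.starter_enabled = True

    def handle(self, message: dict, now: int, engine_running: bool):
        """Return (accepted, reason). Nothing in the payload is trusted until the tag checks out."""
        payload = message.get("payload")
        tag = message.get("tag")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self._key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):  # constant-time compare
            return False, "bad tag"
        if payload.get("device_id") != self.device_id:
            return False, "wrong device"
        action, seq, expires_at = payload.get("action"), payload.get("seq"), payload.get("expires_at")
        if action not in ALLOWED_ACTIONS or not isinstance(seq, int) or not isinstance(expires_at, int):
            return False, "malformed"
        if now > expires_at:        # captured earlier, delivered late
            return False, "expired"
        if seq <= self.last_seq:    # already seen: replay
            return False, "replay"
        if action == "disable" and engine_running:  # hypothetical safety interlock
            return False, "unsafe: engine running"
        self.last_seq = seq
        self.starter_enabled = (action == "enable")
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: one server key, one device, an attacker without the key."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed
    device = DisablerDevice("dev-001", key)
    now = 1_700_000_000
    results = {}
    disable = sign_command(key, "dev-001", "disable", seq=1, expires_at=now + 60)
    results["disable_while_driving"] = device.handle(disable, now, engine_running=True)
    results["legit_disable"] = device.handle(disable, now, engine_running=False)
    results["replayed_disable"] = device.handle(disable, now, engine_running=False)
    forged = sign_command(b"attacker-guess", "dev-001", "disable", seq=2, expires_at=now + 60)
    results["forged"] = device.handle(forged, now, engine_running=False)
    enable = sign_command(key, "dev-001", "enable", seq=2, expires_at=now + 60)
    tampered = {"payload": dict(enable["payload"], action="disable"), "tag": enable["tag"]}
    results["tampered"] = device.handle(tampered, now, engine_running=False)
    stale = sign_command(key, "dev-001", "disable", seq=3, expires_at=now - 1)
    results["stale"] = device.handle(stale, now, engine_running=False)
    results["legit_enable"] = device.handle(enable, now, engine_running=False)
    results["starter_enabled"] = device.starter_enabled
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats a finance company should put to a vendor alongside this. The HMAC gives authenticity and integrity but no confidentiality, so the location data Thames raises as a privacy concern still needs an encrypted transport (for example TLS) between device and server. And the replay defence only holds if the device persists its last accepted sequence number across power loss; a device that resets it to zero on reboot accepts every previously captured command again.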