Car Computers Are Vehicles for Hacking, Warns FBI
Mar 22, 2016 5:00 AM PT
Computers that control functions such as steering, braking, acceleration, lights and windshield wipers, as well as wireless technologies used in keyless entry, ignition control, tire pressure monitoring, and diagnostic and navigation systems, provide portals for cyberattack, the agencies said.
Third-party devices connected to vehicles through diagnostics ports, and mobile devices connected to vehicles also could open the door for hackers, they warned.
Safety Tips for Car Owners
Consumers should verify with vehicle manufacturers any recall notices or software updates they receive; avoid downloading software from third-party websites or file-sharing platforms; use a trusted USB or SD card storage device when downloading and installing software to their vehicles; and ensure their vehicle software is up to date, the agencies said.
They should be careful when modifying vehicle software or connecting third-party devices to their vehicles.
Vehicle owners should check the vehicle's VIN for recalls at least twice per year, according to the agencies.
Is the Problem Real?
Anything electronic that talks wirelessly can be hacked, but "you have to have fairly specific access to the vehicle," said Mike Jude, a research manager at Frost & Sullivan.
"Every car manufacturer has a different protocol for doing things like remote start and remote unlock, so you'd have to target a specific car manufacturer, have specific information on their proprietary protocols for access, and then all you'd get is access to the car," he told TechNewsWorld.
The agencies are taking preemptive action because "they expect a lot more network-connected cars and expect them to use open standards for communicating with the cars' internals minus encryption," Jude said.
However, the notice "isn't preemptive. It's actually very late, and we're just lucky there haven't been any catastrophic incidents yet," argued Rob Enderle, principal analyst at the Enderle Group.
"We've had examples going back years that showcased it was possible to disable cars through the wireless sensors on their tires. As we increasingly move to systems that control all of the car's operation, the potential for deadly consequences has gone through the roof," he told TechNewsWorld.
"Think of ransomware," Enderle said. "If you get disabled in the middle of nowhere, how much would you pay to have your car run again?" The real concern, however, is "the massive loss of life a terrorist attack on cars could create."
Encryption backdoors like the one the FBI is seeking to force Apple to develop "enables hacking like this, and phones could easily become a bridge through a car's system to enable a hack," he said. "This strongly supports Apple's argument that the risks of what the FBI is requesting far exceed the benefits."
Accelerated Response Needed
"There's good reason for customer skepticism with connected cars due to multiple potential problem areas, including security, as well as legal issues," said Keith Bromley, senior solutions manager at Ixia.
"When multiple vendors -- wireless carriers, automobile makers, satellite radio services, entertainment companies, government agencies and even local business -- access consumer data, the question becomes, who's responsible for the security of any personally identifiable information contained within the databases?" he told TechNewsWorld.
The automobile industry has created a working group to deal with security issues, Enderle observed, "but they continue to move slowly, and the entire industry needs to massively change cadence, which is currently a three- to five-year cycle, to one more consistent with the far faster response times in the tech industry."