The possibility that hackers could take control of a motor vehicle remotely has pushed several federal agencies to issue a joint warning on the danger. The agencies cited the recent success of security researchers to remotely initiate several actions on a moving car
, such as shutting the engine down, disabling the brakes, and affecting the steering.
The agencies behind the warning are the Federal Bureau of Investigation, the U.S. Department of Transportation and the National Highway Traffic Safety Administration. “Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience,” the FBI said yesterday in a statement. “However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cybersecurity threats.”
Increased Connectivity Means Increased Risk
The FBI noted that while not all hacking incidents necessarily put the safety of passengers at risk, consumers and manufacturers should nevertheless be aware that cybersecurity threats now extend into the realm of vehicle information technologies.
Modern vehicles contain an increasing number of computers and other components connected to the Internet. Some of them, such as keyless entry devices, ignition control, and tire pressure monitoring also have wireless access. Although manufacturers do make an effort to limit the interaction between these systems, the level of connectivity present in modern vehicles provides a way for hackers to remotely attack the controls and systems of these vehicles.
And the problem isn’t just limited to the actual vehicle. The FBI warned that third-party devices that connect to vehicles, such as through diagnostics ports, could also introduce new vulnerabilities. In particular, the feds warned that functions within mobile devices such as mobile phones, tablets, or other third-party devices could allow a cybercriminal to gain remote access to a car’s controller network or the data stored on the vehicle.
“Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems;” the FBI said.
Hacking the API
Just last month, security researchers demonstrated that they were able to exploit a flaw in the API used by the Nissan Leaf for its iOS and Android apps to remotely gain access to a vehicle’s climate controls and the data about recent trips. While not life threatening, a hacker could use the exploit to drain the vehicle’s battery while it’s parked or learn other facts about the driver based on the car's travel history.
Last year, another team of researchers identified a number of vulnerabilities in the radio module of the 2014 Jeep Grand Cherokee. The researchers were able to gain remote access to some of the vehicle’s critical functions, such as steering and braking, leading to potentially life-threatening situations.
The security vulnerabilities were enough to force a 1.4 million vehicle recall. “The number of vehicles that were vulnerable were in the hundreds of thousands,” the researchers said in a white paper published in August.