It’s official: The FBI says car hacking is a real risk

With a public service announcement compiled jointly with the Department of Transportation and the National Highway Traffic and Safety Administration, the FBI has announced that it finally considers car hacking a real and present danger, and so should the general public and vehicle manufacturers.

Car hacking

Taking as an example the car hacking demonstrated by researchers Charlie Miller and Chris Valasek last summer, the FBI explained that the vulnerabilities in that particular case have been adressed through device (radio module) and vehicle updates.

But, “while the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future,” the FBI noted.

“Vulnerabilities may exist within a vehicle’s wireless communication functions, within a mobile device – such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi – or within a third-party device connected through a vehicle diagnostic port,” they pointed out.

“Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems.”

In the last few years, more and more security researchers have been trying and succeeding in hacking vehicles.

Among the most recently revealed attempts are that by security consultant Craig Smith who delved into the topic of hacking car diagnostic tools, security researcher Troy Hunt who proved that the popular electric car Nissan LEAF is open to attack due to insecure APIs, and security researcher Jose Carlos Norte who has shown that trucks, buses and delivery vans that have been equipped with the Telematics Gateway Unit (TGU) device can leak sensitive data, and posited the vehicles themselves perhaps can be manipulated via the device.

Earlier last year BT has launched an ethical connected car hacking service, and freelance developer Eric Evenchick made available hardware and software design files for CANtact, an open source tool that allows hackers, testers and researchers to connect to the car’s Controller Area Network (CAN), which connects to the various computers that are embedded in modern cars.

In October 2015, the US Librarian of Congress made it legal for security researchers and users to look under the hood of motorized land vehicles for purposes of diagnosis, repair and modification of the vehicle. This decision goes in effect on October 2016.

But not everyone is interested in car hacking – some are interested in spotting/preventing it. At the upcoming HITBSecConf2016 in Amsterdam, security researcher Jun Li will present and open source CANsee, a machine learning based IDS for automobiles to detect abnormal traffic on the CANBUS, so that it can be further analyzed by researchers.

Aside of raising awareness about the possibility of their vehicles getting hacked, the FBI has offered some advice to owners on how to prevent this: by ensuring their vehicle software is up to date, by being careful when making any modifications to it, by maintaining awareness and exercising discretion when connecting third-party devices to their vehicle, and by being aware of who has physical access to their vehicle.

In case of a hack or suspected hack, vehicle owners are advised to contact the vehicle manufacturer or authorized dealer, as well as the FBI and the National Highway Traffic Safety Administration.

“As the theoretical attacks highlight, such as that carried out at Black Hat 2015, the potential to hack and gain control of connected vehicles is a very real threat. We are yet to see this translate into actual attacks, however as with any crime, it is just a matter of requiring a motive. Generally, cybercriminals take action with the aim of financial gain or political, personal or social activism. If driverless and connected vehicles are to become commonplace in the UK, as suggested by Osborne, it is just a matter of time before attackers find a means to use this as an opportunity to fulfil one of these motives,” notes Raj Samani, CTO EMEA Intel Security.

“Intel developed the Automotive Security Review Board (ASRB) – a collaboration of top security and automotive industry talent from across the globe – who work together to stay one step ahead of cybercriminals and secure vulnerabilities before hackers have the opportunity to turn this potential risk into a dangerous reality. It’s crucial that security is a key consideration right from the manufacturing stage of connected vehicles and the ASRB welcomes input and collaboration with the government to advise best practices for tackling this issue together.”

“What we’re seeing happen in the auto industry is a microcosm of what’s happening in financial services, healthcare and virtually every other sector – applications are not created with security in mind, creating a major area of risk,” says Chris Wysopal, CTO, Veracode.

“Exposing a car to the Internet makes it vulnerable to cyberattack due to poorly written software, which could render the car unstable or dangerous. Building a secure application development programme is a significant challenge for manufacturers, which is compounded by the need to do so under the microscope of government regulated safety standards and liability concerns.”

The recently released results of a study commissioned by the company, which included interviews with over 1,000 drivers across the UK and Germany and representatives of Fiat-Chrysler, Seat, Scania, Delphi and German industry body ADAC, showed that manufacturers are concerned about the security of critical vehicle systems being exposed to applications they did not develop, but that they don’t worry as much as the drivers about driver data privacy.

In the meantime, 87 percent of drivers polled believe all aspects of safety – including resiliency of applications to cyberattack – rests with manufacturers, regardless of whether an in-car application was developed by a software company or the car manufacturers themselves.