WASHINGTON (June 17, 2016) — The FBI is warning auto makers, motorists and auto repair shops that many of the vehicles on the road today are vulnerable to hacking from outside sources, and cybersecurity can be jeopardized.
“As previously reported by the media in and after July 2015, security researchers evaluating automotive cybersecurity were able to demonstrate remote exploits of motor vehicles,” the bureau said in a public service announcement recently issued in conjunction with the U.S. Department of Transportation (DOT) and the National Highway Traffic Safety Administration (NHTSA).
The FBI went on to point out that the analysis by security analysts “demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future.
“Third-party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities.”
Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy and greater overall convenience, according to the FBI, which added that aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. “However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.”
Vehicle hacking occurs when someone with a computer seeks to gain unauthorized access to vehicle systems for the purposes of retrieving driver data or manipulating vehicle functionality. While not all hacking incidents may result in a risk to safety — such as an attacker taking control of a vehicle — “it is important that consumers take appropriate steps to minimize risk.
“Therefore, the FBI and NHTSA are warning the general public and manufacturers — of vehicles, vehicle components, and aftermarket devices — to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the bureau said.
The FBI offered the following explanations for vehicle diagnostics and their vulnerability to outside attacks:
How are computers used in modern motor vehicles?
“Motor vehicles contain an increasing number of computers in the form of electronic control units (ECUs). These ECUs control numerous vehicle functions from steering, braking and acceleration, to the lights and windshield wipers. A wide range of vehicle components also have wireless capability: from keyless entry, ignition control, and tire pressure monitoring, to diagnostic, navigation, and entertainment systems.
“While manufacturers attempt to limit the interaction among vehicle systems, wireless communications and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems.
“Third-party devices connected to the vehicle — for example through the diagnostics port — could also introduce vulnerabilities by providing connectivity where it did not exist previously.”
What are some of the ways an attacker can access vehicle networks and driver data?
“Vulnerabilities may exist within a vehicle's wireless communication functions, within a mobile device — such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi — or within a third-party device connected through a vehicle diagnostic port,” the FBI said.
“In these cases, it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle's controller network or to data stored on the vehicle. Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems.”
The bureau provided the following example of what it called “recently demonstrated remote exploits” with vehicles:
“Over the past year, researchers identified a number of vulnerabilities in the radio module of a (model year) 2014 passenger vehicle and reported its detailed findings in a whitepaper published in August 2015.
“The vehicle studied was unaltered and purchased directly from a dealer. In this study, which was conducted over a period of several months, researchers developed exploits targeting the active cellular wireless and optionally user-enabled Wi-Fi hotspot communication functions. Attacks on the vehicle that were conducted over Wi-Fi were limited to a distance of less than about 100 feet from the vehicle.
“However, an attacker making a cellular connection to the vehicle's cellular carrier — from anywhere on the carrier's nationwide network — could communicate with and perform exploits on the vehicle via an Internet Protocol (IP) address.
“In the aforementioned case, the radio module contained multiple wireless communication and entertainment functions and was connected to two controller area network (CAN) buses in the vehicle.”
According to the FBI, the following are some of the vehicle function manipulations researchers were able to accomplish:
- In a target vehicle, at low speeds (5-10 mph): engine shutdown; disable brakes; steering.
- In a target vehicle, at any speed: door locks; turn signal; tachometer; and radio, HVAC and GPS.
What did the manufacturer in the recent case do to fix or mitigate the identified vulnerabilities?
In this case, the FBI said, “NHTSA believed the vulnerability represented an unreasonable risk to safety based on a number of critical factors: Once exploited, the vulnerability allowed access to and manipulation of critical vehicle control systems; the population of vehicles potentially at risk was huge; and the likelihood of exploitation was great given that the researchers were scheduled to publish the bulk of their work product.”
As a result, almost 1.5 million vehicles were recalled (NHTSA Recall Campaign Number: 15V461000).
Before the researchers' report was released, the cellular carrier for the affected vehicles blocked access to one specific port (TCP 6667) for the private IP addresses used to communicate with vehicles. However, the recall was still necessary to mitigate other, short-range vulnerabilities, NHTSA said.
The vehicle manufacturer and cell service provider have provided a remedy to mitigate the specific vulnerabilities, the agency continued. “The manufacturer announced it would notify owners of vehicles affected by the recall and would mail them a USB drive containing the update and additional security features for the vehicle software.
“Alternatively, the manufacturer announced that owners could visit a website to check if their vehicle was included in the recall and to download the software update to a USB drive. Owners who did not wish to install the update via USB to their own vehicles were given the option to have their vehicle dealer install the update.”
Consumer action
For consumers wondering whether their vehicle has been recalled for a vehicle cybersecurity issue, the FBI offered that, “when a vehicle is included in a recall, the manufacturer sends a notification to vehicle owners informing them of the issue and how to obtain a free remedy to address the problem.
“In general, it is important that consumers maintain awareness of the latest recalls and updates affecting their motor vehicles. This can be done by following the instructions on NHTSA's www.safercar.gov website, media and news announcements of recalls, contacting your nearest vehicle dealership, or checking the vehicle manufacturer's website for recall-related information.”
The bureau also suggested that vehicle owners check their vehicles' VINs for recalls at least twice annually using this Web link: http://vinrcl.safercar.gov.
Consumers can also look for other related information for their vehicles at the following Web links:
http://www-odi.nhtsa.dot.gov/owners/SearchSafetyIssues
http://www.recalls.gov/nhtsa.html
The FBI said consumers can help minimize vehicle cybersecurity risks by doing the following:
1. Ensure your vehicle software is up to date.
“If a manufacturer issues a notification that a software update is available, it is important that the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date.”
However, the bureau cautioned that “if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method. A criminal could send socially engineered email messages to vehicle owners who are looking to obtain legitimate software updates.
“Instead, the recipients could be tricked into clicking links to malicious websites or opening attachments containing malicious software (malware). The malware could be designed to install on the owner's computer, or be contained in the vehicle software update file, so as to be introduced into the owner's vehicle when the owner attempts to apply the update via USB.”