The Federal Bureau of Investigation (FBI) and the Department of Transportation (DoT) released a public service announcement (PSA) to warn manufacturers and consumers about some of the dangers of connected automobiles.
“Vulnerabilities may exist within a vehicle's wireless communication functions, within a mobile device – such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi – or within a third-party device connected through a vehicle diagnostic port,” the PSA said.
Officials warned that these new connections could provide cybercriminals with more attack portals and described various ways attackers could remotely access vehicle controls and systems.
Officials said that while not all car hacking incidents result in safety risks, consumers should take the appropriate steps to minimize their own risks.
The PSA recommended that consumers ensure their vehicle's software is up to date, be careful when making any modifications to vehicle software, maintain awareness, and exercise discretion when connecting third-party devices to vehicles.
Officials also provided guidelines for what to do if a consumer suspects their vehicle has been hacked.
As an example of the risks, the PSA featured researchers demonstrating remote exploits on an unnamed vehicle in which they were able to disable the engine, brakes, steering and other features of the vehicle via Wi-Fi and cellular connections.
The vehicle's manufacturer has since patched the specified vulnerabilities but officials said the vulnerabilities represented an “unreasonable risk to safety based on a number of critical factors.”
HPE Security Global Product Manager Reiner Kappenberger said in comments emailed to SCMagazine.com that auto manufacturers may have good intentions but still have trouble making cybersecurity a priority in connected cars.
“Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before,” Kappenberger said.
Cost is also a potential hurdle to prioritizing security, Tripwire Security Researcher Lane Thames said in comments emailed to SCMagazine.com.
“Building highly secure systems is hard and sometimes costly,” he stressed.
It would take a “holistic, cross-disciplinary approach for the design and implementation of cybersecurity and its interconnection with technology” to properly secure connected vehicles, Thames said.
A recent survey of drivers and auto industry representatives found that it may be one to three years before connected car systems are capable of dealing with all the security concerns that are present.