Fearing a rise in car hacking, the FBI is warning the public to secure their vehicles and after-market devices.
A joint public service announcement from the FBI, Department of Transportation and the National Highway Traffic Safety Administration (NHTSA) lists wireless components of modern vehicles that can be vulnerable and the methods attackers could use to launch a real-life attack, similar to the one demonstrated last year in which researchers remotely seized control of a Jeep Cherokee.
The research highlighted that the car's 'attack surface', which consisted mostly of wireless components, could be used to transmit controller area network (CAN) messages to the electronic control units (ECU). It prompted Chrysler to recall 1.4 million vehicles and mail customers a USB drive with a software fix.
But if car manufacturers begin regularly updating vehicles, the agencies now fear that attackers will exploit the delivery channel to infect vehicles with malware, for example, by mailing USBs containing a malicious version of the vehicle's software.
Indeed, as one security expert pointed out at the time, posting a USB with a software update was dangerous from a security standpoint.
Consumers will need to verify the authenticity of the USB drive and whether or not a manufacturer has actually sent an update using this method, the agencies said.
Car owners may also be targeted with attacks that have proven effective at compromising computers, such as email laced with malware or, alternatively, tricking targets into clicking a link to a webpage hosting malware.
"The malware could be designed to install on the owner's computer, or be contained in the vehicle software update file, so as to be introduced into the owner's vehicle when the owner attempts to apply the update via USB," the agencies note.
Another issue is third-party devices that plug into the OBD2 diagnostics port, such as dongles from insurance companies that can be used to reduce premiums through safer driving.
While attacks on these dongles have typically been local, researchers demonstrated last August that they were able to send commands to the CAN buses in a vehicle by sending a specially-crafted SMS to such a dongle.
In the end, the agencies warn that consumers will need to treat vehicles with the same level of caution they apply to their computers and smartphones, although that might be difficult given cars are regularly parked and left out of sight for extended periods.
"In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don't trust, it is important that you maintain awareness of those who may have access to your vehicle."
More on car hacking
- Why the connected car is one of this generation's biggest security risks
- How to hack self-driving cars with a laser pointer
- Why Chrysler's car hack 'fix' is staggeringly stupid
- BT to start hacking connected cars, as cyberattack risks increase
- Intel launches automotive security board to tackle connected car security risks
- Fiat Chrysler recalls 8,000 extra Jeeps over remote control hacking worries