​FBI to drivers: Watch out for these malware attacks on your car

The FBI and regulators have issued a warning that modern vehicles are increasingly vulnerable to remote attacks.
Written by Liam Tung, Contributing Writer

Last year, researchers remotely seized control of a Chrysler Jeep Cherokee.

Image: AJ Mueller/Fiat Chrysler Automobiles

Fearing a rise in car hacking, the FBI is warning the public to secure their vehicles and after-market devices.

A joint public service announcement from the FBI, Department of Transportation and the National Highway Traffic Safety Administration (NHTSA) lists wireless components of modern vehicles that can be vulnerable and the methods attackers could use to launch a real-life attack, similar to the one demonstrated last year in which researchers remotely seized control of a Jeep Cherokee.

The research highlighted that the car's 'attack surface', which consisted mostly of wireless components, could be used to transmit controller area network (CAN) messages to the electronic control units (ECU). It prompted Chrysler to recall 1.4 million vehicles and mail customers a USB drive with a software fix.

But if car manufacturers begin regularly updating vehicles, the agencies now fear that attackers will exploit the delivery channel to infect vehicles with malware, for example, by mailing USBs containing a malicious version of the vehicle's software.

Indeed, as one security expert pointed out at the time, posting a USB with a software update was dangerous from a security standpoint.

Consumers will need to verify the authenticity of the USB drive and whether or not a manufacturer has actually sent an update using this method, the agencies said.

Car owners may also be targeted with attacks that have proven effective at compromising computers, such as email laced with malware or, alternatively, tricking targets into clicking a link to a webpage hosting malware.

"The malware could be designed to install on the owner's computer, or be contained in the vehicle software update file, so as to be introduced into the owner's vehicle when the owner attempts to apply the update via USB," the agencies note.

Another issue is third-party devices that plug into the OBD2 diagnostics port, such as dongles from insurance companies that can be used to reduce premiums through safer driving.

While attacks on these dongles have typically been local, researchers demonstrated last August that they were able to send commands to the CAN buses in a vehicle by sending a specially-crafted SMS to such a dongle.

In the end, the agencies warn that consumers will need to treat vehicles with the same level of caution they apply to their computers and smartphones, although that might be difficult given cars are regularly parked and left out of sight for extended periods.

"In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don't trust, it is important that you maintain awareness of those who may have access to your vehicle."

More on car hacking

Editorial standards