Feds warn of potential cyberattacks on cars

Keith Laing
Detroit News Washington Bureau

Washington — The federal government is warning drivers about potential cyberattacks on their vehicles as cars are becoming increasingly more “connected.”

The FBI and National Highway Traffic Safety Administration said researchers have identified vulnerabilities in cars made as recently as the 2014 model year that highlight a troubling trend in auto cybersecurity, citing a report that was conducted in 2015 by the Seattle-based IOActive security firm.

“In this study, which was conducted over a period of several months, researchers developed exploits targeting the active cellular wireless and optionally user-enabled Wi-Fi hotspot communication functions,” the agencies wrote, noting that “the vehicle studied was unaltered and purchased directly from a dealer.”

They added: “Attacks on the vehicle that were conducted over Wi-Fi were limited to a distance of less than about 100 feet from the vehicle,” the report continued. “However, an attacker making a cellular connection to the vehicle’s cellular carrier — from anywhere on the carrier’s nationwide network — could communicate with and perform exploits on the vehicle via an Internet Protocol (IP) address.”

The agencies warned that the rapidly increasing use of technology in cars makes them more vulnerable than ever to being hacked.

Modern cars “often include new connected vehicle technologies that aim to provide benefits such as added safety features,” they wrote, but they also present vulnerabilities that could be exploited by hackers who have a malicious intent.

“While not all hacking incidents may result in a risk to safety — such as an attacker taking control of a vehicle — it is important that consumers take appropriate steps to minimize risk,” the agencies said.

The warning about potential auto cyberattacks as automakers and technology companies are pushing to develop driverless cars — and asking Congress to create a friendly regulatory environment for them.

Chris Urmson, Google X director of self-driving cars, told lawmakers in a Senate committee hearing this week that his company is far along with testing of automated technology that could drastically transform the way drivers interact with their autos.

“We’re now testing self-driving prototype vehicles in three different states, and over the last seven years, we’ve driven over 1.4 million miles in autonomous mode,” he said during a hearing on driveless autos that took place in Washington on Tuesday.

Urmson said during the Senate hearing that self-driving cars could greatly boost the safety of U.S. roadways, but only if they are allowed to operate fully autonomously.

Last year, hackers were able to wirelessly hijack a Jeep Cherokee in a demonstration that was revealed in a Wired magazine attack over the objection of the vehicle’s manufacturer, Fiat Chrysler. The discovery of the breach was a major flash point for the auto industry as features like parking assistance and lane control become more readily available in U.S. cars.

Automakers have largely focused on potential safety improvements from technological advances in car manufacturing, such as vehicle-to-vehicle and vehicle-to-infrastructure communications and eventually self-driving autos, although they have acknowledged the need to vigilant about cybersecurity.

“Many of today’s active safety technologies, such as full-speed range adaptive cruise control and lane-keeping assist, are steps towards autonomous driving,” Mike Ableson, GM’s vice president of strategy and global portfolio planning, told lawmakers during this week’s hearing on self-driving autos.

The FBI and NTHSA said vulnerabilities to connected cars could exist “within a vehicle’s wireless communication functions, within a mobile device — such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth or Wi-Fi — or within a third-party device connected through a vehicle diagnostic port.”

The agencies said drivers will also have to be vigilant when it comes to protecting their connected cars from cyberattacks, drawing parallels to measures that are taken to shield computers and other electronic devices from hackers

“If a manufacturer issues a notification that a software update is available, it is important that the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date,” the agencies said.

But even then, the FBI and NHTSA warned “a criminal could send socially engineered email messages to vehicle owners who are looking to obtain legitimate software updates.”


(202) 662-8537

Twitter: @Keith_Laing