3/18/2016
04:00 PM

Feds Urge Caution On Aftermarket Devices That Plug Into Vehicle Diagnostic Ports

Vulnerabilities in such products could give attackers a way to access and control critical vehicle systems, the FBI, DOT, and NHTSA warn.

Most of us are unlikely to consider that connecting a cell phone via USB to our cars or sticking an aftermarket remote starter in the diagnostic port under the steering wheel could pose a threat to privacy and safety. Turns out it may be time to start thinking about it.

The same technologies that are making vehicles increasingly smarter and more connected are also opening them to new threats, the FBI, the Department of Transportation, and the National Highway Traffic Safety Administration said in a somewhat unusual public service announcement Thursday.

The alert highlights several concerns that have been aired previously about attacks that allow malicious hackers to gain remote control over vehicle functions by exploiting weaknesses in wireless communications technologies. Not all of the security issues pose a threat to driver safety – some flaws, for instance, expose vehicle and driver data to theft, the FBI and others said.

One example the alert points to is a demonstration last year in which security researchers showed how they could exploit a Jeep Wrangler’s cellular connectivity and an optionally enabled Wi-Fi hotspot to remotely control the vehicle’s steering, braking, door locks, ignition, and other functions. The demonstration resulted in Fiat Chrysler recalling some 1.5 million vehicles to mitigate the vulnerability.

What’s interesting about the alert is its focus on aftermarket vehicle technologies as posing a potential threat to vehicle owners.

Vulnerabilities can exist not just in a vehicle’s communications functions but also in third-party aftermarket devices that connect to the vehicle’s Onboard Diagnostics port (OBD-II), the FBI warned.

All cars manufactured since 1996 have a standard Onboard Diagnostic Port (OBD-II) that gives service technicians and others a quick way to access information on the status of various vehicle systems and to run emissions tests.

Recently, there has been a significant increase in the number of aftermarket products that can be plugged directly into the OBD-II port, the alert said. As one example, it pointed to the dongles that some insurance companies have been issuing to drivers for monitoring their driving habits in exchange for a potential discount on premiums.

But there is a slew of other products as well, including remote starters, infotainment systems, engine and vehicle performance monitoring gadgets, and fleet maintenance technologies. A Frost & Sullivan analyst, writing in Searchautoparts.com last year, predicted that the size of the market for such products would reach around $1 billion by 2020.

Many of the products are wireless-enabled and can be accessed and managed via smartphones and tablets. Drivers, for instance, can use their smartphones to control the remote starter or infotainment system plugged into the diagnostic port or to receive information like tire pressure and engine performance warnings from OBD-II enabled telematics systems.

This means that a malicious hacker no longer needs physical access to the OBD-II port in order to have potential access to the various electronic control units in vehicles, including those controlling acceleration, braking and steering, the FBI alert warned.

Third-party devices connected to the vehicle via the OBD port can introduce vulnerabilities by enabling connectivity where none existed previously, it said. “While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems,” the alert said.

The FBI's recommendations for mitigating vehicle cybersecurity risks are similar to its recommendations for protecting computers against malware and other threats. For instance, it wants vehicle owners to always install any software updates that the manufacturer issues, but to verify the authenticity of each update before installing it. Customers of car manufacturers that issue regular updates online need to watch out for phishing scams and other social engineering tricks where attackers try to get vehicle owners to install malware on their vehicles.

The alert urged vehicle owners to verify all recall notices by checking on the manufacturer’s website. It also urged drivers to avoid downloading software from third-party websites and to ensure that all downloads are made to a trusted USB or storage device before being transferred to the vehicle.

Making modifications to software that have not been recommended by the vehicle manufacturer is generally a bad idea because it could introduce safety and security risks, the FBI and others said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
