Dark Reading

Attacks/Breaches

3/18/2016
04:00 PM
Feds Urge Caution On Aftermarket Devices That Plug Into Vehicle Diagnostic Ports

Vulnerabilities in such products could give attackers a way to access and control critical vehicle systems, the FBI, DOT, and NHTSA warn.

Most of us are unlikely to consider that connecting a cell phone via USB to our cars or sticking an aftermarket remote starter in the diagnostic port under the steering wheel could pose a threat to privacy and safety. Turns out it may be time to start thinking about it.

The same technologies that are making vehicles increasingly smarter and more connected are also opening them to new threats, the FBI, the Department of Transportation, and the National Highway Traffic Safety Administration said in a somewhat unusual public service announcement Thursday.

The alert highlights several concerns that have been aired previously about attacks that allow malicious hackers to gain remote control over vehicle functions by exploiting weaknesses in wireless communications technologies. Not all of the security issues pose a threat to driver safety – some flaws, for instance, expose vehicle and driver data to theft, the FBI and others said.

One example it points to is a demonstration last year in which security researchers showed how they could exploit a Jeep Wrangler’s cellular connectivity and its optionally enabled Wi-Fi hotspot to remotely control the vehicle’s steering, braking, door locks, ignition, and other functions. The demonstration resulted in Fiat Chrysler recalling some 1.5 million vehicles to mitigate the vulnerability.

What’s interesting about the alert is its focus on aftermarket vehicle technologies as posing a potential threat to vehicle owners.

Vulnerabilities can exist not just in a vehicle’s communications functions but also in third-party aftermarket devices that connect to the vehicle’s Onboard Diagnostics port (OBD-II), the FBI warned.

All cars manufactured since 1996 have a standard Onboard Diagnostic Port (OBD-II) that gives service technicians and others a quick way to access information on the status of various vehicle systems and supports emissions testing.

Recently, there has been a significant increase in the number of aftermarket products that can be plugged directly into the OBD-II port, the alert said. As one example it pointed to the dongles that some insurance companies have been issuing to drivers to monitor their driving habits in exchange for a potential discount on premiums.

But there are a slew of other products as well, including remote starters, infotainment systems, engine and vehicle performance monitoring gadgets, and fleet maintenance technologies. A Frost & Sullivan analyst, writing in Searchautoparts.com last year, predicted that the size of the market for such products would reach around $1 billion by 2020.

Many of the products are wireless-enabled and can be accessed and managed via smartphones and tablets. Drivers, for instance, can use their smartphones to control the remote starter or infotainment system plugged into the diagnostic port, or to receive information such as tire pressure and engine performance warnings from OBD-II enabled telematics systems.

This means that a malicious hacker no longer needs physical access to the OBD-II port to potentially reach the various electronic control units in a vehicle, including those controlling acceleration, braking, and steering, the FBI alert warned.

Third-party devices connected to the vehicle via the OBD port can introduce vulnerabilities by enabling connectivity where none existed previously, it said. “While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems,” the alert said.

The recommendations the FBI offers for mitigating vehicle cybersecurity risks are similar to its recommendations for protecting computers against malware and other threats. For instance, it wants vehicle owners to always install any software updates the manufacturer issues, but to verify that an update is authentic before installing it. Customers of car manufacturers that issue regular updates online need to watch out for phishing scams and other social engineering tricks in which attackers try to get vehicle owners to install malware on their vehicles.

The alert urged vehicle owners to verify all recall notices by checking the manufacturer’s website. It also urged drivers to avoid downloading software from third-party websites and to make sure any download is placed on a trusted USB or storage device before transferring it to the vehicle.

Making software modifications that the vehicle manufacturer has not recommended is generally a bad idea because it could introduce safety and security risks, the FBI and others said.
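The alert's advice on updates boils down to two checks an owner (or a fleet operator scripting the process) can make before an update file ever touches a USB stick: that it came from the manufacturer's own site rather than a third party, and that the file is the one the manufacturer actually published. The following Python script is an added example, not code from the article or from any of the agencies or manufacturers it mentions. It assumes a hypothetical allowlist of manufacturer update hosts and a constructed SHA-256 manifest standing in for one the manufacturer would publish over a trusted channel; both are labelled as such in the code.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical allowlist of manufacturer update hosts (assumption for this
# example; a real owner would take this from the manufacturer's own site).
TRUSTED_UPDATE_HOSTS = {"updates.example-automaker.test"}

# Constructed manifest standing in for one the manufacturer publishes:
# update filename -> expected SHA-256 hex digest of the file.
CONSTRUCTED_PAYLOAD = b"constructed telematics firmware image v2.4.1"
CONSTRUCTED_MANIFEST = {
    "tcu-firmware-2.4.1.bin": hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest(),
}


def is_trusted_source(url: str) -> bool:
    """True only for HTTPS URLs served by an allowlisted manufacturer host.

    This is the 'avoid third-party websites' check: a look-alike host, a
    plain-HTTP link or a bare IP address in a phishing mail all fail here.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_UPDATE_HOSTS


def digest_matches(filename: str, payload: bytes, manifest: dict) -> bool:
    """True if the file's SHA-256 equals the manifest entry for that name.

    A file that is not listed at all is rejected, as is a listed file whose
    contents differ from what the manufacturer published.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    # compare_digest avoids leaking which prefix of the digest matched.
    return hmac.compare_digest(actual, expected)


def vet_update(url: str, filename: str, payload: bytes, manifest: dict):
    """Run both checks; return (ok, reason) so the caller can log the outcome.

    Only an update that passes both checks should be copied to the trusted
    storage device that is then plugged into the vehicle.
    """
    if not is_trusted_source(url):
        return False, "source is not an allowlisted manufacturer host over HTTPS"
    if not digest_matches(filename, payload, manifest):
        return False, "file digest does not match the manufacturer manifest"
    return True, "update verified; safe to stage on trusted storage"


if __name__ == "__main__":
    good = vet_update(
        "https://updates.example-automaker.test/tcu/tcu-firmware-2.4.1.bin",
        "tcu-firmware-2.4.1.bin", CONSTRUCTED_PAYLOAD, CONSTRUCTED_MANIFEST,
    )
    lookalike = vet_update(
        "https://updates.example-automaker-support.test/tcu-firmware-2.4.1.bin",
        "tcu-firmware-2.4.1.bin", CONSTRUCTED_PAYLOAD, CONSTRUCTED_MANIFEST,
    )
    tampered = vet_update(
        "https://updates.example-automaker.test/tcu/tcu-firmware-2.4.1.bin",
        "tcu-firmware-2.4.1.bin", CONSTRUCTED_PAYLOAD + b"\x00", CONSTRUCTED_MANIFEST,
    )
    for label, result in (("genuine", good), ("look-alike host", lookalike), ("tampered file", tampered)):
        print(f"{label}: {result}")
```

The host allowlist is what defeats the phishing scenario the alert describes, since a fake "recall" e-mail has to link somewhere; the digest check is what catches a file that was swapped or modified in transit. Neither replaces a manufacturer-signed update format where one exists, but both are checks an owner can perform with what the manufacturer already publishes.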

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
