Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/18/2016
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Feds Urge Caution On Aftermarket Devices That Plug Into Vehicle Diagnostic Ports

Vulnerabilities in such products could give attackers a way to access and control critical vehicle systems, the FBI, DOT, and NHTSA warn.

Most of us are unlikely to consider that connecting a cell phone via USB to our cars or sticking an aftermarket remote starter in the diagnostic port under the steering wheel could pose a threat to privacy and safety. Turns out it may be time to start thinking about it.

The same technologies that are making vehicles increasingly smarter and more connected are also opening them to new threats, the FBI, the Department of Transportation, and the National Highway Traffic Safety Administration said in a somewhat unusual public service announcement Thursday.

The alert highlights several concerns that have been aired previously about attacks that allow malicious hackers to gain remote control over vehicle functions by exploiting weaknesses in wireless communications technologies. Not all of the security issues pose a threat to driver safety – some flaws, for instance, expose vehicle and driver data to theft, the FBI and others said.

One example it points to is a demonstration last year where security researchers showed how they could exploit a Jeep Wrangler’s cellular connectivity and an optionally enabled Wi-Fi hotspot communication to remotely control the vehicle’s steering, braking, door locks, ignition, and other functions. The demonstration resulted in Fiat Chrysler recalling some 1.5 million vehicles to mitigate the vulnerability.

What’s interesting about the alert is its focus on aftermarket vehicle technologies as posing a potential threat to vehicle owners.

Vulnerabilities can exist not just in a vehicle’s communications functions but also in third-party aftermarket devices that connect to the vehicle’s Onboard Diagnostics port (OBD-II), the FBI warned.

All cars manufactured since 1996 have a standard Onboard Diagnostic Port (OBD-II) that allows service technicians and others a quick way to access information on the status of various vehicle systems and to enable emissions tests.

Recently, there has been a significant increase in the number of aftermarket products that can be plugged directly into the ODB-II port, the alert said. As one example it pointed to the dongles that some insurance companies have been issuing to drivers for monitoring their driving habits in exchange for a potential discount on premiums.

But there are a slew of other products as well, including remote starters, infotainment systems, engine and vehicle performance monitoring gadgets, and fleet maintenance technologies. A Frost & Sullivan analyst, writing in Searchautoparts.com last year, predicted that the size of the market for such products would reach around $1 billion by 2020.

Many of the products are wireless-enabled and can be accessed and managed via smartphones and tablets. Drivers, for instance, can use their smartphones to control the remote-starter or infotainment system plugged into the diagnostic port or to receive information like tire pressure and engine performance warning from OBD-II enabled telematics systems.

This means that a malicious hacker no longer needs physical access to the OBD-II port in order to have potential access to the various electronic control units in vehicles, including those controlling acceleration, braking and steering, the FBI alert warned.

Third-party devices connected to the vehicle via the OBD port can introduce vulnerabilities by enabling connectivity where none existed previously, it said. “While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems,” the alert said.

The recommendations that the FBI has for mitigating vehicle cybersecurity risks are similar to its recommendations for protecting computers against malware and other threats. For instance, it wants vehicle owners to always install any software updates that the manufacturer issues, but to make sure to verify the authentication of the update before installing it. Customers of car manufacturers that issue regular updates online need to watch out for phishing scams and other social engineering tricks where attackers try to get vehicle owners to install malware on their vehicles.

The alert urged vehicle owners to verify all recall notices by checking on the manufacturer’s website. It also urged drivers to avoid downloading software from third-party websites and to ensure that all downloads are made on a trusted USB or storage device before transferring it to the vehicle.

Making modifications to software that have not been recommended by the vehicle manufacturer is generally a bad idea because it could introduce safety and security risks, the FBI and others said.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
geeksquadsupport
50%
50%
geeksquadsupport,
User Rank: Apprentice
5/29/2018 | 8:22:13 AM
Blogs to write
At present reading and posting, blogs are very common and are trending. These sites are very helpful to learn our own blogs and tips. for more visit 

https://geeksquadtechsupport.co/
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.