A new bulletin has been issued by two federal agencies warning of an increased cyber-security threat to the automotive industry and automobile owners.
Hackers are seen as a growing concern at a time when automobiles are becoming increasingly dependent upon high-tech safety, performance and convenience features. Several automakers, including BMW, Nissan and Fiat Chrysler, have already been forced to take actions to deal with vulnerabilities that could let hackers gain access to some of their vehicles.
“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” warned a new bulletin issued jointly by the FBI and the National Highway Traffic Safety Administration.
NHTSA has been warning of the risk of hacking for more than a year, and administrator Mark Rosekind declared cyber-security one of the single-biggest concerns for the auto industry during a visit to Detroit earlier this year. The new bulletin appears to take things to an even more elevated level.
Concerns about cyber-security have grown more serious in tandem with the expanded use of electronics on today’s vehicles. It is common for even base-level cars to have dozens of microprocessors onboard, and there are numerous ways hackers could gain entry into these systems, including everything from wireless tire pressure monitors to the 4G LTE hotspots becoming increasingly common.
Several automakers already have taken steps to allow for remote updating of vehicle systems. Tesla, for example, recently used such wireless technology to upload its new, semi-autonomous AutoPilot system to Model S sedans and Model X SUVs.
General Motors is rapidly expanding the use of 4G LTE technology – now offered on virtually every Chevrolet sold in the U.S. – though global product development director Mark Reuss told TheDetroitBureau.com that GM will not allow access to core vehicle controls, such as engine and transmission software. But experts warn that hackers could find ways to bypass such firewalls.
(Terrorists could use autonomous vehicles as car bombs, expert warns. For more, Click Here.)
That concern was underscored when GM last year had to rush out an update for a smartphone app that could allow a hacker to start the engine and unlock the doors on the Chevrolet Volt plug-in hybrid.
Other recent automotive cyber-security problems include:
- A weakness that could allow hackers to attack BMW, Mini and Rolls-Royce vehicles triggered the February 2015 recall of 2.2 million vehicles;
- A flaw that allowed two “white hat” hackers to gain control of a Jeep Cherokee’s steering, transmission and brakes, remotely forcing it off the road. That also led to a recall;
- A security weakness in a smartphone app for the Nissan Leaf battery car this past month forced the Japanese maker to disable the app until a fix can be re-programmed.
The cyber-security problem is expected to grow even more serious as manufacturers start rolling out semi- and fully autonomous vehicles. Tesla itself issued a patch to address some concerns shortly after the launch of its AutoPilot system.
During the recent South-by-Southwest conference in Austin, Texas, one security expert went so far as to warn terrorists could take advantage of security issues, among other things using autonomous vehicles as car bombs.
“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” said the FBI/NHTSA bulletin.
(Ford, GM betting big on autonomous technology. Click Here for more.)
The bulletin warns that owners could provide an easy path of entry for hackers, even if they can’t directly gain access to vehicles. A common trick has been to reach out to consumers by warning them of alleged security or functional problems with their computers. If a user falls for the scam, hackers then load software with hidden back doors or other security breaches.
The same method could be exploited with vehicle owners, the FBI bulletin said, noting motorists, “could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software.”
Several automakers have offered legitimate updates for their vehicles – Ford, for example, revised its Sync technology two years ago, allowing owners to install the updates by plugging in a factory-supplied thumb drive.
Two industry trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers have set up a new Information Sharing and Analysis Center to serve as a clearinghouse for research and information on automotive cyber-security.
(To see more about Uber’s alleged purchase of 100,000 Mercedes S-Class sedans, Click Here.)
An FBI spokesperson said the bulletin was meant to serve as a public service announcement to increase consumer awareness.