Vehicle hacking might just be the crime of the future. Vulnerabilities always exist if a vehicle connects to a service using internal telematics or other devices that connect using an OBD-II port, USB connection or over Bluetooth. All of these entry points are potential ... it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle’s controller network or to data stored on the vehicle.
Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems.
1. Ensure your vehicle’s software is up to date
If a manufacturer issues a notification that a software update is available, it is important that the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date. If manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method. A criminal could send socially engineered e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software (malware). The malware could be designed to install on the owner’s computer, or be contained in the vehicle software update file, so as to be introduced into the owner’s vehicle when the owner attempts to apply the update via USB. According to the FBI and NHTSA, an attacker could attempt to mail vehicle owners USB drives containing a malicious version of a vehicle’s software.
2. Be careful when making any modifications to vehicle software
Making modifications to the software to improve the performance of a car or truck can open the vehicle up to attack because the “controlled” or “tuner” tool could prevent the system from receiving updates. Also, the tool can be hacked and used to install malware on a vehicle.
3. Be careful what you plug into a vehicle
All vehicles made since 1996 feature a standardized OBD-II port, which provides some level of connectivity to the in-vehicle communication networks. There has been a significant increase in the availability of third-party devices that can be plugged directly into the diagnostic port. These devices, which may be designed independently of the vehicle manufacturer, include insurance dongles and other telematics and vehicle monitoring tools. The security of these devices is important, as they can provide an attacker with a means of accessing vehicle systems and driver data remotely.
While in the past accessing automotive systems through this OBD-II port would typically require an attacker to be physically present in the vehicle, it may be possible for an attacker to indirectly connect to the vehicle by exploiting vulnerabilities in these aftermarket devices through a smartphone. Vehicle owners should check the security and privacy policies of the third-party device manufacturers and service providers, and they should not connect any unknown or untrusted devices to the OBD-II port.
Be careful when using USB devices that plug into the vehicle. Malware can enter the infotainment system through a USB stick. Since most vehicles do not have anti-virus programs, it is up to the user to make sure the stick is clean.
4. Be aware of who has physical access to your vehicle
In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecured location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle. Often an attacker will connect to the vehicle to find the key codes and identification information so a key can be cloned and the vehicle stolen at a later date.