In-brief: eight months after security researchers demonstrated a remote, software-based attack against a Fiat-Chrysler Jeep Cherokee, the FBI has issued an advisory addressing software-based risks to vehicles. But the Bureau has few fixes for the problem.
Eight months after security researchers demonstrated a remote, software-based attack against a Fiat-Chrysler Jeep Cherokee, the FBI has issued an advisory addressing software-based risks to vehicles. But the agency has few fixes for the problem, and connected vehicle technology is set to take off.
The advisory, dated March 17 and titled “Motor Vehicles Increasingly Vulnerable to Remote Exploits,” cites the research conducted by Chris Valasek and Charlie Miller and demonstrated at the Black Hat Briefings in August. While the vulnerabilities the two discovered have been patched, it is important that “consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future,” the FBI said.
In its advisory, the FBI warns consumers to be attentive to vehicle recalls tied to software vulnerabilities, such as the update Fiat Chrysler distributed following the hack of its UConnect wireless technology. The company eventually recalled 1.4 million vehicles to address the software holes, which were deemed a threat to public safety. Owners of affected vehicles could have the patched software installed at a dealer, or apply it themselves from a USB thumb drive that the company shipped to them.
The FBI said that consumers increasingly need to be attentive to such recalls, maintaining “awareness of the latest recalls and updates affecting their motor vehicles.” The FBI points consumers to safercar.gov, a web site of the National Highway Traffic Safety Administration (NHTSA) where vehicle owners can enter the Vehicle Identification Number (VIN) of their car to see whether any recalls apply to it.
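A recall lookup is only as good as the VIN typed into it, and a mistyped VIN silently returns the recall status of some other vehicle (or nothing at all). North American VINs carry a check digit in position 9 that catches most single-character typos before the lookup is made. The validator below is an added example written for this article; it is not code from the FBI, NHTSA or safercar.gov, and it assumes the standard 17-character North American check-digit scheme (vehicles built for other markets do not always compute the check digit, so a mismatch there is a warning rather than proof of a typo). The sample VINs in the test are constructed illustrative values, not real vehicles.

```python
from typing import Tuple

# VIN check-digit validation, North American scheme (49 CFR 565).
# Added example for this article; not code from the FBI advisory or NHTSA.

# Letter-to-number transliteration. I, O and Q are never used in a VIN
# because they are too easily confused with 1 and 0.
TRANSLITERATION = {
    **{str(d): d for d in range(10)},
    "A": 1, "B": 2, "C": 3, "D": 4, "E": 5, "F": 6, "G": 7, "H": 8,
    "J": 1, "K": 2, "L": 3, "M": 4, "N": 5, "P": 7, "R": 9,
    "S": 2, "T": 3, "U": 4, "V": 5, "W": 6, "X": 7, "Y": 8, "Z": 9,
}

# Positional weights; position 9 (index 8) is the check digit itself and
# is weighted 0 so it does not contribute to its own computation.
WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def compute_check_digit(vin: str) -> str:
    """Return the expected check character for a 17-character VIN."""
    total = sum(TRANSLITERATION[c] * w for c, w in zip(vin, WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def validate_vin(raw: str) -> Tuple[bool, str]:
    """Normalise user input and check length, alphabet and check digit.

    Returns (ok, reason). A False result means the string should not be
    submitted to a recall lookup as-is.
    """
    vin = raw.strip().upper()
    if len(vin) != 17:
        return False, f"VIN must be 17 characters, got {len(vin)}"
    bad = [c for c in vin if c not in TRANSLITERATION]
    if bad:
        return False, f"illegal characters (I, O, Q are never used): {bad}"
    expected = compute_check_digit(vin)
    if vin[8] != expected:
        return False, (f"check digit mismatch: position 9 is {vin[8]!r}, "
                       f"expected {expected!r}")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed VIN and three typical typos.
    for sample in ("1M8GDM9AXKP042788",   # valid
                   "1M8GDM9A1KP042788",   # wrong check digit
                   "1M8GDM9AXKP04278",    # one character short
                   "1m8gdm9axkp0427o8"):  # lower case plus an 'O'
        print(sample, validate_vin(sample))
```

The check digit is a weighted sum modulo 11, so it catches any single-character substitution and most transpositions, but it is not a security control: an attacker can trivially construct a VIN that passes. Its value here is purely to stop a fat-fingered lookup from reporting “no recalls” for the wrong car.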
Additionally, third-party aftermarket devices with Internet or cellular access that plug into a vehicle's diagnostic port can also introduce wireless vulnerabilities, the Bureau warned.
The problem, of course, is that consumers have almost no ability to stop vehicle attacks in real time. As it stands, vehicles ship with no built-in defenses against hacking or malicious software, though such products are in the works.
Beyond that, hardly any vehicles currently on the road support over-the-air (OTA) software updates, which would make distributing and installing patched vehicle firmware straightforward. (The exceptions are high-end vehicles from Tesla, BMW and a few others.) Patching and updating vehicle software remains largely the province of licensed automobile dealers.
Dealers are a fine platform for servicing mechanical issues or addressing non-critical (and slow-moving) software issues, but they are not perfect. Craig Smith of OpenGarages this week demonstrated how the diagnostic equipment used to service vehicles in dealerships could be abused to spread malware to every vehicle it touches.
Smith has developed proof-of-concept code that could jump from an infected car (Patient 0) to the repair shop computers used for diagnosis, and from there to other cars serviced by the now-infected diagnostic equipment.
“These (mechanics') tools have the codes to read and write firmware, and if it is compromised by a malicious car it can modify the firmware of other cars that come in afterwards,” Smith told the web site The Register this week.
Even if they are not spreading infections to their patients, the dealership model is ill-suited to fast-moving, Internet-based attacks that could affect thousands of vehicles in a given region at once. Such attacks aren't practical yet, but could be only years off, especially if aftermarket products that connect “dumb” vehicles catch on.
In fact, car owners have – for years – been actively discouraged from tinkering with even peripheral components of their vehicles for fear of “voiding the warranty.” That may be a significant hurdle in getting owners to take responsibility for the security of their own vehicles.
Finally, the FBI's warning about aftermarket products for vehicles is an empty one. Unlike the medical device field, where the Food and Drug Administration has the power to allow or block products from being sold, no regulator vets third-party vehicle software for safety, security or privacy protections. Consumers might eventually learn of a balky or compromised aftermarket product, but it is almost certain that such products will hit store shelves without any quality or security review, at least as regards information security.
Changes are afoot. The NHTSA is funding research into securing software updates to vehicles. Lawmakers have also proposed outlawing “vehicle hacking,” though security experts broadly agree that doing so would not stop individuals from trying to break the security of connected vehicles, and would just drive the work underground.