It's Time to Pay Attention to Connected Car Cyber-Threats
But there are third-party devices available, including some provided by insurance companies, that may not be so well-protected. "While in the past accessing automotive systems through this OBD-II port would typically require an attacker to be physically present in the vehicle, it may be possible for an attacker to indirectly connect to the vehicle by exploiting vulnerabilities in these aftermarket devices," the FBI said in the warning document. "Vehicle owners should check with the security and privacy policies of the third-party device manufacturers and service providers and they should not connect any unknown or un-trusted devices to the OBD-II port." Of course, there are other vulnerabilities that are better known, including the basic control software in today's vehicles. That's the software that was hacked last year when two security researchers took over the controls of a Jeep.For its part, NHTSA has been working to stay abreast of the vehicle cyber-security issue for several years. "Applied to vehicles, cyber-security takes on an even more important role: systems and components that govern safety must be protected from malicious attacks, unauthorized access, damage, or anything else that might interfere with safety functions," the agency said in a statement of the current status of vehicle security. "For these reasons, vehicle cyber-security was never an afterthought for NHTSA," the statement continued. "In exploring the potential of connected vehicles and other advanced technologies, NHTSA remained aware that cyber-security would be essential to the public acceptance of vehicle systems and to the safety technology they governed." The challenge to preventing exploits of vehicle computers is their very invisibility. Most cars made in the past decade have multiple computers linked by on-board local area networks. Many of those networks have a gateway to the outside world, and unless it's kept up to date, that gateway is vulnerable to hacking. Once hacked, the vehicle's network is open to the world and whoever breaks in can have their way with it. While some of us (like me) are too cheap to buy a completely connected car, and thus don't have to worry about an actual take-over, most of us are in a position to have our private information, including where we went and when, stolen by a hacker. And since your car manufacturer can't update you remotely, unless you own a Tesla, you have to ask for that to be done when you take your car in for service. Car dealers can update your software and it's nearly always free, but don't count on their suggesting it.
While that software has been patched since then, the report notes that keeping your car's software up to date is critical. Likewise, modifying that software as is done by some hobbyists and tuner shops, can introduce vulnerabilities that the vehicle manufacturer can't foresee.