When I bought a car back in February, one of the things I hadn’t realized until I sat down to read the owner’s manuals was that I was now in possession of a connected car.
As I went through the section about the entertainment system and the emergency help system, I realized that, among other things, my car had its own Verizon Wireless phone system built right in.
But this phone system wasn’t for me to make phone calls, except to the emergency operations center or to the company’s concierge service. It was mainly to allow the folks at the car company to communicate with my car. This meant that I could call a toll-free number and get my car unlocked.
But the connection went far beyond that. I could also connect to the Internet and get restaurant reviews and, then, automatically load the navigation information and get directions to the place.
I could get a call if the airbag ever went off so that the car company could send help. But if the car manufacturer could connect to my car, what if somebody else could do the same, and then unlock my car, roll down the windows or perhaps start the engine?
The risk of cyber-attacks on motor vehicles has reached the point where the Federal Bureau of Investigation (FBI) and the National Highway Transportation Safety Administration (NHTSA) have now issued a warning about the vulnerabilities associated with connected cars.
The two agencies released an announcement on March 17 calling the public’s attention to the risks involved and providing some suggestions on how we should protect ourselves.
In one sense, I’m lucky that I was too cheap to splurge on the automatic parking feature that interfaces the car’s computer with a series of sensors and with the steering, engine controls and brakes. Without that feature, a would-be hacker could roll down my windows, but at least they couldn’t take over my car and drive it. I think.
What I didn’t think about is that there’s yet another wireless interface that exists on some cars that could expose private information, without the car’s owner ever being aware of it.
That wireless interface is based on the On Board Diagnostics II port that’s built into every modern vehicle. While that port itself isn’t wireless, there are now a wide variety of third-party devices that can be plugged into that port and which may or may not have good security.
In the warning announcement, the agencies recommend exercising discretion when connecting third-party devices to your car. An example of such a device is the Hum car tracking device, which provides connected car services to vehicles that don’t otherwise have that capability.
Fortunately, the Hum device doesn’t have the ability to unlock or start your car, and a company representative told me that they do have security protections in place.
It’s Time to Pay Attention to Connected Car Cyber-Threats
But there are third-party devices available, including some provided by insurance companies, that may not be so well-protected.
“While in the past accessing automotive systems through this OBD-II port would typically require an attacker to be physically present in the vehicle, it may be possible for an attacker to indirectly connect to the vehicle by exploiting vulnerabilities in these aftermarket devices,” the FBI said in the warning document.
“Vehicle owners should check with the security and privacy policies of the third-party device manufacturers and service providers and they should not connect any unknown or un-trusted devices to the OBD-II port.”
Of course, there are other vulnerabilities that are better known, including the basic control software in today’s vehicles. That’s the software that was hacked last year when two security researchers took over the controls of a Jeep.
While that software has been patched since then, the report notes that keeping your car’s software up to date is critical. Likewise, modifying that software, as is done by some hobbyists and tuner shops, can introduce vulnerabilities that the vehicle manufacturer can’t foresee.
For its part, NHTSA has been working to stay abreast of the vehicle cyber-security issue for several years. “Applied to vehicles, cyber-security takes on an even more important role: systems and components that govern safety must be protected from malicious attacks, unauthorized access, damage, or anything else that might interfere with safety functions,” the agency said in a statement of the current status of vehicle security.
“For these reasons, vehicle cyber-security was never an afterthought for NHTSA,” the statement continued. “In exploring the potential of connected vehicles and other advanced technologies, NHTSA remained aware that cyber-security would be essential to the public acceptance of vehicle systems and to the safety technology they governed.”
The challenge in preventing exploits of vehicle computers is their very invisibility. Most cars made in the past decade have multiple computers linked by on-board local area networks.
Many of those networks have a gateway to the outside world, and unless it’s kept up to date, that gateway is vulnerable to hacking. Once hacked, the vehicle’s network is open to the world and whoever breaks in can have their way with it.
While some of us (like me) are too cheap to buy a completely connected car, and thus don’t have to worry about an actual take-over, most of us are in a position to have our private information, including where we went and when, stolen by a hacker. And since your car manufacturer can’t update your car remotely, unless you own a Tesla, you have to ask for that to be done when you take your car in for service.
Car dealers can update your software and it’s nearly always free, but don’t count on their suggesting it.