Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/18/2016
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Feds Urge Caution On Aftermarket Devices That Plug Into Vehicle Diagnostic Ports

Vulnerabilities in such products could give attackers a way to access and control critical vehicle systems, the FBI, DOT, and NHTSA warn.

Most of us are unlikely to consider that connecting a cell phone via USB to our cars or sticking an aftermarket remote starter in the diagnostic port under the steering wheel could pose a threat to privacy and safety. Turns out it may be time to start thinking about it.

The same technologies that are making vehicles increasingly smarter and more connected are also opening them to new threats, the FBI, the Department of Transportation, and the National Highway Traffic Safety Administration said in a somewhat unusual public service announcement Thursday.

The alert highlights several concerns that have been aired previously about attacks that allow malicious hackers to gain remote control over vehicle functions by exploiting weaknesses in wireless communications technologies. Not all of the security issues pose a threat to driver safety – some flaws, for instance, expose vehicle and driver data to theft, the FBI and others said.

One example it points to is a demonstration last year where security researchers showed how they could exploit a Jeep Wrangler’s cellular connectivity and an optionally enabled Wi-Fi hotspot communication to remotely control the vehicle’s steering, braking, door locks, ignition, and other functions. The demonstration resulted in Fiat Chrysler recalling some 1.5 million vehicles to mitigate the vulnerability.

What’s interesting about the alert is its focus on aftermarket vehicle technologies as posing a potential threat to vehicle owners.

Vulnerabilities can exist not just in a vehicle’s communications functions but also in third-party aftermarket devices that connect to the vehicle’s Onboard Diagnostics port (OBD-II), the FBI warned.

All cars manufactured since 1996 have a standard Onboard Diagnostic Port (OBD-II) that allows service technicians and others a quick way to access information on the status of various vehicle systems and to enable emissions tests.

Recently, there has been a significant increase in the number of aftermarket products that can be plugged directly into the ODB-II port, the alert said. As one example it pointed to the dongles that some insurance companies have been issuing to drivers for monitoring their driving habits in exchange for a potential discount on premiums.

But there are a slew of other products as well, including remote starters, infotainment systems, engine and vehicle performance monitoring gadgets, and fleet maintenance technologies. A Frost & Sullivan analyst, writing in Searchautoparts.com last year, predicted that the size of the market for such products would reach around $1 billion by 2020.

Many of the products are wireless-enabled and can be accessed and managed via smartphones and tablets. Drivers, for instance, can use their smartphones to control the remote-starter or infotainment system plugged into the diagnostic port or to receive information like tire pressure and engine performance warning from OBD-II enabled telematics systems.

This means that a malicious hacker no longer needs physical access to the OBD-II port in order to have potential access to the various electronic control units in vehicles, including those controlling acceleration, braking and steering, the FBI alert warned.

Third-party devices connected to the vehicle via the OBD port can introduce vulnerabilities by enabling connectivity where none existed previously, it said. “While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems,” the alert said.

The recommendations that the FBI has for mitigating vehicle cybersecurity risks are similar to its recommendations for protecting computers against malware and other threats. For instance, it wants vehicle owners to always install any software updates that the manufacturer issues, but to make sure to verify the authentication of the update before installing it. Customers of car manufacturers that issue regular updates online need to watch out for phishing scams and other social engineering tricks where attackers try to get vehicle owners to install malware on their vehicles.

The alert urged vehicle owners to verify all recall notices by checking on the manufacturer’s website. It also urged drivers to avoid downloading software from third-party websites and to ensure that all downloads are made on a trusted USB or storage device before transferring it to the vehicle.

Making modifications to software that have not been recommended by the vehicle manufacturer is generally a bad idea because it could introduce safety and security risks, the FBI and others said.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
geeksquadsupport
50%
50%
geeksquadsupport,
User Rank: Apprentice
5/29/2018 | 8:22:13 AM
Blogs to write
At present reading and posting, blogs are very common and are trending. These sites are very helpful to learn our own blogs and tips. for more visit 

https://geeksquadtechsupport.co/
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...