Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/18/2016
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Feds Urge Caution On Aftermarket Devices That Plug Into Vehicle Diagnostic Ports

Vulnerabilities in such products could give attackers a way to access and control critical vehicle systems, the FBI, DOT, and NHTSA warn.

Most of us are unlikely to consider that connecting a cell phone via USB to our cars or sticking an aftermarket remote starter in the diagnostic port under the steering wheel could pose a threat to privacy and safety. Turns out it may be time to start thinking about it.

The same technologies that are making vehicles increasingly smarter and more connected are also opening them to new threats, the FBI, the Department of Transportation, and the National Highway Traffic Safety Administration said in a somewhat unusual public service announcement Thursday.

The alert highlights several concerns that have been aired previously about attacks that allow malicious hackers to gain remote control over vehicle functions by exploiting weaknesses in wireless communications technologies. Not all of the security issues pose a threat to driver safety – some flaws, for instance, expose vehicle and driver data to theft, the FBI and others said.

One example it points to is a demonstration last year where security researchers showed how they could exploit a Jeep Wrangler’s cellular connectivity and an optionally enabled Wi-Fi hotspot communication to remotely control the vehicle’s steering, braking, door locks, ignition, and other functions. The demonstration resulted in Fiat Chrysler recalling some 1.5 million vehicles to mitigate the vulnerability.

What’s interesting about the alert is its focus on aftermarket vehicle technologies as posing a potential threat to vehicle owners.

Vulnerabilities can exist not just in a vehicle’s communications functions but also in third-party aftermarket devices that connect to the vehicle’s Onboard Diagnostics port (OBD-II), the FBI warned.

All cars manufactured since 1996 have a standard Onboard Diagnostic Port (OBD-II) that allows service technicians and others a quick way to access information on the status of various vehicle systems and to enable emissions tests.

Recently, there has been a significant increase in the number of aftermarket products that can be plugged directly into the ODB-II port, the alert said. As one example it pointed to the dongles that some insurance companies have been issuing to drivers for monitoring their driving habits in exchange for a potential discount on premiums.

But there are a slew of other products as well, including remote starters, infotainment systems, engine and vehicle performance monitoring gadgets, and fleet maintenance technologies. A Frost & Sullivan analyst, writing in Searchautoparts.com last year, predicted that the size of the market for such products would reach around $1 billion by 2020.

Many of the products are wireless-enabled and can be accessed and managed via smartphones and tablets. Drivers, for instance, can use their smartphones to control the remote-starter or infotainment system plugged into the diagnostic port or to receive information like tire pressure and engine performance warning from OBD-II enabled telematics systems.

This means that a malicious hacker no longer needs physical access to the OBD-II port in order to have potential access to the various electronic control units in vehicles, including those controlling acceleration, braking and steering, the FBI alert warned.

Third-party devices connected to the vehicle via the OBD port can introduce vulnerabilities by enabling connectivity where none existed previously, it said. “While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which adversaries may be able to remotely attack the vehicle controls and systems,” the alert said.

The recommendations that the FBI has for mitigating vehicle cybersecurity risks are similar to its recommendations for protecting computers against malware and other threats. For instance, it wants vehicle owners to always install any software updates that the manufacturer issues, but to make sure to verify the authentication of the update before installing it. Customers of car manufacturers that issue regular updates online need to watch out for phishing scams and other social engineering tricks where attackers try to get vehicle owners to install malware on their vehicles.

The alert urged vehicle owners to verify all recall notices by checking on the manufacturer’s website. It also urged drivers to avoid downloading software from third-party websites and to ensure that all downloads are made on a trusted USB or storage device before transferring it to the vehicle.

Making modifications to software that have not been recommended by the vehicle manufacturer is generally a bad idea because it could introduce safety and security risks, the FBI and others said.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
geeksquadsupport
50%
50%
geeksquadsupport,
User Rank: Apprentice
5/29/2018 | 8:22:13 AM
Blogs to write
At present reading and posting, blogs are very common and are trending. These sites are very helpful to learn our own blogs and tips. for more visit 

https://geeksquadtechsupport.co/
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.