Go to top of page

Internet connected cars increasingly vulnerable to hacking attacks

Priority Level: 
Moderate
21 March 2016

Consumers should be aware that newer motor vehicles may be vulnerable to remote attacks by criminals, according to a public service announcement issued last week in the United States.

These vehicles typically feature connected technologies designed to improve safety, fuel economy and convenience, and may incorporate 'aftermarket' devices to monitor car performance. However, this increased connectivity may present new opportunities for criminals to access sensitive data and systems.

The US Federal Bureau of Investigation, the Department of Transportation and the National Highway Traffic Safety Administration warned that consumers should take 'appropriate steps' to 'minimise the risk' of criminals gaining access to vehicle systems to retrieve data or manipulate vehicle functionality.

The move follows a voluntary safety recall in the US in 2015 of 1.4 million Fiat Chrysler automobiles to apply security measures after security researchers reportedly found a vulnerability that allowed them to access the cars' internal systems.

In 2014, Queensland University of Technology Professor Andry Rakotonirainy warned of the risk of hacking of autonomous, or self-driving, and internet connected cars. 'The security protection on cars is virtually non-existent, it is at a level of protection that a desktop computer system had in the 1980s, the basic security requirements such as authentication, confidentiality and integrity are not strong,' he said.

According to the US agencies, criminals may attack vehicle systems through vulnerabilities in wireless communications systems, mobile devices such as mobile phones connected to a vehicle through USB, Bluetooth or WiFi, or within a third-party device connected through a vehicle's diagnostic port.

Electronic control units that manage functions including steering, braking and acceleration, plus vehicle components with wireless capability, such as tyre pressure monitors, ignition control and entertainment systems, are among the systems potentially accessible to attackers.

Staying safe

The announcement advises consumers to remain aware of the latest recalls and updates involving their motor vehicles (including any actions undertaken in response to security problems). Motor vehicle manufacturers also typically notify vehicle owners of issues and remedies.

Consumers should also ensure their vehicle software is up to date, including verifying the authenticity of update notifications from vehicle manufacturers.

'As a note of caution, if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method,' the announcement advises. 'A criminal could send socially engineered e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious websites or opening attachments containing malicious software.'

Owners should also be aware that making unauthorised modifications to vehicle software can introduce vulnerabilities that can be exploited by an attacker, the advisory warns. They should also maintain awareness and exercise discretion with connecting third-party devices to their vehicles. Further, they should be aware of the people who have physical access to their vehicles.

Stay Smart Online recommends owners of modern motor vehicles in Australia follow this advice and contact your car dealer or manufacturer with any questions or concerns.

More information

The MyNRMA service has an article about how hackers can track down and control a car.

More information about online safety is available on the Stay Smart Online website.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.