By Jim Gorzelany, FORBES
December 1, 2020
Though it’s still not a widespread issue, there remains a growing possibility that your car could be hacked by a cybercriminal in the not-too-distant future. A full 50 million connected vehicles were shipped last year and that number is expected to grow exponentially when 2020 figures are calculated.
According to the Federal Bureau of Investigation, any vehicle that can send or receive an electronic signal—whether it’s built-in Wi-Fi connectivity, Internet radio reception, or a keyless entry, ignition control, or tire pressure monitoring system—can be hacked by cybercriminals. The FBI says hackers have been able to use this electronic gateway to remotely disable the engine, brakes, and steering at low speeds, and operate other key systems at any speed.
In addition, hackers have found ways to tap into devices plugged into onboard diagnostic ports, car-based smartphone apps, and telematics systems like General Motors’ OnStar and FCA’s Uconnect.
A study recently conducted by the nonprofit group Consumer Watchdog indicates that many of today’s top-selling vehicles are especially vulnerable to hackers. That’s largely because they come with features that allow Internet connectivity to key safety systems that cannot be disabled. “The 2020 fleet is wired for remote start options that connect to safety critical systems wirelessly and leave these cars vulnerable to fleet wide hacks,” says Jamie Court, president of Consumer Watchdog. “The remote start capability is accessed through the same digital systems that control steering, acceleration, and braking — potentially giving hackers control over those as well.”
To demonstrate how vulnerable some models can be in this regard, Consumer Watchdog’s researchers created a box that enabled them to hack into a Tesla Model S. They were able to take over the vehicle’s command screen and send signals to it that mimicked messages that would otherwise come directly from the automaker. Once connected, the group says, it would be easy for a hacker to suggest that malware be downloaded into the system, potentially allowing the hacker to control or even sabotage the vehicle remotely.
As a result, the group concluded that Teslas are currently “the world’s most hackable cars.” Consumer Watchdog also looked at some of the most popular new cars, trucks, and SUVs and determined that each of them could potentially be susceptible to a large-scale cyber-attack, given their wireless connectivity systems and remote-start capabilities. These include:
- Ford F-150
- Dodge Ram 1500
- Chevrolet Silverado
- Toyota RAV4
- Honda CR-V
- Nissan Rogue
- Chevrolet Equinox
- Toyota Camry
- Honda Civic
- Toyota Corolla
If you own a late-model vehicle with built-in connectivity, security experts suggest making sure the vehicle’s software is up to date. Automakers often provide links on their websites that enable owners to download the software onto flash drives that would be connected to a vehicle’s USB port for uploading. Sometimes such updates can be loaded onto SD memory cards for updating via the vehicle’s navigation system.
But never install entertainment software or diagnostic devices in the car that do not come from the manufacturer. Beware of “spoofed” emails with links to software updates that look like they may come from an automaker, but are in fact sent by criminals. What you’ll download instead would be malware.
You should be especially wary of installing an aftermarket device into your car’s onboard diagnostic (OBD) port. That’s because the interface can be used as a gateway for hackers to illegally obtain data or otherwise manipulate the vehicle’s functions.
For its part, the FBI says vehicle owners should check the security and privacy policies of a device’s manufacturer and service provider before installing any third-party device to the OBD connection. Never connect an unknown or untrusted device, and only purchase devices from reputable sources. Be especially wary of those sold secondhand or via an Internet classified listing service.