The FBI and US National Highway Traffic Safety Administration (NHTSA) issued a bulletin on Thursday warning that motor vehicles are “increasingly vulnerable” to hacking.
“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the agencies said in the bulletin.
In July 2015, Fiat Chrysler Automobiles NV recalled 1.4 million US vehicles to install software after a magazine report raised concerns about hacking, the first action of its kind for the auto industry.
Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors.
In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers.
“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the FBI bulletin said Thursday.
NHTSA Administrator Mark Rosekind told reporters in July 2015 that automakers must move fast to address hacking issues.
The Fiat Chrysler recall came after Wired magazine reported hackers could remotely take control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes. NHTSA has said there has never been a real-world example of a hacker taking control of a vehicle.
Two major US auto trade associations – the Alliance of Automobile Manufacturers and Association of Global Automakers – late last year opened an Information Sharing and Analysis Center. The groups share cyber-threat information and potential vulnerabilities in vehicles.
The FBI bulletin Thursday warned that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software.”