Ransomware for cars? FBI warns of malicious product recall alerts

  • Liam Tung (CSO Online)
  • 18 March, 2016 08:52

The next malicious attachment in your inbox might not be targeting your computer but your car via a rigged recall notice, the U.S. Federal Bureau of Investigation (FBI) has warned.

Malware-laced attachments have long been used by attackers as a means to capture credentials for a victim’s bank account or, in the case of ransomware, to encrypt the victim’s data and demand a payment of several hundred dollars to restore access.

But, with networked vehicles becoming mainstream and autonomous vehicles on the horizon, the Federal Bureau of Investigation (FBI) sees potential for criminals to exploit security and product recall notifications sent by car manufacturers.

The difference to today’s threats is that malware could just as easily target a computer or a vehicle it connects with in much the same way that a smartphone can be compromised via malware on the desktop.

“A criminal could send socially engineered e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software (malware),” the FBI said in a public service announcement (PSA).

“The malware could be designed to install on the owner’s computer, or be contained in the vehicle software update file, so as to be introduced into the owner’s vehicle when the owner attempts to apply the update via USB. Additionally, an attacker could attempt to mail vehicle owners USB drives containing a malicious version of a vehicle’s software.”

Other agencies worried about remote car hacking include the PSA's co-authors, the Department of Transportation and the National Highway Traffic Safety Administration. All three are concerned that attacks on PCs and smartphones will migrate to the vehicle segment of the Internet of Things (IoT).

Newer car makers such as Tesla offer over-the-air (OTA) updates for their vehicles, but traditional manufacturers, such as Ford, still deliver updates for some cars via USB drives.

USB attacks on cars would be novel, but it’s not a stretch to imagine methods used to compromise computers will be tweaked to infect computerised cars.

The FBI prefaced the alert with details of research from last year that demonstrated a remote attack on a Jeep model where core controls, such as the brakes, were commandeered from miles away by exploiting the vehicle’s electronic control unit (ECU). It fears security scares like these that result in product recalls could be used to exploit other vehicles.

The vehicle equivalent of browser media-player plugins could also shape up to be a problem for car security in future.

“Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities,” the FBI said.

The malware warning comes amid a push by driverless car makers, including Google, for US lawmakers to create federal rules in the hope of accelerating the market for autonomous vehicles.
