Tuesday, August 11, 2015

Hackers Cut Brakes Via a Common Car Gadget

CAR HACKING DEMOS like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.
At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
In the video the researchers demonstrate their proof-of-concept attacks on a 2013 Corvette, messing with its windshield wipers and both activating and cutting its brakes. Though the researchers say their Corvette brake tricks only worked at low speeds due to limitations in the automated computer functions of the vehicle, they say they could have easily adapted their attack for practically any other modern vehicle and hijacked other critical components like locks, steering or transmission, too.
The device that the UCSD researchers exploited for those attacks was a so-called OBD2 dongle built by the France-based firm Mobile Devices, but distributed by corporate customers like the San Francisco-based insurance startup Metromile. Metromile, the only one of those corporate distributors whose devices the researchers fully analyzed, is an insurance company that gives its customers the cellular-enabled devices, branded as the Metromile Pulse, to plug into a port on their dashboards as a means of tracking cars and charging drivers on a per-mile basis. The company has even partnered with Uber to offer the devices to its contract drivers as part of a discount insurance program.
The UCSD researchers say they first contacted Metromile about the dongle’s vulnerability in June, and the insurance firm tells WIRED it responded with a security patch delivered wirelessly to the Internet-connected gadgets. “We took this very seriously as soon as we found out,” Metromile CEO Dan Preston said in a phone interview. “Patches have been sent to all the devices.” Preston says the security update was created by Mobile Devices, and Metromile then transmitted it over the air to customers.
Uber also says its drivers’ Metromile gadgets have been updated and are no longer vulnerable. “No drivers reported any problems related to this issue prior to the fix, and we are not aware of any remaining exposure,” an Uber spokesperson wrote in an email.

Thursday, June 18, 2015

Agency encourages vehicle owners to check their VIN number on website

NHTSA 33-15
Wednesday, June 17, 2015
Contact: Gordon Trowbridge, 202-366-9550, Public.Affairs@dot.gov




WASHINGTON – The U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) announced today that all vehicle identification numbers affected by the massive Takata air bag recall are loaded into the agency’s search system. The recall involves 11 auto manufacturers and roughly 34 million vehicles.
“An informed consumer is one of our strongest allies in ensuring recalled vehicles are repaired,” said U.S. Transportation Secretary Anthony Foxx. “NHTSA’s VIN search tool at safercar.gov makes it easy for consumers to check if their vehicle is affected by the recall, and to take action in getting the air bags replaced.”
Last month Takata announced a national recall of certain types of driver and passenger side air bag inflators. These inflators were made with a propellant that can degrade over time and has led to ruptures that have been blamed for seven deaths and more than 100 injuries worldwide. The recall is one of the largest and most complex product recalls in history.
“As this recall progresses, NHTSA will organize and prioritize the replacement of the defective air bag inflators to ensure that defective inflators are replaced with safe ones as quickly as possible,” said NHTSA Administrator Mark Rosekind.
The agency has established a new website, SaferCar.gov/RecallsSpotlight, to provide regular updates on the status of this and other recalls of high interest.
Below are additional tools and tips from the nation’s auto safety agency:
  • Register Your Cars, Tires and Car Seats: Receive NHTSA email notifications when the manufacturer files the recall with the federal government. There is no way to locate or notify individual owners of car seats or tires if the product is not registered with the manufacturer or NHTSA.
  • Receive recall alerts on Apple devices, Android devices, or Email.
  • Check NHTSA’s New Car Assessment Program (NCAP) 5-Star Ratings System when considering purchasing a new or used vehicle.

Monday, May 11, 2015

Self-Driving Cars Are Already Getting Into Accidents


Self-driving cars have been hailed as The Next Great Solution for Not Getting Killed, and autonomous vehicles could potentially drastically reduce accidents by minimizing opportunities for human error. Someday. As of now, 8% of the self-driving cars on the road in California have been in collisions.
Four out of the roughly 50 unmanned cars driving around California have been in accidents since receiving permits to test in September. Three of the cars were Lexus SUVs, part of Google’s self-driving car program, and one was a testing car from Delphi, another autonomous car maker.
Two accidents happened while the cars were in control; in the other two, the person who still must be behind the wheel was driving, a person familiar with the accident reports told The Associated Press.
So far, the accident rate looks high compared with regular old dumb cars, as the Chicago Tribune pointed out.
The national rate for reported “property-damage-only crashes” is about 0.3 per 100,000 miles driven, according to data from the National Highway Traffic Safety Administration.
In that context, Google’s three in about 140,000 miles may seem high.
Uh, yeah.
The concept of self-driving cars heralding an era of safer transportation only works if the cars can drive better than people. Now, none of these accidents were serious, and of course there will be kinks that need to be worked out while self-driving vehicles are in testing mode. And, as Google told reporters, the disparity between its crash record and the national average may be smaller than it looks, since lots of people don’t report minor collisions.
Still, 4 out of 50 cars getting into accidents is an unsettlingly high percentage, and it underscores how patchy automated car technology still is, especially when these futuristic vehicles are driving around our imperfect streets.

Tuesday, March 24, 2015

BMW Settles FTC Charges that Its MINI Division Illegally Conditioned Warranty Coverage on Use of Its Parts and Service

March 19, 2015

BMW of North America LLC has agreed to settle Federal Trade Commission charges that its MINI Division violated the Magnuson-Moss Warranty Act by telling consumers that BMW would void their warranty unless they used MINI parts and MINI dealers to perform maintenance and repair work.
In an administrative complaint, the FTC alleged that BMW, through its MINI Division, violated a provision in the Warranty Act that prohibits companies from requiring that consumers – in order to maintain their warranties – use specific brands of parts or specified service centers (unless the part or service is provided to the consumer without charge).
“It’s against the law for a dealer to refuse to honor a warranty just because someone else did maintenance or repairs on the car,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “As a result of this order, BMW will change its practices and give MINI owners information about their rights.”
The proposed order settling the FTC’s complaint prohibits BMW from violating the Warranty Act and the FTC Act in connection with any MINI Division good or service. The settlement also:
  • bars BMW, in connection with the sale of any MINI Division good or service, from representing that, to ensure a vehicle’s safe operation or maintain its value, owners must have routine maintenance performed only by MINI dealers or MINI centers, unless the representation is true and BMW can substantiate it with reliable scientific evidence; and
  • requires BMW to provide affected MINI owners with information about their right to use third-party parts and service without voiding warranty coverage, unless BMW provides such parts or services for free.

Monday, February 9, 2015

Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk

The newest models of connected cars come with everything from built-in navigation and entertainment systems to roadside assistance. While these features might make life behind the wheel a little easier, a new report found that not enough has been done to adequately protect those components from hackers.
The Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report [PDF], released by Massachusetts Senator Ed Markey, is based on the responses of 16 major automakers about how vehicles may be vulnerable to hackers, and how driver information is collected and protected.
“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the report states.
The manufacturers participating in the report include BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were sent to Aston Martin, Lamborghini and Tesla, none of which responded.
According to the report, today’s cars and light trucks contain more than 50 separate electronic control units connected through a controller area network or other network. Vehicle functionality, safety and privacy all depend on the functions of these units, as well as their ability to communicate with one another.
Although such technological features can prove helpful to consumers, past tests conducted by manufacturers and industry groups have found the features also create vulnerabilities to hacking attacks that could be used to modify the operation of a vehicle.
Last year, in a Defense Department-funded test on a 2012 model American-made car, hackers demonstrated they could create the electronic equivalent of a skeleton key to unlock the car’s networks.
Markey’s report found that nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusion.
While most companies were unaware of, or unable to report on, any past hacking incidents, the report found that security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
Security experts consulted for the report say that hackers could get around most security protections currently cited by manufacturers.
In fact, only two automakers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.
Markey’s report also raised concerns about privacy, noting that automakers collect and use large amounts of driving data.
“Such information-gathering abilities can be used by automobile manufacturers to provide customized service and improve customer experiences, but in the wrong hands such information could also be used maliciously,” the report states.
The report found that most often customers are “not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features.”
Manufacturers reported using such personal vehicle data in various ways, often vaguely to “improve the customer experience.”
A majority of manufacturers reported storing driver data with third-parties.
Twelve manufacturers reported they stored driving history information in some of their vehicles, depending on the features the vehicle is equipped with. Of those manufacturers, eight said they transmit and store data in a server off-board the vehicle.
According to the report, these findings reveal that a majority of automakers transmit data to third parties. Additionally, most manufacturers did not describe effective means to secure the information.
While 19 auto manufacturers agreed to a voluntary set of privacy principles in an attempt to address some privacy concerns last fall, the report suggests those measures aren’t enough.
“These principles send a meaningful message that automobile manufacturers are committed to protecting consumer privacy,” the report states. “However, the impact of these principles depends in part on how manufacturers interpret them, because the specific ways transparency will be achieved are unclear and may not be noticed by the consumer, the provisions regarding choice for the consumer only addressed data sharing and do not refer to data collection in the first place, and the guidelines for data use, security, and accountability largely leave these matters to the discretion of the manufacturers.”
To ensure consumer data and vehicles are thoroughly safeguarded, Markey called on the National Highway Traffic Safety Administration and the Federal Trade Commission to create new standards to protect consumer data, security and privacy of drivers.
Such standards should:
• Ensure that vehicles with wireless access points and data-collection features are protected against hacking events and security breaches;
• Validate security systems using penetration testing;
• Include measures to respond in real-time to hacking events;
• Require that drivers are made explicitly aware of data collection, transmission and use;
• Ensure that drivers are given the option to opt out of data collection and transfer of driver information to off-board storage;
• Require removal of personally identifiable information prior to transmission, when possible and upon consumer request.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Markey, a member of the Commerce, Science and Transportation Committee, said in a statement. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”