CAR HACKING DEMOS like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.
At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
In the video, the researchers demonstrate their proof-of-concept attacks on a 2013 Corvette, messing with its windshield wipers and both activating and cutting its brakes. Though the researchers say their Corvette brake tricks only worked at low speeds due to limitations in the automated computer functions of the vehicle, they say they could have easily adapted their attack for practically any other modern vehicle and hijacked other critical components like locks, steering or transmission, too.
The device that the UCSD researchers exploited for those attacks was a so-called OBD2 dongle built by the France-based firm Mobile Devices, but distributed by corporate customers like the San Francisco-based insurance startup Metromile. Metromile, the only one of those corporate distributors whose devices the researchers fully analyzed, is an insurance company that gives its customers the cellular-enabled devices, branded as the Metromile Pulse, to plug into a port on their dashboards as a means of tracking cars and charging drivers on a per-mile basis. The company has even partnered with Uber to offer the devices to its contract drivers as part of a discount insurance program.
The UCSD researchers say they first contacted Metromile about the dongle’s vulnerability in June, and the insurance firm tells WIRED it responded with a security patch delivered wirelessly to the internet-connected gadgets. “We took this very seriously as soon as we found out,” Metromile CEO Dan Preston said in a phone interview. “Patches have been sent to all the devices.” Preston says the security update was created by Mobile Devices, and Metromile then transmitted it over the air to customers.
Uber also says its drivers’ Metromile gadgets have been updated and are no longer vulnerable. “No drivers reported any problems related to this issue prior to the fix, and we are not aware of any remaining exposure,” an Uber spokesperson wrote in an email.