Fast and vulnerable: Corvette hacked by SMS text
Researchers from the University of California have developed a new method to hack cars. By hacking into an insurance black box, the team gained control of the brakes and windscreen wipers of a 2013 Chevrolet Corvette using SMS text messages. Researchers say the method can be adapted to access other systems such as transmission, steering and locks.
The researchers will show findings from their paper “Fast and Vulnerable: A Story of Telematic Failures” at the USENIX security conference in Washington.
“We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle,” the report says.
How did they do it?
Unlike the recent Jeep Cherokee hack by Charlie Miller and Chris Valasek, this new method of hacking isn’t manufacturer-specific. Instead, it relies on the presence of a device normally used to increase the safety of cars.
Researchers targeted a third-party data recorder – typically used to store driving inputs for insurance purposes – and used it as a gateway for the car’s more critical systems. Usually plugged into the dashboard, black-box systems or OBD2 dongles are used by truck fleets, Uber and many more companies to monitor the behaviour of drivers.
However, their need to log data such as braking, speed and location means they must be embedded into a vehicle’s CAN – or internal network – and therefore provide a “soft” access point for hackers.
“We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies,” Stefan Savage, computer security professor at the University of California at San Diego, told Wired. According to the professor, the dongles “provide multiple ways to remotely… control just about anything on the vehicle they were connected to”.
Once they had gained access to the car’s main systems, the team were able to wirelessly control the car using specifically designed SMS text messages.
The hack focused on a component made by a French company called Mobile Devices, which is used by companies such as the US-based insurance firm Metromile, Uber and many more.
After the hack, researchers contacted Metromile, who distributed a security update made by Mobile Devices over the air. “We took this very seriously as soon as we found out,” Metromile CEO Dan Preston told Wired. “Patches have been sent to all the devices.”
Uber also updated their software without any issues, but the security researchers say that similar, vulnerable models of the black box are still being used unpatched.
A growing problem
The original hack may have been patched, but it’s a worrying sign of just how large the car hacking problem could become.
OEMs such as Fiat Chrysler have already demonstrated the hacking risk carried by integrated car systems, and the latest hack shows that third-party devices such as data loggers could be an even easier, more widespread target.
As it stands, devices like those used in the hacking aren’t subject to any safety regulations, making them an easy target for any malicious hacker.
More and more insurance companies are encouraging their customers to use data loggers, and that means there are already millions of possibly vulnerable cars on the road.
“Given that we’ve seen a complete remote exploit, and these things aren’t regulated in any way, and their use is growing,” UCSD’s Professor Savage told Wired. “I think it’s a fair assessment that yes, there will be problems elsewhere.”