A group of UCSD security researchers recently demonstrated a method of remotely triggering and disabling the brakes on a 2013 Chevrolet Corvette via text message, Wired reports.
The vulnerability lies in an OBD2 dongle from Mobile Devices. It’s used by companies including the insurance provider Metromile, which provides customers with the dongle, branded as the Metromile Pulse, to track their mileage.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” USCD professor Stefan Savage told Wired.
The researchers, Savage said, found that the dongles enabled them to remotely “control just about anything on the vehicle they were connected to.”
A YouTube video shows the UCSD researchers turning the Corvette’s wipers on and off, and activating and disabling the brakes while the car is moving.
The researchers told Wired the attack could be adapted for just about any modern vehicle, and could also target other components such as locks, steering or transmission. “It’s not just this car that’s vulnerable,” UCSD researcher Karl Koscher said.
Metromile said the vulnerability was patched soon after the researchers notified the company of the flaw in June 2015. “We took this very seriously as soon as we found out,” Metromile CEO Dan Preston told Wired. “Patches have been sent to all devices.”
Still, the UCSD researchers say thousands of Mobile Device dongles remain vulnerable, mostly in Spain, and the larger issue of vulnerable dongles in cars remains. In January 2015, researcher Corey Thuen demonstrated a similar vulnerability in Progressive Insurance’s Snapshot dongle, manufactured by Xirgo Technologies.
The lesson, Koscher told Wired, is simple. “Think twice about what you’re plugging into your car. It’s hard for the regular consumer to know that their device is trustworthy or not, but it’s something they should give a moment’s thought to. Is this exposing me to more risk? Am I okay with that?”
Good Technology CTO Nicko van Someren told eSecurity Planet by email that the UCSD researchers’ work is a great example of what happens when you take a device that was designed for local access and connect it to the Internet. “The ODB-II port on your car was designed in the expectation that only people who could unlock your car and get inside it would have access, so the interface was not built with security in mind,” he said.
“Increasingly, in the rush to connect ‘Things’ for the Internet of Things, we find devices that were designed with the expectation of physical access control being connected to the Internet, the Cloud and beyond,” van Someren added. “If the security of that connection fails, then the knock-on effects can be dire and potentially even fatal.”
In February 2015, U.S. Senator Edward Markey released a report warning of cyber security vulnerabilities in cars and trucks. “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber attacks or privacy invasions,” Markey said at the time.
A recent eSecurity Planet article examined the challenges of ensuring automobile cyber security.