Car hacking is becoming a reality, and fast. Just last month, researchers demonstrated how they could remotely hack into a Jeep Cherokee, disabling the brakes, tampering with the steering and causing the car to lose control of critical functions, which led to the eventual recall of some 1.4 million automobiles. Now, another set of security researchers has discovered a way to remotely cut the brakes on a car through a simply crafted text message.
A team of researchers from the University of California at San Diego (UCSD) gained access to the onboard computer system of a 2013 Corvette by sending a specially crafted text message to a dongle plugged into the car. The internet-connected dongle can track the car’s location, speed and efficiency for insurance companies. The team disclosed their findings at the Usenix security conference in Washington DC today.
By sending a carefully crafted SMS message to one of the cheap dongles connected to the dashboard of a Corvette, researchers were able to transmit commands to the car’s CAN bus, the internal network that controls the car’s physical components. Through the text message, researchers were able to turn on the Corvette’s windshield wipers and even cut the car’s brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” Stefan Savage, the University of California at San Diego computer security professor who led the project, told Wired. The result is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
Researchers demonstrated their proof-of-concept attack on a 2013 Corvette, enabling and disabling the car’s windshield wipers and both activating and cutting the brakes. One drawback, researchers said, is that the Corvette brake activation trick only worked at low speeds due to limitations within the automated computer functions of the vehicle. They claim they could have easily adapted their latest attack to practically any modern-day vehicle, with the ability to hijack other critical functions such as locks, steering and transmission.
Savage and his team concluded their research on a dongle called the OBD2 dongle, which is manufactured by a French firm, Mobile Devices. Mobile Devices ships the vulnerable dongles, among other products, to a number of auto manufacturers and third-party vendors. In the United States, one insurance company, Metromile, promotes the dongle, offering pay-per-mile insurance packages based on data logged with the device.
Researchers notified Metromile of the security vulnerability back in June, and Metromile has since pushed out an immediate software patch to all of its customers. “We took this very seriously as soon as we found out,” Metromile CEO Dan Preston told Wired in a phone interview. “Patches have been sent to all the devices.”