Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes.
But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.
At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency.
By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus — the internal network that controls its physical driving components — turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
In the video below, the researchers demonstrate their proof-of-concept attacks on a 2013 Corvette, messing with its windshield wipers and both activating and cutting its brakes. Though the researchers say their Corvette brake tricks only worked at low speeds due to limitations in the automated computer functions of the vehicle, they say they could have easily adapted their attack for practically any other modern vehicle and hijacked other critical components like locks, steering or transmission, too.
The device that the UCSD researchers exploited for those attacks was a so-called OBD2 dongle built by the France-based firm Mobile Devices, but distributed by corporate customers like the San Francisco-based insurance startup Metromile.
Metromile, the only one of those corporate distributors whose devices the researchers fully analyzed, is an insurance company that gives its customers the cellular-enabled devices, branded as the Metromile Pulse, to plug into a port on their dashboards as a means of tracking cars and charging drivers on a per-mile basis. The company has even partnered with Uber to offer the devices to its contract drivers as part of a discount insurance program.
The UCSD researchers say they first contacted Metromile about the dongle’s vulnerability in June, and the insurance firm tells it responded with a security patch delivered wirelessly to the Internet-connected gadgets. “We took this very seriously as soon as we found out,” Metromile CEO Dan Preston said in a phone interview. “Patches have been sent to all the devices.” Preston says the security update was created by Mobile Devices, and Metromile then transmitted it over the air to customers.
Uber also says its drivers’ Metromile gadgets have been updated and are no longer vulnerable. “No drivers reported any problems related to this issue prior to the fix, and we are not aware of any remaining exposure,” an Uber spokesperson wrote in an email.
But the researchers argue that the larger problem of wirelessly hackable dongles plugged into cars’ networks is far from solved. They say they also notified Mobile Devices of its hardware’s insecurity, and were told that the latest versions of the company’s dongles weren’t vulnerable to their attack.
But the researchers nonetheless found in scans of the Internet using the search tool Shodan that in addition to the Metromile device, thousands of still-hackable Mobile Devices dongles were visible, mostly in Spain—possibly those used by the Spanish fleet management firm and Mobile Devices customer Coordina. Mobile Devices hasn’t responded to request for comment or for a list of its main customers.
Coordina, for its part, responded in a statement from its parent company TomTom Telematics that it’s analyzed the researchers’ attack and believes it only applies to an older version of its dongles, and that it’s working to replace the “limited number” of older devices currently in cars and trucks. The company’s managing director Thomas Schmidt also noted that the phone number of SIM cards in its devices isn’t public and therefore can’t be contacted via SMS.
“Therefore we consider TomTom Telematics as not vulnerable for SMS hack attacks of Mobile Device OBD dongles related to the described method,” he writes in an email . (The UCSD researchers counter that they’ve been able to use brute-force guessing to send SMS messages to dongles without knowing their SIM cards’ phone numbers. But they also admit that they haven’t actually tested their attack on the Coordina devices.)
Regardless, the problem is hardly limited to Metromile, Coordina, or even their device supplier Mobile Devices. The insurance company Progressive also offers so-called “telematics-based insurance” using a similar OBD2 plug-in it calls the Snapshot. Earlier this year security researcher Corey Thuen found that the Progressive Snapshot device had its own serious vulnerabilities, though Thuen didn’t demonstrate a proof-of-concept attack. And researchers at the cybersecurity firm Argus found that the Zubie, an OBD2 device for personal tracking of driving efficiency, had hackable flaws, too.
In the Mobile Devices dongles specifically, the UCSD team found a slew of serious security bugs. The gadgets had their “developer” mode enabled, allowing anyone who scanned for the devices to access them via SSH, a common protocol for remotely communicating with a computer. They stored the same private key on every device, which a hacker could immediately extract to gain complete “root” access on any of the dongles. And the Mobile Devices dongles were also configured to accept commands via SMS, a protocol with virtually no authentication. By sending texts to the devices from a certain phone number, anyone could rewrite their firmware or simply begin issuing commands to a connected car.
To be clear, none of those bugs are unique to the Corvette the researchers used in their tests. Corvette-maker Chevrolet didn’t respond to request for comment, but the UCSD researchers say they could have hijacked the steering or brakes of just about any modern vehicle with the Mobile Devices dongle plugged into its dash. “It’s not just this car that’s vulnerable,” says UCSD researcher Karl Koscher. He points to the work of researchers Charlie Miller and Chris Valasek, who revealed and published the code for a wide array of attacks on a Toyota Prius and Ford Escape in 2013 that required only access to a vehicle’s OBD2 port. “If you put this into a Prius, there are libraries of attacks ready to use online.”
Mobile Devices hasn’t detailed exactly what sort of software fix it’s created in response to the UCSD research, and the UCSD researchers say they also haven’t fully examined Metromile’s patch. But they argue that regardless of the security of the single device they studied, both consumers and third party OBD2 device firms need to consider the security of the devices they connect to their vehicles. “Think twice about what you’re plugging into your car,” says Koscher. “It’s hard for the regular consumer to know that their device is trustworthy or not, but it’s something they should give a moment’s thought to. Is this exposing me to more risk? Am I ok with that?”
The use of those vulnerable dash gadgets could extend beyond consumers, too. An executive order from the White House in March called for federal agencies with fleets of more than 20 vehicles to use telematics systems whenever possible to improve vehicle efficiencies. That could mean many thousands more government-owned cars and trucks using Internet-connected dongles in the near future.
“We have a whole bunch of these that are already out there in the market,” says UCSD’s Savage. “Given that we’ve seen a complete remote exploit and these things aren’t regulated in any way and their use is growing…I think it’s a fair assessment that yes, there will be problems elsewhere.”
110 Reykjavik, Iceland