Last month, security researchers grabbed the headlines dramatically by demonstrating how they had found a way to remotely hack into a Jeep as it drove down the highway at 70mph, mess with its controls, and cut its engine. Car manufacturer Chrysler was compelled to recall 1.4 million cars for a security update in response.
But now a different team of security researchers has found what appears to be an even simpler method of messing around with some cars, just by sending an SMS message.
As Wired reports, researchers from the University of California at San Diego have demonstrated at the Usenix security conference a way in which they were able to remotely exploit a device plugged into the dashboard of thousands of cars and trucks.
The vulnerable device is the OBD-II (On-Board Diagnostic) dongle manufactured by French firm Mobile Devices, and used by insurance firms to monitor in-vehicle data about how the vehicle is being driven as well as its location. The devices are connected to the vehicle’s dashboard, and can receive SMS messages.
And that is what the researchers exploited, creating specially-crafted messages that could be sent to the dongles, which in turn transmitted commands to the car’s internal network – allowing them to control the car’s windscreen wipers or even slam on or disable the brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
In a video, the researchers demonstrate the hack against a 2013 Chevrolet Corvette.
The researchers were keen to point out that the vulnerability was not specific to the Chevrolet, but could be exploited on any number of different modern vehicles fitted with the Mobile Devices OBD-II dongle.
All they had to do was send SMS messages to the dongle from a certain phone number (which could be faked) in order to start the process of rewriting the firmware or send malicious commands directly to the connected car.
Specifically, though, the researchers looked closely at the OBD-II dongle as supplied by insurance company Metromile, and responsibly informed the firm in June about the vulnerability.
In a statement issued yesterday by Metromile, the company said that it had sent patches to all of its devices over-the-air.
“Recently, it was revealed to us that MDI, who makes our OBD-II dongle, the Metromile Pulse device, has a vulnerability that can remotely take over these devices. We took immediate action and released updates to all devices in the field to resolve the discovered remote exploits and can confirm that most of the devices have successfully downloaded and applied the patch and we expect the remainder of devices to be patched by mid-August.”
As part of a discount insurance program, some Uber drivers are said to have installed the Metromile version of the OBD-II dongle, and they too are believed to have been updated.
But once again, security researchers have shown how easy it is to hack into the functions of a car and potentially make it unsafe. As more and more technology becomes inter-connected, we have to apply pressure on manufacturers to ensure that they get their code right in the first place, rather than rush out patches later after a serious vulnerability has been found.