Industry News

How to disable a car’s brakes just by sending an SMS

Last month, security researchers grabbed the headlines dramatically by demonstrating how they had found a way to remotely hack into a Jeep as it drove down the highway at 70mph, mess with its controls, and cut its engine. Car manufacturer Chrysler was compelled to recall 1.4 million cars for a security update in response.

But now a different team of security researchers have found what appears to be an even simpler method of messing around with some cars, just by sending an SMS message.

As Wired reports, researchers from the University of California at San Diego have demonstrated at the Usenix security conference a way in which they were able to remotely exploit a device plugged into the dashboard of thousands of cars and trucks.

The vulnerable device is the OBD-II (On-Board Diagnostic) dongle manufactured by French firm Mobile Devices, and used by insurance firms to monitor in-vehicle data about how the vehicle is being driven as well as its location. The devices are connected to the vehicle’s dashboard, and can receive SMS messages.

And that is what the researchers exploited, creating specially-crafted messages that could be sent to the dongles, which in turn transmitted commands to the car’s internal network – allowing them to control car’s windscreen wipers or even slam on or disable the brakes.

“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”

In the following video, the researchers demonstrate the hack against a 2013 Chevrolet Corvette,

The researchers were keen to point out that the vulnerability was not specific to the Chevrolet, but could be exploited on any number of different modern vehicles fitted with the Mobile Devices OBD-II dongle.

All they had to do was SMS messages to the dongle from a certain phone number (which could be faked) in order to start the process of rewriting the firmware or send malicious commands direct to the connected car.

Specifically, the researchers though looked closely at the OBD-II dongle as supplied by insurance company Metromile, and responsibly informed the firm in June about the vulnerability.

In a statement issued yesterday by Metromile, the company said that it had sent patches to all of its devices over-the-air.

metromile-statement

“Recently, it was revealed to us that MDI, who makes our OBD-II dongle, the Metromile Pulse device, has a vulnerability that can remotely takeover these devices. We took immediate action and released updates to all devices in the field to resolve the discovered remote exploits and can confirm that most of the devices have successfully downloaded and applied the patch and we expect the remainder of devices to be patched by mid-August.”

As part of a discount insurance program, some Uber drivers are said to have installed the Metromile version of the OBD-II dongle, and they too are believed to have been updated.

But once again, security researchers have shown how easy it is to hack into the functions of a car and potentially make them unsafe. As more and more technology becomes inter-connected, we have to apply pressure on manufacturers to ensure that they get their code right in the first place, rather than rush out patches later after a serious vulnerability has been found.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Aside from the Big Brother implications of having ANY kind of external connection to one’s vehicle, it seems to me that having a connection that has access to vehicle control functions is especially unwise, and this story proves it.

    The passive collection of data is one thing; I can easily understand why insurance providers have a legitimate proprietary interest in collecting data about how the vehicle is operated, and how that is ultimately in the insured driver’s best interests.

    But the ability to access vehicle control functions is an entirely different matter. Quite apart from the demonstrated fact that such systems can be hacked, there is always the potential for system failure.

    All will agree that manufacturers should get their code right in the first place. But does a responsible driver really want the potential for outside interference with control of the vehicle? I don’t.

  • Not simply an infosec story – There should not exist any command to disable the brakes – under any circumstances whatsoever. ABS units are normally designed to be utterly failsafe, so that manual braking persists even in the event of complete ABS system failure. This should have been picked-up by any number of FMEA’s. Is it really true??