Last month, security researchers showed the world that a car can be hijacked from thousands of miles away using its internet-connected entertainment system. As if that wasn’t disturbing enough, there may be an even simpler way to take remote control of somebody else’s car: By hacking into small, internet-enabled device people plug directly into the dashboard to save money on car insurance.
As a team of researchers from the University California, San Diego will demonstrate at the Usenix security conference today, a 2-inch-square device called an OBD2 dongle — which plugs into a car’s or lorry’s dashboard to monitor its location, speed, and fuel efficiency — can be turned against the driver rather easily. By sending SMS messages to an OBD2 dongle connected to the dashboard of a Corvette, the researchers were able to pass commands to the car’s CAN bus, which controls a slew of critical functions, including the car’s brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” security researcher Stefan Savage, of University of California at San Diego told Wired. The dongles, he says, “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
Here’s a video demonstration the researchers put together:
OBD2 dongles are manufactured by the France-based firm Mobile Devices and distributed worldwide by corporate customers, including the San Francisco-based insurance company Metromile. Metromile offers the dongles to its customers as a means of tracking driver behaviour and adjusting insurance premiums accordingly. The company, Wired reports, has recently partnered with Uber, offering the devices to contract drivers for an insurance discount.
Thankfully, when the UCSD researchers contacted Metromile about the dongle’s vulnerabilities in June, the insurance firm quickly sent out a security patch to all of its devices. Still, a single patch won’t solve what’s becoming an increasingly widespread security vulnerability, as our vehicles assimilate into the Internet of Things that’s quickly permeating every aspect of our lives. Aside from the vulnerability the researchers exploited, a slew of other red flags cropped up during their investigation, as Wired explains:
The gadgets had their “developer” mode enabled, allowing anyone who scanned for the devices to access them via SSH, a common protocol for remotely communicating with a computer. They stored the same private key on every device, which a hacker could immediately extract to gain complete “root” access on any of the dongles. And the Mobile Devices dongles were also configured to accept commands via SMS, a protocol with virtually no authentication. By sending texts to the devices from a certain phone number, anyone could rewrite their firmware or simply begin issuing commands to a connected car.
And other wireless car devices may pose just as much of a risk, the researchers say. Insurance company Progressive also offers telematics-based insurance, using a similar OBD2-style device called the Snapshot. At this point, the best advice the researchers can offer the average consumer is to heed the precautionary principle.
“Think twice about what you’re plugging into your car,” UCSD security researcher Karl Koscher told Wired. “It’s hard for the regular consumer to know that their device is trustworthy or not, but it’s something they should give a moment’s thought to. Is this exposing me to more risk? Am I ok with that?”
Meanwhile, autocompanies and tech manufacturers would be wise to take note of these early warnings, rather than waiting for a full-blown disaster to ensure that our Internet-enabled cars are safe.
Top image via Wikimedia