Ian Foster and Andrew Prudhomme, from the University of California, San Diego, presented their findings at a security conference in D.C., detailing how they were able to exploit a device used to track driving data to digitally break into a Corvette, turning on its windshield wipers and both applying and disabling the brakes.
Their point of entry: An aftermarket telematics control unit, like the ones that major insurers such as Progressive, Allstate and State Farm provide customers to help them save on premiums. The palm-sized dongles plug into a car’s standard onboard diagnostic (OBD-II) port to monitor speed, distance and braking. That data, used to determine how safe a driver you are, is sent wirelessly to the companies’ servers.
The UCSD hack shows how these added third-party devices only increase the already significant security risks of connected cars.
“We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle,” the researchers wrote in the abstract to their paper. “This problem is particularly challenging because, since this is aftermarket equipment, it cannot be well addressed by automobile manufacturers themselves.”
Another recent hack, of a Jeep via its in-dash entertainment system, led to Fiat Chrysler recalling 1.4 million vehicles for emergency security software updates. One researcher was able to unlock the doors of a GM car, honk the horn, turn on the engine and find the exact location using the car’s OnStar app. At the DEF CON hacking conference in Las Vegas last week, a Tesla Model S got the royal hacking treatment.
Foster, Prudhomme and their collaborators plugged a dongle they bought on eBay into a Corvette’s OBD-II port. In a YouTube video, they showed how they were able to take advantage of the connected device to send commands to the car with SMS text messages from a smartphone.
While the car sat in a parking lot, they turned on its windshield wipers. As a colleague drove it at 5 miles per hour, they put on the brakes — and were able to temporarily disable them.
There’s no reason the ability would be limited to this particular device or this particular kind of car.
The dongles are made by a French company called Mobile Devices and are used by Metromile, a San Francisco insurance startup, and by Uber. Both Metromile and Uber told Wired the devices had been updated with security patches.