There have been several car hacking demonstrations recently, with one of the more high-profile ones being the attack that was staged on a Jeep Cherokee wherein hackers took control of the vehicle from miles away.
The hacking demonstration, which infiltrated the Jeep Cherokee's on-board infotainment system to access the vehicle's brakes and steering, has led to a recall order involving 1.4 million vehicles and a possible class action lawsuit.
However, new research reveals that it could be even easier for hackers to take control of vehicles through Internet-connected, potentially insecure insurance black boxes.
University of California, San Diego researchers revealed at the USENIX security conference that they were able to hack into thousands of cars wirelessly through small devices that are plugged into the dashboards of cars and trucks so that insurance companies and trucking companies can track the location and speed of the vehicles.
By sending SMS messages to one of the devices that was connected to a Corvette, the researchers were able to send commands to the vehicle's CAN bus, which is the internal system that controls all the physical driving components of the car. The researchers were able to turn on the vehicle's windshield wipers and enable or disable its braking system.
According to Stefan Savage, the UCSD professor of computer security who led the study, the team acquired several units of the devices. Upon reverse engineering them, the team found several security issues that could give hackers several ways to remotely take control of the cars that the devices are connected to.
The researchers released a video that demonstrated a series of attacks utilizing the methods on a Corvette. While the team said that enabling and disabling the vehicle's brakes would only work when the car was moving at low speeds, the researchers said that it would be easy to adapt the methods to target different kinds of modern vehicles and take over other critical systems such as steering, locks and transmission.
The exploited device was the OBD2 dongle manufactured by France-based Mobile Devices and distributed by companies such as insurance startup Metromile. Metromile branded the device as the Metromile Pulse and installed it on the dashboards of vehicles to charge car owners on a per-mile basis for insurance coverage.
While Metromile released a security patch to fix the device's vulnerabilities upon being told of the issue by the UCSD researchers, the researchers claim that the problem persists, present in the insecure hardware of Mobile Devices in various locations.
In addition, the problem is not limited to Mobile Devices or Metromile, or to just the Corvette, as many companies use similarly insecure and hackable gadgets installed on vehicles of various manufacturers.
Photo: Michael Gil | Flickr