By sending SMS messages to an OBD2 dongle connected to the dashboard of a Corvette, the researchers were able to pass commands to the car’s CAN bus, which controls a slew of critical functions, including the car’s brakes.
Less than a month after Chrysler-Dodge recalled 1.4 million vehicles over a steering wheel hack, researchers at the University of San Diego are showcasing another hack that can take over a car’s brake system.
Not that the use of such devices is limited to insurance customers looking for discounted rates. But some of these little boxes could also be an Achilles’ heel that leaves their host cars vulnerable to hacking, warns a group of digital security researchers at the University of California at San Diego. In March, the White House issued an executive order mandating the use of similar OBD monitoring systems by federal agencies with fleets of 20 or more vehicles. Researchers have already told the startup about this vulnerability, and it has since been worked on. However, this convenience can come with a lot of security risks and vulnerabilities.
The device in question is marketed by San Francisco insurance company Metromile, which offers pay-per-mile insurance based on data logged by the dongle. The dongles were distributed to end users in a “developer mode” with the same private keys stored insecurely on every device, leaving every telematics dongle of this type open to intrusion once one had been reverse engineered. The first was in the update protocol in devices and the second was in the configuration options, which include the use of text messages (SMS).
Metromile brands the device as Metromile Pulse when installed in their cars.
Recently, we’ve seen a wave of devices vying for placement in your car’s onboard diagnostics port (OBD-II).
Of course, Mobile Devices has since patched the hardware that the research team hacked, and it should be noted that the cell numbers associated with these devices aren’t generally available to just anyone. “It’s hard for the regular consumer to know that their device is trustworthy or not, but it’s something they should give a moment’s thought to.”
Meanwhile, auto companies and tech manufacturers would be wise to take note of these early warnings and ensure that our Internet-enabled cars are safe, rather than waiting for a full-blown disaster.