Cyber carjacking

Researchers use SMS to take control of a car remotely

Published 13 August 2015

Researchers have discovered a serious flaw in vehicle security, which allowed them to hack a car, remotely activating its windscreen wipers, applying its brakes, and even disabling them – and do all this by using simple text messages. The vulnerability was found in small black dongles which are connected to the vehicles’ diagnostic ports. The dongles are used by insurance companies and fleet operators and are plugged into the car’s onboard diagnostics port (OBD-II).

Two researchers demonstrate car hacking with a text message // Source: cse.ucsd.edu/

University of California, San Diego researchers have discovered a serious flaw in vehicle security, which allowed them to hack a car, remotely activating its windscreen wipers, applying its brakes, and even disabling them – and do all this by using simple text messages. The vulnerability was found in small black dongles which are connected to the vehicles’ diagnostic ports. Insurance companies and fleet operators typically plug these dongles into the onboard diagnostics port (OBD-II) of cars and trucks in order to collect data such as fuel efficiency and the number of miles driven.

Gizmodo reports that the researchers hacked these dongles by sending SMS text messages, relaying commands to the car’s control systems. The researchers demonstrated the hack on a Corvette.

“We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies,” Stefan Savage, computer security professor and leader of the project, told Wired.

The dongles hacked in the tests were made by Mobile Devices and distributed to consumers by U.S. insurance company Metromile as part of its pay-per-mile insurance plan. Metromile also gives the dongles to Uber drivers for collecting information which may be used in insurance claims.

The researchers stressed that once hackers compromise the dongles, they can control practically any aspect of the car, including steering and locks. The thousands of cars now equipped with the dongles are thus vulnerable.

The researchers, who say that the dongles were distributed to consumers in an insecure “developer mode,” will be presenting their findings at the Usenix security conference which opens today in Washington, D.C. In their presentation, they will warn that many other dongles of this type may be similarly vulnerable.

The U.S. government has recently made it a requirement for all federal agencies with fleets of more than twenty vehicles to equip the vehicles with dongles to monitor telemetrics.

Mobile Devices and Metromile were notified in June about the vulnerability, and Metro Devices has issued a security patch that can upgrade the dongles’ security wirelessly.

A similar dongle offered to customers by insurance company Progressive, and a personal telemetrics device called Zubie, were also found to be vulnerable to hacks.