Another day, another demonstration of how connected car technology can be hacked and hijacked with terrifying consequences. This time, hackers have applied the brakes of a Chevrolet Corvette by sending a text message.
Rather than this being a problem with the Corvette or Chevrolet cars, the researchers claim a dongle plugged into the dashboard of almost any car or truck and used to track it for insurance reasons, can be remotely hacked, giving attackers access to a vehicle's physical controls.
Sending a specific text message to the dongle, which is used by insurance firms and trucking fleets to monitor vehicle location, speed, and efficiency, is all that is needed for hackers to take control of some parts of the car. The hack was demonstrated at the Usenix security conference in Washington DC.
'A whole bunch of security deficiencies'
Stefan Savage, a computer security professor from the University of California and leader of the project, told Wired: "We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies. [The dongles] provide multiple ways to remotely...control just about anything on the vehicle they were connected to."
Called an OBD2 dongle, the device measures just 2in square and is built by the French company Mobile Devices, then distributed to corporate customers like Metromile. A San Francisco-based insurance company, Metromile then hands out the device to customers as a way of tracking vehicles and charging their insurance on a per-mile basis.
The researchers have published a video to show how the hack works. With this particular model of Corvette the brakes could only be applied (or deactivated) at low speeds, due to the car's automatic braking feature only working in slow, city-driving environments. But they said that when applied to other vehicles with more sophisticated autonomous driving features, these could be commandeered too. With these vehicles, the hack could be modified to take control of the door locks, steering, and gearbox.
Devices have been patched
A software update created by Mobile Devices has been sent to all Metromile dongles after the researchers made the company aware of its vulnerabilities. "We took this very seriously as soon as we found out," Metromile CEO Dan Preston said. "Patches have been sent to all the devices." Uber also uses the dongles to monitor its drivers and says it too has received the patch. However, the researchers believe thousands of still-hackable Mobile Devices dongles are being used, particularly in Spain.
The hack comes just days before a number of Tesla Model S cars already on the roads will receive a software update allowing them to become largely autonomous during motorway driving. Tesla's Autopilot system, installed on all Model S P85D cars, is not yet switched on, but when active will allow the cars to brake, steer and maintain a constant speed and gap from surrounding traffic with zero input from the driver. Company CEO Elon Musk says the free over-the-air update will begin rolling out on 15 August.
In recent months there have been numerous high-profile hacks of connected cars. Hackers remotely switched off the engine of a Jeep Cherokee and controlled the car's brakes over the internet in July. Early August saw a Tesla Model S remotely compromised, giving hackers access to the car's entertainment system. In February, over two million BMW, Mini and Rolls-Royce vehicles were revealed to be vulnerable to an attack which could remotely unlock their doors.