A team of researchers from the University of California, San Diego, have managed to hack a Corvette via specially crafted SMS messages sent to a tracking dongle (i.e. a telematic control unit) plugged into the car’s On-Board Diagnostics port (OBD-II).
When connected to the car’s dashboard, the dongle can be used to transmit instructions to the car’s CAN bus – a network that allows the electronic control units (ECUs) for the car’s various subsystems to communicate – and this is exactly what the researchers did.
As they demonstrated in this video, they managed switch on and off the Corvette’s windshield wipers and, more crucially, its brakes:
“TCUs can be divided into those sold and integrated by the OEM itself (e.g., such as GM’s On-Star, Ford’s Sync, etc.) and those that serve the aftermarket (e.g., Progressive Snapshot’s, Automatic Lab’s Automatic, Delphi’s Connect, etc.),” the researchers explained in a paper.
Other researchers have already analyzed OEM provided TCUs and found crucial vulnerabilities. This group OEM turned their attention to the problem of aftermarket devices, “which are typically purchased directly by consumers or through a third-party service offering (e.g., insurance or fleet management), are loosely coupled with the vehicle in which they are installed, and are maintained independent of normal automotive service channels.”
They concentrated on one particular device, made by French company Mobile Devices and used in the US by a number of insurance and transportation companies to track and monitor vehicles.
They found that it’s vulnerable via a range of both local (web/telnet console access, NAND dump, SSH keys) and remote (Internet-based, SMS-based) vectors and, once compromised, it’s able to inject arbitrary payloads to automotive ECUs and, thus, effectively allow attackers to interact with them from a distance.
To prevent the exploitation of these vectors, the researchers advise TCU manufacturers to implement update and console authentication, stronger SMS authentication, more thought out key management and improved password management, to disable WAN administration, and to make sure that the update server is maintained.
“We disclosed our understanding of the problems with the C4E class of TCUs to the vendor (Mobile Devices), to Metromile (a customer of theirs using that platform), and to Uber (a customer of Metromile). All were supportive of our work, appreciative that we had informed them in advance, and intimated that the problems would be fixed (indeed, Metromile was concrete in its plans to disable all SMS access on its branded devices, consistent with our recommendation) or had already been fixed,” the researchers noted.
“However, we also experienced some of the challenges with this space arising from complex supply chain in which a device is customized for different markets.”