Corvette Hacked Via Insurance Monitoring System
You’ve likely seen ads for systems like Snapshot in the US that allow you to save on your insurance costs if you plug a device into the OBD II port on your car and allow your insurance company to monitor your driving habits. I’ve always had my issues with systems like these from a privacy perspective, but now I have another reason to have issues with systems like these. Wired Magazine, the same media outlet that brought you the Jeep hack, has a report where researchers have used these sorts of systems to hack into a Chevy Corvette:
At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
Yikes. That’s not trivial. Here’s a video that shows the hack in action:
The device exploited for those attacks was built by the French manufacturer Mobile Devices and distributed by insurance startup Metromile. The vulnerability has already been patched, according to the manufacturer. But the UCSD researchers claim that thousands of vehicles connected to other Mobile Devices distributors are still visible to their Internet search tools. Thus you could still get pwned if you have one of these gizmos in your car. My suggestion? Pull this gizmo from your car until your insurance company addresses this issue.
That also raises this question: Lots of companies make devices that plug into the OBD II port of a motor vehicle for a variety of reasons. One wonders if those devices are vulnerable in a similar fashion.
This entry was posted on August 12, 2015 at 10:16 am and is filed under Commentary with tags Cars, Hacked.