A couple of weeks back, a couple of hackers took remote control of a Jeep Cherokee during a closed test and were able to control a number of vehicle systems, such as the brakes and transmission. The hackers were able to enter the car’s computers via the infotainment system, wirelessly from just about anywhere in the world. Well, it turns out that this isn’t the only way hackers can get themselves into a car’s brain and control it remotely.
Recently, researchers at the University of California at San Diego (UCSD) discovered that they were able to enter a Corvette’s CAN bus, which is the internal network that controls most functions of the car, wirelessly through an insurance dongle.
These dongles are little gadgets from certain insurance agencies that monitor the car’s speed, braking and pretty much everything else about it. The idea is that if the insurance company can track what you’re doing and where you’re doing it, you can get lower rates if you behave. However, the UCSD researchers have found that they can access these dongles, via SMS, and use it to control certain features of the car, like the brakes, engine and transmission. “We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the Computer Security Professor at UCSD.
Many of these devices that USCD were able to control we developed by French based firm, Mobile Devices. Mobile Devices then supplies many insurance groups, like San Francisco-based Metromile with these dongles, which then make their way into many cars. Insurance companies off these dongles to both private drivers and commercial fleets. So it’s quite common for cars to have them. Metromile has since released an over-the-air patch that fixes this issue, however the UCSD researchers claim that thousands of cars on the road still exist with hackable devices.
It also makes no difference which car these devices are hooked up to. The example the researchers used was on a 2013 Corvette, however, any car equipped with one of these exposed insurance dongles can be hacked.
This is a scary idea, that there’s a possibility of a hacker being able to take advantage of a system in a car that so many people have. The Jeep Cherokee hack a little while back required that the car had some hardware installed beforehand to allow the hackers in wirelessly. This new hack required no such additional hardware, as the CAN bus dongle is all that’s needed and would already be equipped to the car. Both car companies and hardware companies need to be aware of these issues and work toward creating a future where this can’t happen.