New research has shown that it’s entirely possible to hack a Corvette...with an SMS message. Four security researchers from the University of California San Diego recently presented a paper at the USENIX WOOT 2015 conference in Washington showing how they hacked a Corvette using mobile Telematic Control Units (TCUs). The units are more frequently referred to as tracking/insurance dongles. Researchers showed how these dongles, which are used by Uber and car insurance companies such as Metromile, are easily reversible and controllable via SMS.
Such devices are connected to vehicles through the ODB-II port. This gives a person access to the vehicle’s CAN bus, which allows interaction with assorted features, such as brakes and windshield wipers.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” said Stefan Savage, the computer security professor and project leader at University of California at San Diego. He noted that dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
What the Research Says
Researchers discovered different methods of obtaining TCU details from online sources, such as the dongle’s correlating phone number and IP address. Once the Corvette’s number was found, researchers used special SMS messages to connect to the CAN bus. They then used the vehicle’s firmware vulnerabilities to control both the brakes and windshield wipers. And while these were the only two features tested, researchers could have easily accessed a slew of others, including door locks, transmission, dashboard data, etc.
Unfortunately, TCUs are capable of receiving SMS messages while vehicles are in operation, resulting in serious risks to both drivers and passengers. The University of California security researchers subsequently recommended a number of actions, including improved key and password management, SMS authentication, and the disabling of WAN administration.
"Metromile was concrete in its plans to disable all SMS access on its branded devices, consistent with our recommendation," said the researchers.
The Corvette isn’t the only vehicle to be hacked successfully. Last month, researchers demonstrated how easily they could hack Jeeps featuring uConnect software. This means a staggering 471,000 US Jeeps are in danger of being controlled through IP addresses. Following the Jeep revelation, security researcher Samy Kamkar announced how a $100 gadget could be manipulated to control GM vehicle functions.
Technological advancements may have helped vehicles and their drivers in regards to safety, however as with any advancement the opportunity to exploit vulnerabilities is present. The World Wide Web Consortium (W3C) has created a group to analyze the “security and privacy of Web-related technology” utilized by the automotive industry.