Security researchers hack a Corvette using text message

The hacked and the furious

University of California researchers have demonstrated a way that hackers could access an insurance black box fitted in a car and use it to control the brakes and windscreen wipers.

The team hacked the box fitted to a 2013 Chevrolet Corvette using a simple text message. The researchers said the method could also be used to access the transmission, steering and locks.

The security boffins will talk about their findings in a research paper titled, "Fast and Vulnerable: A Story of Telematic Failures" at the USENIX security conference, which is taking place this week in Washington.

The problem is not specific to the Corvette or Chevrolet cars - the researchers said that the insurance box fitted into any vehicle can be remotely hacked via text message. The insurance device, called OBD2, is manufactured by a French company called Mobile Devices. It is then sold on to insurance companies to help track vehicle movements for insurance purposes.

In a video, the researchers showed how the brakes could be applied or deactivated on a Corvette at low speed (the car's automatic braking system only functions in slow driving situations, such as travelling through a city). However, in other vehicles, autonomous driving features such as transmission and steering could be controlled remotely via the hack. This is because the box itself can act as a gateway to other systems in the car, thus allowing the hack to happen.

"We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies," Stefan Savage, computer security professor at the University of California at San Diego, told Wired.

The researchers have made Mobile Devices and Metromile, the insurance firm that distributes the dongle to car manufacturers, aware of the hack, allowing the firm to update the boxes with a software patch.

"We took this very seriously as soon as we found out," Metromile CEO Dan Preston told Wired. "Patches have been sent to all the devices."

Ken Westin, senior security analyst at Tripwire, said that one of the trends he was seeing in automotive system vulnerabilities was that many of these systems are using networks and protocols designed for cellular and IP networks.

"These tools were designed to facilitate human to human interaction. When these networks and protocols are repurposed for machine to machine communication, they become vulnerable to a variety of different threat models," he said.

"When a cell phone is compromised there is a potential for data to be compromised, which is an inconvenience. However, when machine to machine communications over cellular or IP networks are compromised it leads to a kinetic attack that could result in serious injury or even loss of life."
