Security researchers hack a Corvette using text message

The hacked and the furious

University of California researchers have demonstrated a way that hackers could access an insurance black box fitted in a car and use it to control the brakes and windscreen wipers.

The team hacked the box fitted to a 2013 Chevrolet Corvette using a simple text message. The researchers said the method could also be used to access the transmission, steering and locks.

The security boffins will talk about their findings in a research paper titled, "Fast and Vulnerable: A Story of Telematic Failures" at the USENIX security conference, which is taking place this week in Washington.

The problem is not specific to the Corvette or Chevrolet cars - the researchers said that the insurance box fitted into any vehicle can be remotely hacked via text message. The insurance device, called OBD2, is manufactured by a French company called Mobile Devices. It is then sold on to insurance companies to help track vehicle movements for insurance purposes.

In a video, the researchers showed how the brakes could be applied or deactivated on a Corvette at low speed (the car's automatic braking system only functions in slow driving situations, such as travelling through a city). However, in other vehicles, autonomous driving features, such as transmission and steering, could be controlled remotely via the hack. This is because the box itself can act as a gateway to other systems in the car.

"We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies," Stefan Savage, computer security professor at the University of California at San Diego, told Wired.

The researchers have made Mobile Devices and Metromile, the insurance firm that distributes the dongle to car manufacturers, aware of the hack, allowing the firm to update the boxes with a software patch.

"We took this very seriously as soon as we found out," Metromile CEO Dan Preston told Wired. "Patches have been sent to all the devices."

Ken Westin, senior security analyst at Tripwire, said that one of the trends he was seeing in automotive system vulnerabilities was that many of these systems are using networks and protocols designed for cellular and IP networks.

"These tools were designed to facilitate human to human interaction. When these networks and protocols are repurposed for machine to machine communication, they become vulnerable to a variety of different threat models," he said.

"When a cell phone is compromised there is a potential for data to be compromised, which is an inconvenience. However, when machine to machine communications over cellular or IP networks are compromised it leads to a kinetic attack that could result in serious injury or even loss of life."
