University of California researches have demonstrated a way that hackers could access an insurance black box fitted in a car and use it to control the brakes and windscreen wipers.
The team hacked the box fitted to a 2013 Chevrolet Corvette using a simple text message. The researchers said the method could also be used to access the transmission, steering and locks.
The security boffins will talk about their findings in a research paper titled, "Fast and Vulnerable: A Story of Telematic Failures" at the USENIX security conference, which is taking place this week in Washington.
The problem is not specific to the Corvette or Chevrolet cars - the researchers said that the insurance box fitted into any vehicle can be remotely hacked via text message. The insurance device, called OBD2, is manufactured by a French company called Mobile Devices. This is then sold onto insurance companies to help track vehicle movements for insurance purposes.
In a video, the researchers showed how the brakes could be applied or deactivated on a Corvette at low speed (the car's automatic braking system only functions in slow driving situations, such as travelling through a city). However, in other vehicles with autonomous driving features, such as transmission and steering, could be controlled remotely via the hack. This is because the box itself can act as a gateway to other systems in the car, thus allowing the hack to happen.
"We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies," Stefan Savage, computer security professor at the University of California at San Diego, told Wired.
The researchers have made Mobile Devices and Metromile, the insurance firm that distributes the dongle to car manufacturers, aware of the hack, allowing the firm to update the boxes with a software patch.
"We took this very seriously as soon as we found out," Metromile CEO Dan Preston told Wired. "Patches have been sent to all the devices."
Ken Westin, senior security analyst at Tripwire said that one of the trends he was seeing in automotive system vulnerabilities was that many of these systems are using networks and protocols designed for cellular and IP networks.
"These tools were designed to facilitate human to human interaction. When these networks and protocols are repurposed for machine to machine communication, they become vulnerable to a variety of different threat models," he said.
"When a cell phone is compromised there is a potential for data to be compromised, which is an inconvenience. However, when machine to machine communications over cellular or IP networks are compromised it leads to a kinetic attack that could result in serious injury or even loss of life."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.