14 DAY TRIAL // Using mobile TCUs (Telematic Control Units), or better known as tracking/insurance dongles, four security researchers from the University of California in San Diego hacked a Corvette using SMS messages.
Presenting their research paper at the USENIX WOOT 2015 conference in Washington, the four showed how the tracking dongles used by many companies like Metromile (car insurance) and Uber can be easily reverse-engineered and controlled via SMS.
These devices are connected to the car via an ODB-II port, which then grants them access to its CAN bus, from where various car features can be interacted with.
While not all TCUs have Wi-Fi capabilities, a mobile 2G or 3G modem is offered with most of them, a feature included for providing Internet capabilities, relaying GPS location to the tracking servers or for sending and receiving SMS messages when needed.
Metromile and Uber deploy the vulnerable TCUs with their cars
Researchers tested in their paper the same type of TCU used by Uber and Metromile, and found that the device can be used to grant attackers access to Corvette cars in two modes: in a local setup when the attacker has access to the car and its TCU device, and in a remote setup, via its SMS interface or its Internet connection.
While the TCU could be compromised in both setups, all would eventually lead to the scenario where the attacker would distance themselves from the victim using the SMS controlling capabilities that the TCU exposed the car to.
Researchers discovered different ways of getting the TCU's details from online sources, including its IP address and associated phone number.
Having found the car's phone number, using specially crafted SMS messages, the researchers managed to connect to the CAN bus, and using vulnerabilities in the car's firmware, they were be able to control windshield wipers and the car's brakes.
In theory, access can be given to the whole car
Only these two actions were tested, but technically, they could have accessed any other car feature, including the steering's transmission, door locks, speed limits, dashboard data, and so on.
Since the TCU can receive SMS messages while the car is in motion, this poses a real life and death risk for the car's driver and passengers.
To prevent this from happening, the four security researchers recommend SMS authentication, better key and password management, disabling WAN administration, and a few other actions.
The research team disclosed their findings to Metromile and Uber, and "Metromile was concrete in its plans to disable all SMS access on its branded devices, consistent with our recommendation," said the researchers.
According to statements made to WIRED, the security researchers said other modern cars with a TCU plugged into them were vulnerable, and that this technique could easily be modified and used with other car manufacturers as well.
"If you put this into a Prius, there are libraries of attacks ready to use online,” said Karl Koscher, one of the four researchers.
Previously, researchers had also manage to hack a Tesla Model S.
Cases like these prompted the World Wide Web Consortium (W3C) to initiate a working group regarding the security and privacy of Web-related technology used by the automotive industry.
Below is the proof-of-concept video for the Corvette hack via SMS messages.
