Monday, September 14, 2015 by Chris Draper
WIRED reporter Andy Greenberg recapitulated in vivid prose last month how hackers were able to hijack a Jeep that he was driving with nothing but a laptop and mobile device. The hackers were able to take control of the vehicle by accessing its dashboard connectivity system. After toying with the windshield wipers and radio, the hackers successfully drove the Jeep into a ditch. The incident sent ripples throughout the internet, causing Chrysler to issue a recall on hundreds of thousands of vehicles. Recently, car hackers made a splash in cyberspace once again, by hijacking a Corvette’s insurance dongle.
A pair of researchers from the University of California at San Diego (UCSD) demonstrated that they could hack a Corvette by sending text messages to a plugged-in gadget known as a dongle that keeps track of the vehicle’s speed and location. The researchers manipulated dongles from Metromile, which the company uses to determine insurance rates.(1)
Hackers take the wheel
The hackers were able to activate the Corvette’s windshield wipers, as well as control the breaks at low speeds with the press of a button. While the researchers only hijacked the Corvette, they claim that they could apply the same hacking methods to thousands of vehicles using the dongles. The group of researchers presented their findings at the Usenix security conference August 11. A video of the hackers taking control of the Corvette has since been posted on YouTube.(1)
Unlike the Jeep Cherokee that was previously hijacked, the hackers did not need a data connection to take control of the Corvette. By sending a text message to the dongle, they were able to take control of the vehicle through the OBD2 port. The researchers claim that they could take control of just about any of the car’s functions, including the transmission, steering and locks. This means that vehicles are even more susceptible to hack attacks than previously believed.(2)
The OBD2 dongle in the experiment was manufactured by the France-based firm Mobile Devices and distributed by the insurance firm Metromile. The company joined forces with Uber to make the devices available to contract drivers as part of the company’s discount insurance program.(3)
Metromile issues security patch
Last June, the researchers contacted Metromile about their findings. The insurance company promptly responded by wirelessly delivering a security patch to the internet-connected gadgets. No Uber drivers reported any hacks prior to the fix. The dongles are used by insurance firms other than Metromile though, and the UCSD researchers claim that thousands of other vehicles are still vulnerable to hacks, particularly in Spain.(3)
Fortunately, a vehicle can only be hacked if someone knows the phone number of the dongle. Most companies do not provide the phone number for security purposes. Regardless, that doesn’t mean that hackers will never be able to obtain the digits. That’s what hackers do — mine hard-to-obtain data.
The vehicle gadgets aren’t bound to consumers, however. The White House ordered last march that federal agencies with more than 20 vehicles use telecommunication devices whenever possible. This would mean that thousands of government-owned vehicles could contain OBD2 dongles in the near future.(3)
The hack is just of one of many that is likely to affect Americans in the near future. All vehicles are vulnerable to hacking to some extent. As hacking vehicles becomes more common, automakers will be held more accountable for the devices they choose to install in their vehicles. In the meantime, it may be best to think twice before plugging the device into your car.