A couple of weeks ago, we learned that Chrysler vehicles with Uconnect systems could be hacked remotely. A few days later, we heard that General Motors’ OnStar had some vulnerabilities of its own to shore up. And on Monday, we told you that bad guys (or gals) have been tinkering with our neighborhood gas stations.
Could it get any worse?
Never ask that question, because the answer is always “yes.”
According to Wired, good-guy hackers from the University of California at San Diego have found a way to break into a dongle plugged into a vehicle’s onboard diagnostics port. You might be using such a device right now if you take part in Progressive’s Snapshot program, use an app like Automatic, or drive for a corporate fleet.
How did the hackers manage to break in? How did they communicate with their target vehicle? By sending a text message.
Yes, a text message.
As you’ll see in the video above, the hackers used a 2013 Chevrolet Corvette as their oversized guinea pig (though they could have used almost any later-model vehicle). Using text messages, they were able to exploit a security hole in a dongle and gain access to the Corvette’s CAN bus — essentially, the means by which the car’s many different electronic components talk to one another. Once they were in, the hackers sent more text messages that turned on and off windshield wipers, hit the brakes, and, more ominously, disabled the brakes entirely.
And this was just a proof-of-concept exercise. With a bit more work, the hackers say that they could take greater control of vehicles, no matter how fast they’re traveling. They say that they can write software to affect car locks, steering systems, and transmissions.
For this test, the hackers focused on dongles made by Mobile Devices, which are deployed by drivers around the world (including some who work for Uber, who earn insurance discounts via the devices). But the shortcomings apply to dongles made by other companies, too.
The security problem here is threefold:
- Many dongles aren’t especially secure, and it appears that’s because manufacturers don’t fully understand how they can be exploited in attacks.
- Many dongles allow hackers to flip them into “developer mode,” increasing the amount of havoc they can wreak.
- Many, many dongles are connected to cellular networks, meaning that anyone with a cell phone can reach them, from anywhere around the world.
Sounds frightening, no? But don’t rip up your driver’s license just yet. The good news is, you’re unlikely to suffer from an attack like this — at least for now.
The bad news is, this is another example of how our increasingly connected cars — which make life so much easier for us in so many ways — also make us vulnerable. Stay vigilant.