Common insurance dongle allows hackers to wirelessly take control of a vehicle's brakes

midian182


A team of researchers from the University of California at San Diego have found a way to wirelessly hack and take control of thousands of vehicles via an insurance dongle plugged into a car’s On Board Diagnostic Generation 2 port.

The researchers revealed the vulnerability at the 24th USENIX Security Symposium yesterday. The team were able to transmit commands to a 2013 model Corvette’s CAN BUS – the internal network that controls some of the vehicle’s critical functions – by sending SMS messages to an OBD2 dongle connected to the car’s dashboard. This allowed them to activate the windshield washers and, more worryingly, engage and disengage the brakes at low speeds.

The problem isn’t limited to Corvettes; the researchers warned that they could have commandeered the systems of nearly any CAN BUS-equipped car with the dongle plugged in, and that the hack could be modified to affect other vehicle systems such as the steering, lock, and transmission.

“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the security professor who led the project. He explained that the devices “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”

The dongle used in the demonstration was built by the French firm Mobile Devices and distributed by a San Francisco insurance startup called Metromile. Researchers have informed the startup of the vulnerability in its devices and they have since been patched. Metromile partnered with Uber to offer the dongles to its contract drivers as part of a discount insurance program. A spokesperson for the ride-hailing company said in an email: “No drivers reported any problems related to this issue prior to the fix, and we are not aware of any remaining exposure.”

There has been a spate of security vulnerabilities in cars exposed recently; last month, a pair of hackers demonstrated a zero-day exploit involving the infotainment system of a Jeep Cherokee, and an Australian researcher showed how to remotely unlock a car in minutes at the recent Black Hat conference. The same Las Vegas event also saw cybersecurity researchers show how a design flaw could enable them to take control of a self-aiming sniper rifle.


 
That's what the damn OBD2 port is for!!!!!

It's not a vulnerability, it's a feature for diagnostics etc. And they had to physically access the interior of the vehicle and plug the damn thing in. Why not just slice the brake hoses if you already are tampering with the vehicle, that's way more effective.

This is plain stupid.
 
I think you misread this. People are already putting the devices in their car. For example, Progressive Snapshot https://www.progressive.com/auto/snapshot/

There are others but that is the first one that comes to mind.

I also saw at a Verizon Wireless store a device that plugs into the OBD2 and makes your car a hotspot or something. As cool as it would be to see my car's status and stuff, I did not like the idea of making it wirelessly accessible.
 
I carry an OBD2 dongle in my glove box for my Mustang. I don't run it all the time, just when I check it a few times a year to make sure everything is working properly. It would be hard to keep it on anyway, because it sticks out enough that it would get struck by your left leg when you push in the clutch.
 