How texting a Corvette could stop it in its tracks

Third-party devices with cellular connectivity -- and security problems -- can tap into the heart of a vehicle's brain

Academics showed how a Corvette could be stopped in its tracks by remotely accessing a small device often used by insurance companies to track drivers.

As if recent research on car hacking wasn't frightening enough, a new study shows yet another danger to increasingly networked vehicles.

This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car's dashboard, known as telematic control units (TCUs).

Insurance companies issue the devices to monitor driving metrics in order to meter policies. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.

In order to collect vehicle data, TCUs have access to the electronic brain of an automobile, the CAN (Controller Area Network) bus, which transmits and receives messages from many vehicle systems. The TCUs also have SIM cards, which give them cellular network connectivity in order to send information.

The researchers found a variety of security vulnerabilities which allowed them in a real-world demonstration to cause a Corvette to suddenly brake by sending a text message to the TCU, which then accessed the CAN bus, according to a study made public Tuesday.

"We show that these devices can be discovered, targeted and compromised by a remote attack, and we demonstrate that such a compromise allows arbitrary remote control of a vehicle," according to their research paper.

It's yet another example of the challenges facing the automotive industry, which security experts have contended lags far behind other industries in writing secure code.

Last month, Chrysler recalled 1.4 million recent model cars after researchers Charlie Miller and Chris Valasek showed they could remotely access a Jeep while it was being driven.

In this study, researchers looked at a variety of third-party TCUs, but focused on one in particular, the C4E family made by Mobile Devices Ingenierie. It's used by the pay-per-mile insurance company Metromile, which also sells policies for some Uber drivers, according to the paper.

They developed a two-stage attack which updated the device's software and then allowed them access to funnel commands to the CAN bus. In their demonstration video using a cherry-red Corvette, the vehicle's windshield wipers were started remotely. In another demo, the car's brakes were applied while it was moving at a low speed.

The TCU's problems were many: its internal Web server can be found over the Internet if the cellular provider is not using network address translation (NAT). A search using the Shodan search engine turned up 3,000 devices, mostly in Spain, that are likely the same type of TCU, the result of a wireless provider in the country that doesn't use NAT, they wrote.

As the researchers showed with the Corvette, the TCU is also reachable over mobile networks if an attacker knows its phone number. Figuring out a phone number wasn't as hard as it seems: many times, the phone numbers were simply assigned sequentially, starting with the 566 area code, according to the paper.

Software updates sent to the TCU are not cryptographically signed, meaning the TCU has no way to tell whether an update it receives is malicious. It also does not verify the legitimacy of the server that's sending an update.

When the researchers reverse engineered the TCU's NAND flash unit, they found the same SSH (secure shell) key was shared by several models from the same manufacturer. That means if the IP address of the TCU is known, an attacker could simply log in using that same SSH key.
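A fleet-side check for the shared-key problem described above, as an added example (not code from the researchers or the vendor): it fingerprints SSH public keys gathered from devices the way OpenSSH does and reports any key present on more than one unit. The device IDs and key material are constructed placeholders, and `_make_blob` exists only to build that sample input.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _make_blob(key_type: str, material: bytes) -> str:
    """Build a syntactically valid, synthetic SSH key blob for the sample data."""
    t = key_type.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return base64.b64encode(raw).decode()


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of '<type> <blob> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed type string; it must match field 0.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> sorted device ids for every key seen on 2+ devices."""
    groups = defaultdict(list)
    for device, line in inventory.items():
        groups[fingerprint(line)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


# Constructed inventory: three units carry one factory key, one has its own.
FACTORY = "ssh-ed25519 " + _make_blob("ssh-ed25519", b"\x01" * 32)
UNIQUE = "ssh-ed25519 " + _make_blob("ssh-ed25519", b"\x02" * 32)
INVENTORY = {
    "tcu-0001": FACTORY + " root@factory",
    "tcu-0002": FACTORY + " root@factory",
    "tcu-0003": UNIQUE + " root@tcu-0003",
    "tcu-0004": FACTORY,  # comment field differs; fingerprint does not
}

if __name__ == "__main__":
    for fp, devices in shared_keys(INVENTORY).items():
        print(f"{fp} shared by {len(devices)} devices: {', '.join(devices)}")
```

Any fingerprint this reports marks a key that should be replaced with a per-device key generated at provisioning, since extracting it from one unit exposes every unit that carries it.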

The findings were shared with Mobile Devices Ingenierie and its customer Metromile and even Uber. They wrote that Mobile Devices said many of the issues have since been fixed in subsequent versions of its software. Metromile said it was disabling the SMS access on its branded vehicles.

Still, many vulnerable devices appear to be actively used, and questions remain over how security updates will be distributed in the future.

"Even if we take these statements at face value, they suggest a disconnect in the interface with customers since we identified these problems in a number of production devices directly (to say nothing of the several thousand we identified online)," they wrote.

The research was presented at the 24th USENIX Security Symposium in Washington, D.C. It was written by Ian Foster, Andrew Prudhomme, Karl Koscher and Stefan Savage of the university's Department of Computer Science and Engineering in San Diego.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
