How texting a Corvette could stop it in its tracks


As if recent research on car hacking wasn’t frightening enough, a new study shows yet another danger to increasingly networked vehicles.

This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car’s dashboard, known as telematic control units (TCUs).

Insurance companies issue the devices to monitor driving metrics in order to meter polices. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.

In order to collect vehicle data, TCUs have access to the electronic brain of an automobile, the CAN (Controller Area Network) bus, which transmits and receives messages from many vehicle systems. The TCUs also have SIM cards, which give them cellular network connectivity in order to send information.

The researchers found a variety of security vulnerabilities which allowed them in a real-world demonstration to cause a Corvette to suddenly brake by sending a text message to the TCU, which then accessed the CAN bus, according to a study made public Tuesday.

“We show that these devices can be discovered, targeted and compromised by a remote attack, and we demonstrate that such a compromise allows arbitrary remote control of a vehicle,” according to their research paper.

It’s yet another example of the challenges facing the automotive industry, which security experts have contended lags far behind other industries in writing secure code.

Last month, Chrysler recalled 1.4 million recent model cars after researchers Charlie Miller and Chris Valasek showed they could remotely access a Jeep while it was being driven.

In this study, researchers looked at a variety of third-party TCUs, but focused on one in particular, the C4E family made by Mobile Devices Ingenierie. It’s used by the pay-per-mile insurance company Metromile, which also sells policies for some Uber drivers, according to the paper.

They developed a two-stage attack which updated the device’s software and then allowed them access to funnel commands to the CAN bus. In their demonstration video using a cherry-red Corvette, the vehicle’s windshield wipers were started remotely. In another demo, the car’s brakes were applied while it was moving at a low speed.

The TCU’s problems were many: its internal Web server can be found over the Internet if the cellular provider is not using network address translation (NAT). A search using the Shodan search engine turned up 3,000 devices, mostly in Spain, that are likely the same type of TCU, the result of a wireless provider in the country that doesn’t use NAT, they wrote.

Like the researchers showed with the Corvette, the TCU is also reachable over mobile networks if an attacker knows its phone number. Figuring out a phone number wasn’t as hard as it seems: many times, the phone numbers were simply sequentially assigned ones started with the 566 area code, according to the paper.

Software updates sent to the TCU are not cryptographically signed, meaning the TCU has no idea if the update it’s getting isn’t malicious. It also does not verify the legitimacy of the server that’s sending an update.

When the researchers reverse engineered the TCU’s NAND flash unit, they found the same SSH (secure shell) key was shared by several models from the same manufacturer. That means if the IP address of the TCU is known, an attacker could simply login using that same SSH key.

The findings were shared with Mobile Devices Ingenierie and its customer Metromile and even Uber. They wrote that Mobile Devices said many of the issues have since been fixed in subsequent versions of its software. Metromile said it was disabling the SMS access on its branded vehicles.

Still, many vulnerable devices appear to be actively used, and questions remain over how in the future security updates will be distributed.

“Even if we take these statements at face value, they suggest a disconnect in the interface with customers since we identified these problems in a number of production devices directly (to say nothing of the several thousand we identified online),” they wrote.

The research was presented at the 24th USENIX Security Symposium in Washington, D.C. It was written by Ian Foster, Andrew Prudhomme, Karl Koscher and Stefan Savage of the university’s Department of Computer Science and Engineering in San Diego.