Four University of California researchers have popped aftermarket vehicle tracking devices used by insurance companies to hijack the brakes, steering, and locks of a Corvette with little more than a text message.
The hack targets Mobile Device telematic control units (TCUs) used by Uber and US insurer Metromile which, when targeted with a crafted text message, give attackers access to a vehicle's controller area network (CAN) bus and the various systems it commands.
Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage describe the work in the paper Fast and Vulnerable: A Story of Telematic Failures [PDF].
"We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle," the team says.
"This problem is particularly challenging because, since this is aftermarket equipment, it cannot be well addressed by automobile manufacturers themselves.
"We have experimentally validated that these vulnerabilities can be exploited; in particular, demonstrating a complete remote compromise via SMS."
Affected Mobile Device customers Metromile and Uber have pushed fixes. Mobile Device says the impact is limited on some devices, but the researchers found some disconnect with customers who are exposed.
The research presented at the USENIX security conference in Washington this week shows how brakes, steering, and acceleration can be remotely manipulated at low speed by targeting TCUs.
Their hack grants "complete access" at any distance to the Corvette's CAN bus allowing the injection of payloads to the car's electronic control units.
It works in part through an SMS administration interface enabled on all tested devices which can be used to trigger a remote update and obtain a remote shell for arbitrary access.
This process contained "unfortunate design choices" including a lack of cryptographically signed updates, a "somewhat useless" authentication process that checks the clone devices but not the update server, and the ability for those servers to be assigned by an attacker.
The group found some 1500 various TCU devices through the SHODAN search engine, a feat that is dependent on a telco's use of NAT.
Searching by phone number is more challenging but possible because the digits are assigned sequentially under the US 556 area code.
"If the phone number of one of these devices can be determined, the nearby numbers have a high potential to also be TCUs," they say.
"Moreover, simply sending a SMS administration command, such as 'status', would confirm a TCU’s identity, and makes implementing a 'war dialer' for enumerating such devices relatively straightforward."
While the team tested only the Mobile Device unit, it is plausible that others are similarly affected. The researchers note that TCUs are sold by the likes of Delphi to monitor where teenagers drive, Carlock which focuses on theft, and Zubie, Fuse, Caroyant, and Kiwi which provide diagnostics.
Some units also have external network connectivity placing "tremendous weight" on its information security controls.
The team recommended better update and SMS authentication, key and password management, and update server maintenance. ®