Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

TXT message leaves Corvette wrecked

Researchers pop telematic controls to drive gas, brakes and locks from afar

Four University of California researchers have popped aftermarket vehicle tracking devices used by insurance companies to hijack the brakes, steering, and locks of a Corvette with little more than a text message.

The hack targets Mobile Device telematic control units (TCUs) used by Uber and US insurer Metromile which, when targeted with a crafted text message, give attackers access to a vehicle's controller area network (CAN) bus and the various systems it commands.

Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage describe the work in the paper Fast and Vulnerable: A Story of Telematic Failures [PDF].

"We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle," the team says.

"This problem is particularly challenging because, since this is aftermarket equipment, it cannot be well addressed by automobile manufacturers themselves.

"We have experimentally validated that these vulnerabilities can be exploited; in particular, demonstrating a complete remote compromise via SMS."

Affected Mobile Device customers Metromile and Uber have pushed fixes. Mobile Device says the impact is limited on some devices, but the researchers found some disconnect with customers who are exposed.

The research presented at the USENIX security conference in Washington this week shows how brakes, steering, and acceleration can be remotely manipulated at low speed by targeting TCUs.

Their hack grants "complete access" at any distance to the Corvette's CAN bus allowing the injection of payloads to the car's electronic control units.

It works in part through an SMS administration interface enabled on all tested devices which can be used to trigger a remote update and obtain a remote shell for arbitrary access.

This process contained "unfortunate design choices" including a lack of cryptographically signed updates, a "somewhat useless" authentication process that checks the clone devices but not the update server, and the ability for those servers to be assigned by an attacker.

The group found some 1500 various TCU devices through the SHODAN search engine, a feat that is dependent on a telco's use of NAT.

Searching by phone number is more challenging but possible because the digits are assigned sequentially under the US 556 area code.

"If the phone number of one of these devices can be determined, the nearby numbers have a high potential to also be TCUs," they say.

"Moreover, simply sending a SMS administration command, such as 'status', would confirm a TCU’s identity, and makes implementing a 'war dialer' for enumerating such devices relatively straightforward."

While the team tested only the Mobile Device unit, it is plausible that others are similarly affected. The researchers note that TCUs are sold by the likes of Delphi to monitor where teenagers drive, Carlock which focuses on theft, and Zubie, Fuse, Caroyant, and Kiwi which provide diagnostics.

Some units also have external network connectivity placing "tremendous weight" on its information security controls.

The team recommended better update and SMS authentication, key and password management, and update server maintenance. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like