TXT message leaves Corvette wrecked

Researchers pop telematic controls to drive gas, brakes and locks from afar

Four University of California researchers have popped aftermarket vehicle tracking devices used by insurance companies to hijack the brakes, steering, and locks of a Corvette with little more than a text message.

The hack targets Mobile Device telematic control units (TCUs) used by Uber and US insurer Metromile which, when targeted with a crafted text message, give attackers access to a vehicle's controller area network (CAN) bus and the various systems it commands.

Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage describe the work in the paper Fast and Vulnerable: A Story of Telematic Failures [PDF].

"We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle," the team says.

"This problem is particularly challenging because, since this is aftermarket equipment, it cannot be well addressed by automobile manufacturers themselves.

"We have experimentally validated that these vulnerabilities can be exploited; in particular, demonstrating a complete remote compromise via SMS."

Affected Mobile Device customers Metromile and Uber have pushed fixes. Mobile Device says the impact is limited on some devices, but the researchers found some disconnect with customers who are exposed.

The research presented at the USENIX security conference in Washington this week shows how brakes, steering, and acceleration can be remotely manipulated at low speed by targeting TCUs.

Their hack grants "complete access" at any distance to the Corvette's CAN bus allowing the injection of payloads to the car's electronic control units.

It works in part through an SMS administration interface enabled on all tested devices which can be used to trigger a remote update and obtain a remote shell for arbitrary access.

This process contained "unfortunate design choices" including a lack of cryptographically signed updates, a "somewhat useless" authentication process that checks the clone devices but not the update server, and the ability for those servers to be assigned by an attacker.

The group found some 1500 various TCU devices through the SHODAN search engine, a feat that is dependent on a telco's use of NAT.

Searching by phone number is more challenging but possible because the digits are assigned sequentially under the US 556 area code.

"If the phone number of one of these devices can be determined, the nearby numbers have a high potential to also be TCUs," they say.

"Moreover, simply sending a SMS administration command, such as 'status', would confirm a TCU’s identity, and makes implementing a 'war dialer' for enumerating such devices relatively straightforward."

While the team tested only the Mobile Device unit, it is plausible that others are similarly affected. The researchers note that TCUs are sold by the likes of Delphi to monitor where teenagers drive, Carlock which focuses on theft, and Zubie, Fuse, Caroyant, and Kiwi which provide diagnostics.

Some units also have external network connectivity placing "tremendous weight" on its information security controls.

The team recommended better update and SMS authentication, key and password management, and update server maintenance. ®

Similar topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022