A small third-party device plugged into a Corvette could lead to an attacker to send a text to suddenly slam on the brakes.
Researchers at the University of California analyzed small, third-party devices that sometimes plug into a car’s dashboard. These devices are telematic control units (TCUs). Insurance companies issue the devices to monitor driving metrics in order to meter polices. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.
In order to collect vehicle data, TCUs have access to the electronic brain of an automobile, the CAN (Controller Area Network) bus, which transmits and receives messages from many vehicle systems. The TCUs also have SIM cards, which give them cellular network connectivity in order to send information.
The researchers found a variety of security vulnerabilities which allowed them in a real-world demonstration to cause a Corvette to suddenly brake by sending a text message to the TCU, which then accessed the CAN bus, according to a study.
“We show that these devices can be discovered, targeted and compromised by a remote attack, and we demonstrate that such a compromise allows arbitrary remote control of a vehicle,” according to their research paper.
This attack is another example of the challenges facing the automotive industry, which security experts have contended lags far behind other industries in writing secure code.
Last month, Chrysler recalled 1.4 million recent model cars after researchers Charlie Miller and Chris Valasek showed they could remotely access a Jeep while it a driver was driving it.
In this study, researchers looked at a variety of third-party TCUs, but focused on one in particular, the C4E family made by Mobile Devices Ingenierie. The device ends up used by the pay-per-mile insurance company Metromile, which also sells policies for some Uber drivers, the paper said.
They developed a two-stage attack which updated the device’s software and then allowed them access to funnel commands to the CAN bus. In a demonstration they used a cherry-red Corvette, the vehicle’s windshield wipers started remotely. In another demo, they hit the car’s brakes while it was moving at a low speed.
The TCU has multiple problems. Its internal Web server can end up found over the Internet if the cellular provider is not using network address translation (NAT). A search using the Shodan search engine turned up 3,000 devices, mostly in Spain, that are likely the same type of TCU, the result of a wireless provider in the country that doesn’t use NAT, they said.
Like the researchers showed with the Corvette, the TCU is also reachable over mobile networks if an attacker knows its phone number. Figuring out a phone number wasn’t as hard as it seems: Many times, the phone numbers ended up sequentially assigned ones started with the 566 area code, according to the paper.
Software updates sent to the TCU do not have a cryptographic signature, meaning the TCU has no idea if the update it’s getting isn’t malicious. It also does not verify the legitimacy of the server sending an update.
When the researchers reverse-engineered the TCU’s NAND flash unit, they found the same SSH (secure shell) key was shared by several models from the same manufacturer. That means if they know the IP address of the TCU, an attacker could simply login using that same SSH key.
The researchers shared the findings with Mobile Devices Ingenierie and its customer Metromile and even Uber. They wrote Mobile Devices said they fixed issues in subsequent versions of its software. Metromile said it was disabling the SMS access on its branded vehicles.