Fast and Vulnerable? Hackers Raise The Risk After Cutting Off Brakes To 2013 Corvette

Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.

At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes
 

TheSteve - 8/12/2015 5:07:08 PM

+1 Boost

For non-computer-savvy people, the perpetrator must:
(1) Gain access to the vehicle's interior
(2) Plug a device into the vehicle's data bus (similar to plugging a USB stick into a USB port
(3) Leave the device plugged in the car (who knows if it's visible or not while it's plugged in)
Now some of the vehicle's functions can be controlled remotely.

To put this into perspective, it's easier to enter your vehicle and plant a bomb somewhere in side, and easier still NOT to enter your vehicle and plant a bomb somewhere from the outside. With this added perspective, if you're not worried about someone planting a bomb in your car without even needing entry into your vehicle (the cheap and low-tech approach to malice), why are you worried about a more expensive, more complex, lower risk vulnerability? It's like worrying that someone might steal your credit card info by scanning your card with a hidden RFID reader, and using an infrared sensor to detect your PIN, while ignoring the much easier way of stealing your card info, and that's by overhearing you making a phone purchase using your card and simply copying down that info.

Lots of us live in fear because we're voracious media consumers, and fear sells media while boring facts don't.

atc98092 - 8/13/2015 8:10:45 AM

+1 Boost

While I agree with you, it does point out that there are already cars out there with this device already installed, so gaining access to the interior isn't necessary.

A number of people use this "dongle" to connect their smart phone to the car to view things like engine parameters. I didn't realize the device was two-way, as I thought it was a read-only function. Reading the article, there's obviously quite a number of these in use all over the world.

TheSteve - 8/13/2015 1:44:10 PM

+1 Boost

atc98092: Keep in mind that he HAVEN'T proven that *my* remote-control dongle in *my* car is vulnerable to *your* smartphone being able to access it. Personally, if I had such a device, I'd feel like an idiot leaving it connected to the car when I wasn't using it, but that's just me. I'm one of those anal-retentive guy who locks down his home WiFi as tight as possible to keep bad guys out.