General Motors gets to join Fiat Chrysler and Tesla in an unenviable lineup this week: Using cheap gadgets and text messages, researchers have proven they can hack that most traditional of cars, the Chevy Corvette. And worse still is that this line of attack will work on basically any car with a computer in it, which is to say… all of them.
As Wired explains, the flaw that would allow anyone to zap your car over a local wifi network first requires a physical component: you, or someone else, has to put a cheap, widely available gadget in the vehicle. That’s the good news. Here’s the bad: plenty of drivers are already signing up to put those gadgets in their vehicles. And the worse: the attack could also work on “practically any other modern vehicle.”
The gadget is a 2-inch-square dongle that insurance companies and trucking fleets plug into vehicles to monitor their location, speed, and efficiency. The particular vulnerable device is made by a French company and distributed worldwide. In the U.S., it’s used by corporations like Metromile, an insurance start-up that uses the trackers to charge customers rates on a miles-driven basis. (The company has a partnership with Uber, to offer discount insurance to those drivers.)
The security researchers demonstrated that those dongles can be vulnerable to a “carefully-crafted SMS message.” Those messages can be used to transmit commands to the car’s internal network, the CAN bus that controls major vehicle functions.
In their demonstration, the researchers turned the windshield wipers on and off and also, more worryingly, both activated and cut the brakes. They added that the brake tricks only work at low speeds due to safety features built into the car’s computer, but that they could also hijack critical features like locks, steering, and transmission.
As with other demonstrated security flaws, the problem is far larger than just one device. This particular dongle is already being patched, but there are others out there — and where vulnerabilities exist, someone will find and exploit them.
Insurance company Progressive offers similar optional tracking to its customers. Commercial fleets regularly use some kind of tracker. And federal fleets of 20 vehicles or more are now also required to use metric and tracking systems to improve efficiencies when possible.
In other words, unsafe, exploitable devices are already out there, and will be everywhere soon. It’s just one more avenue where every consumer needs to be aware of the risk, and where every company needs to do everything it can to make sure its bases are covered.