At the Usenix security conference yesterday, a group of researchers from the University of California at San Diego demonstrated a technique to wirelessly hack into vehicles equipped with a tiny, internet-connected and commercially available device called an OBD2 dongle. The researchers demonstrated their hack on a sixth-generation Chevy Corvette and were able to control some of its features.
The hacked device in question is a 2-inch square gadget built by France-based Mobile Devices. It was designed to plug into a vehicle’s OBD2 port. Today, OBD dongles are primarily used by insurance companies and fleet management firms to monitor the location, speed, and efficiency of vehicles as well as other driving habits and characteristics. Usually located somewhere in the driver’s-side footwell, the universal OBD2 port provides access to the vehicle’s CAN bus. A CAN bus is a vehicle’s internal network, analogous to its central nervous system, and it grants access to various vehicle components. Note that vehicles are not equipped with the OBD dongles in question at the factory; instead, the driver must install one manually.
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles “provide multiple ways to remotely…control just about anything on the vehicle they were connected to.”
Sending specially formatted SMS messages to one of the cheap OBD2 dongles connected to the 2013 Corvette C6 allowed the researchers to transmit commands to the car’s CAN bus; the researchers were able to turn on the Corvette’s windshield wipers and disable its brakes. Though the hackers used an OBD2 dongle from Mobile Devices, they said that they could also have modified their hack to be used across a wide variety of other OBD2 devices.
In the video below, researchers demonstrate their proof-of-concept attacks on the Corvette. We should note that the researchers could only control the Corvette’s brakes at low speeds due to limitations of the car’s automated system functions. However, they did say that the hack could easily have been adapted for practically any modern vehicle and that they could also have controlled other critical vehicle components like locks, steering or transmission.
And therein lies the crux of the matter: hackers didn’t hack a Corvette. Instead, they hacked a third-party, internet-enabled OBD2 dongle that, as we have already mentioned, drivers must plug into the OBD2 port of their vehicle.