For car thieves, the tools of the trade have long been slim jims, tire irons, and maybe a screwdriver or wire cutter. In 2015, we can add smartphones and diagnostic tools to the list, as yet another instance of automotive hacking has risen to the surface.
Wired reports that researchers at the University of California San Diego (UCSD) were recently able to access vital systems on a 2013 Chevrolet Corvette wirelessly, and they did so via a diagnostic port that’s in every new car on the road. Once they gained access, they were able to activate and cut the brakes via text message at low speeds.
Just how was this feat accomplished? Every car sold in the U.S. after 1996 (and in Europe after 2001) employs something called an On Board Diagnostics Generation II (OBDII) port, which is generally located under the dashboard near the driver’s side door. That port is a gateway to the vehicle’s array of sensors, whether they’re assigned to the engine, transmission, brakes, or suspension. If you’ve ever had a check engine light come on and brought your car to a shop, the first thing a technician usually does is plug a scanning device into the OBDII port to diagnose the problem.
Wireless versions of those scanning tools — called OBDII dongles— are widely available, and they often use Bluetooth connections to transmit vehicle data to smartphones. This doorway to the vehicle’s nervous system was the exact weakness the UCSD researchers needed to hack the ‘Vette’s computer, because after they tinkered with a dongle manufactured by French firm Mobile Devices, they discovered several security weaknesses.
“We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies,” said Stefan Savage, UCSD professor and leader of the Corvette experiment. He explained that these products “provide multiple ways to remotely control just about anything on the vehicle they were connected to.” Worse yet, the researchers said they could have commandeered the systems of nearly any OBDII car with the Mobile Devices dongle plugged in, and the apparent vulnerabilities are likely found in products all over the globe.
There is good news though. The Mobile Devices product has been reportedly updated with a wireless security patch, and thankfully this incident was yet again a part of a controlled experiment by security researchers. But as has happened before, another major security flaw has been exposed in the modern car world, and it likely won’t be the last.