By on August 11, 2015

OBD II

Hackers say they may be able to control any vehicle with a telematics-enabled sensor — including a popular sensor that insurance companies use for consumers — plugged into the car’s diagnostic port, according to a Wired report (via The Verge).

In recent weeks, several hacks have surfaced — Chrysler, General Motors and Tesla — related to specific automakers. According to the report, the On-Board Diagnostic system hack could apply to any make or model fitted with an insurance or tracking dongle. The University of California San Diego researchers say they’ll present their findings at the Usenix conference Tuesday.

And, um, there’s no easy way to put this, but … it doesn’t appear that it would be all that hard to find cars with the dongles at the moment.

The story focused on a dongle provided by a Bay Area insurance provider, MetroMile, which uses the dongle to charge customers by the mile. Hackers remotely shut down a Corvette using the device by sending the dongle an SMS message that confused the device into controlling the car’s vital functions. The hackers say they could control steering, throttle and brakes using the hacks. Although the target was a Corvette, the researchers said they could apply the hack to many more cars.

From the story:

“It’s not just this car that’s vulnerable,” says UCSD researcher Karl Koscher. He points to the work of researchers Charlie Miller and Chris Valasek, who revealed and published the code for a wide array of attacks on a Toyota Prius and Ford Escape in 2013 that required only access to a vehicle’s OBD2 port. “If you put this into a Prius, there are libraries of attacks ready to use online.”

MetroMile says it wirelessly updated its devices when it became aware of the hack weeks ago.

Hackers say that the hack may apply to Progressive Casualty Insurance Company’s Snapshot device, which also uses telematics to transmit information; however, hackers didn’t provide a proof of concept for the device’s vulnerabilities earlier this year.

The Wired story offered a tidbit of terrifying information: UCSD hackers scanned the web using Shodan and found “thousands” of hackable devices — mostly in Spain. It was unclear in earlier hacking reports how vulnerable cars could be targeted without first having direct contact with the car or physical access. Now, apparently, there’s a web search for that.

In addition to insurance dongles, the hackers say similar hacks could be used for dongles placed in fleet vehicles used for tracking.

34 Comments on “Apparently All Cars Can Be Hacked Now: Insurance Dongle Edition...”


  • sportyaccordy

    *scouring Craigslist for OBD1 cars*
    *reads up on diagnostic Morse code CEL signals*

    • Advance_92

      I can’t imagine it’s part of the OBD2 standard and would have to be configured for each model, brand, or component supplier’s computer.

    • agent534

      I’m just searching for cars that aren’t drive by wire, steer by wire, throttle by wire (disable the cruise control), manual transmission, ABS not connected to the car’s LAN … does that cut it? Am I safe now?

      • Advance_92

        I bet you could still hit the ECU and stop the motor, but that’s about it.
        2005 WRXs were the last cable-throttled Subarus. Not too sure about the ABS but you can always remove the fuse. A car old enough not to have built-in wireless anything should be safe enough unless you’re forced to use a dongle.

    • brn

      I’m not planning to let strangers plug devices into my OBD2 port, so I’m not overly concerned.

      • Greg Locock

        “I’m not planning to let strangers plug devices into my OBD2 port, so I’m not overly concerned.”

        Spoilsport. Of course the best hack if you’ve got physical access to a car is 1 kg of Semtex, but then it isn’t a sexy computer haxor related story.

  • Pig_Iron

    I wonder if this was a failure mode in the DFMEA?

    • cwallace

      It was a failure mode in the “hey, let’s plug an antenna into the computer” process.

    • cdotson

      I can guarantee no automaker turned this up in an OBDII-related DFMEA. The automakers produced a system to an industry-wide standard intended for use by controllable professionals (dealer techs) using a mix of published standard protocols and trade secret protocols. The addition of third-party hardware is decidedly outside of the scope. It is the dongle that was hacked; the ability of the dongle to control any given vehicle is also dependent on knowledge of the trade secret protocols that have also been hacked.

  • Hummer

    Title seems a bit much.

    I’d be very impressed if anyone could “hack” any systems on my Scout.

    Edit: Let me also add how terrible of an idea an electric parking brake is.

    • CoreyDL

      Truth and accuracy matter not in Aaron Cole titles.

    • matador

      Agreed. Looking at my 1986 Dodge for reference, I see many hackable things:

      *Manual Door Locks?
      *Manual Transmission Computer?
      *Steering via a shaft?
      *Carburetor???

      Of course, you and I may be outside of the norm. Now, can you tell me how to hack a sandwich? That could be fun!

  • 28-Cars-Later

    Everything can be hacked which is why the excessive computerization is dangerous. Duhhhhh.

  • schmitt trigger

    George Orwell didn’t see this one coming.

  • JMII

    Let’s cover the steps necessary for such a “hack” to occur:
    1) Plug some company’s dongle into your OBDII port.
    2) Have a vehicle which features computer control systems that share data with the port, aka drive by wire, adaptive cruise control, auto braking, automatic parking, lane keeping, etc.
    3) Some hacker with the correct wireless radio type and frequency must be nearby. Bluetooth has a pretty small range, WiFi a bit more but cellular (OnStar, etc) is obviously huge.
    4) Said hacker has already reverse engineered all the codes/programming necessary for the particular dongle you have as well as a full database for all the commands possible for your vehicle ready to go.

    While such systems are clearly unsecured, the idea that your car is going to be “hacked” via this method is a bit overdramatic. Also to what end? Why do this? To force you to crash then steal your wallet or sunglasses? If I’m going to hack something I’d be working on getting into an ATM or bank and leaving cars alone.

    • Sky_Render

      Re-read the article. The “hack” utilizes SMS (text messages), because the OBD dongle is a cellular device capable of receiving SMS messages.

      • JMII

        But something tells me you don’t text the car “wipers on” to make it do things. They are injecting code via SMS. That code is most likely pretty complex, requiring lots of trial and error along with some serious reverse engineering. Trust me, your kid isn’t going to be able to pull this off using his Minecraft skills and an iPhone.

        • MBella

          Exactly. This kind of stuff gets so overhyped. The amount of things a hacker would have to do to make it work wouldn’t be advantageous of their time. People watch too many movies.

          •

            The problem arises because only one hacker has to have the desire to hack into something and decides to share his work.

          • Power6

            The problem here is not overblown. It starts with a proof of concept, but it won’t be long, if not already possible, where someone can smash a window and get the car started and drive away. You think only a “hacker” can do that, but look to computers for how this plays out. Where there is economic incentive there is a market. Any novice can buy a PC trojan dev kit and make your own virus, set up a botnet without knowing a thing about programming…

          • MBella

            The insurance company’s OBD2 dongle uses the generic OBD2 system that is required for emissions compliance. That is a very simple and very limited part of the system. You’re not going to be able to change much of anything. It’s the pins for the manufacturer specific systems that allow for changes. Also, for a control unit to do something other than what it’s programmed for, requires re-flashing it or tricking its inputs. A running car won’t just start allowing its engine controller to be updated, and it would take the hacker way too much time. If you’re worried about somebody breaking into your car and stealing it that way with the dongle, at that point he can install his own hardware. Something to alter the ignition switch signal is usually the choice of smart car thieves.

        • heavy handle

          All the manufacturer-specific OBD2 commands have already been “hacked” (more factually “read”). You can buy a variety of OBD2 readers that offer the same functionality as dealership readers.

          What’s new here is that some cars are continuously connected to the internet or to phone networks.
          OBD2 requests aren’t authenticated, so any device that connects to your car’s OBD2 network can send your car valid OBD2 commands, or flood it with invalid commands.

          It’s a typical security failure. Same thing happened to Windows XP 15 years ago: a system that’s too trusting is let out in the wild where everybody can have a go at it.

          My question is: who’s “at fault” if your car has a big-brother dongle and gets stolen? Can you be sure that the thieves didn’t tell your insurance company’s device to unlock the doors, disable the alarm and start the engine?

          • heavy handle

            Just to be clear, the problem isn’t OBD2. The problem is insecure devices that connect to OBD2 and to the outside world. That’s just like leaving your doors unlocked and the key in the ignition and thinking “what are the odds that anybody will figure it out?”

  • APaGttH

    I’ve been using the USAA program for close to two years now (I’m sure they enjoyed that “hard acceleration event” followed by a “hard braking event” and the “excessive speed event” between this AM).

    Despite my occasional tendency to get assertive behind the wheel, I’m rated as a very safe driver from the overlord sending back reports.

    Learning this, I’m thinking this is the end of this experiment. I believe I’m getting a 5% “just because” discount.

    • ClutchCarGo

      Prior to the publication of this exploit, I had been expecting insurance companies to gradually force the adoption of these monitors by simultaneously raising rates and the attendant discount for accepting a monitor. While you wouldn’t have to accept a monitor, it would eventually become cost-prohibitive not to have one. Hopefully the likely media hysteria over car-hacking will throw a wrench into those plans.

  • OneAlpha

    Dongle. What an awful word.

    Another linguistic indignity inflicted upon us by the Information Technology industry.

  • carguy

    I know page views matter but the alarmist tone of this article is a little excessive.

    Breaking into your car and gaining access to your OBD port is not exactly stealth hacking.

    Some of the insurance devices do use clear text authentication and FTP to transfer the data back to HQ but I doubt very much they have the electronics to manipulate your car in any meaningful way.

    • brn

      Agree with your first point.

      The issue with your second point is that it’s a two-stage hack. Stage 1 is to hack the insurance device and reprogram it to suit your needs. Once that hack is complete, Stage 2 is to hack the vehicle.

  • Steve Biro

    I don’t want to be insensitive and say anyone who allows the insurance company to monitor their activity in such a manner deserves what they get… but I think it’s pretty clear: Don’t participate in any such program that requires the aforementioned dongle and you’re pretty much cool.

    I have a brand-new 2016 Subaru Forester. The head unit features all kinds of compatibility with cell phone apps including Subaru’s own StarLink services, Aha, Pandora and iHeart. But you have to download the apps on your cellphone first and then link to the entertainment system via USB port or Bluetooth. Needless to say, I have no plans to do that.

    • stuki

      An increasing number of the “less equals”, will be prevented from registering their cars, unless they allow someone with better connections to the “more equals” to monitor what they are doing. Combine that with one of the most successful indoctrination efforts of the drones by the more equals being the “driving is not a right, but a privilege” idiocy, and an increasing number of people will have little say on the matter.

  • Signal11

    This is a much more legit hack than the earlier one reported by Aaron.

    This attacks through a device that you, your insurance company or your rental car company installed, not one the attackers had to place themselves. A modem attached to the CAN bus network exposes the entire network, which is what happened here and with the Chrysler hack.

    As for those who are knee-jerk poopooing this story, this is the problem of shoddy journalism. The last article was crying wolf. This attack, OTOH, is a legit threat if you’ve got a telemetry reporting device for whatever reason because you are now driving around with a known, exposed attack vector.

    Among the things that are pretty much possible on all post mid 90s cars via CAN bus commands – deploying/deactivating air bags.

  • thegamper

    I’ll gladly pay extra in insurance costs to avoid the use of a “safe driving” telemetry device. I have a feeling, in my case, the associated cost in declining to have my vehicle fitted with one would be far less than the cost after the insurance company reads the telemetry data and/or dropped me from insurance.
