Once they exploited the vulnerability in the device, called a Zubie, they controlled vehicle functions, like unlocking doors and manipulating instrument-cluster readings. The researchers, now founders of Argus Cyber Security, say they could have also controlled the vehicle's engine, brakes and steering components.
The remote breakthrough is a big one in an auto industry that has only recently started to take the threat of cyber attacks more seriously.
Industry officials have downplayed the possibility of someone with nefarious intent launching a remote attack. Previously, cyber-security researchers have hacked cars and controlled essential functions either via a physical connection to the vehicle or remotely from a short distance. In this case, the Argus team says the security flaw would have allowed them to remotely commandeer the car from "anywhere in the world."
The flaw existed, ironically, in the Zubie, an aftermarket device that intends to make cars safer.
Drivers can plug a Zubie into the OBD-II port beneath their steering wheels on vehicles that date back as far as 1996 and receive data on their driving habits, car performance and trip information. Devices like the Zubie are gaining popularity with drivers and car insurance companies, because they offer information on driving habits and promote good behavior behind the wheel. Some insurers offer motorists discounts for good driving based on this data.
The device transmits the information via a Cloud-based connection that in this case, it turns out, was not secured.
Argus researchers, who previously belonged to Israel's Intelligence Unit 8200, say they accessed the Zubie's code via a laptop and then learned communications between the device and its Cloud-based server took place via a non-secured HTTP protocol. By mimicking the server, they sent a malicious file in an over-the-air update to the OBD-II port, which in turn gave them access to the Controller Area Network, a bus bar that connects the dozens of microcomputers that run vehicle functions.
Once they reached the CAN, they could do anything they wanted.
"The case we brought here is just one out of potentially many, and there will always be new vulnerabilities out there," wrote Yaron Galula, chief technology officer of Argus. "This is especially true today, as car connectivity is on the rise, there is a real need to bridge the gap between its tremendous inherent benefits and its potential hazards."
Beyond the immediate and obvious threat of a hacker remotely commandeering a car, the Argus researchers say they also could breach the privacy of motorists. They were able to track the vehicle's location and driving behaviors. Had they wanted, they could have transmitted that data to a third party.
Argus notified executives at Zubie's Charleston, S.C. headquarters of the holes in their security last month, and the companies collaborated on a fix for the problems before making the announcement Friday. In a written statement, Tim Kelly, Zubie's CEO, says he has no evidence that any current customers' vehicles had been compromised other than the one afflicted by Argus.
"Since learning about the reports from Argus, we took swift action and made the appropriate changes to our development process in order to further strengthen our overall security practices," he said.
As other researchers have agreed, Argus noted that the more advanced a vehicle, the more of its systems are controlled by electronic control units that are, thus, easier to hack. In 2010, researchers from the University of Washington and Cal-San Diego became the first to breach these computers.
They found it was possible to hack a car either via physical or wireless access by targeting certain components that sought external signals. In their experiments, they conducted the remote hacks on roads adjacent to the targeted vehicles.
Limited range meant limited potential for harm. Now that Argus has demonstrated a malicious code can be injected from anywhere, the cyber threat for automobiles may take on added urgency.
The Zubie research also illustrates another complication for automakers. Even as they work to fortify their cars, an aftermarket product over which they have no control ultimately provided the gateway that allowed for the hack of critical components.
"Up till now awareness to cyber security issues in the automotive industry has been limited and definitely did not receive the same attention cyber security has received in other industry sectors," Galula wrote. "... This is why we believe the industry should adopt a proactive approach towards cyber security."