In the latest car-hacking exploit in a summer full of them, researchers from the University of California-San Diego say they've found a way to manipulate braking in a 2013 Chevrolet Corvette. The vulnerabilities may not be limited to that model. Cyber-security researchers breached the car's security systems via a device they had plugged into the Corvette's OBD-II port, and through that connection, they sent messages that could turn windshield wipers on and off and tamper with the brakes as the car drove at low speeds.
It's the latest in a series of car hacks that involve access to critical systems obtained via the OBD-II port, where drivers can plug in devices that provide anything from diagnostic information for mechanics to driving information for insurance companies. Last November, cyber-security engineers from Argus Cyber Security remotely controlled vehicle functions in a car that had an OBD-II dongle called a Zubie installed. In January, researchers from Digital Bond Labs found security holes in an information-tracking dongle popular with more than 2 million Progressive Insurance customers. Those came before prominent hacks unveiled in recent weeks, in which researchers remotely commandeered control of a Jeep Cherokee and, separately, showcased problems with GM's OnStar infotainment system.
Regarding the dongles that plug into the OBD-II ports, Stefan Savage, a Cal-San Diego professor involved in the research, tells WIRED that "we acquired some of these things, reverse-engineered them, and along the way, found that they had a whole bunch of security deficiencies." Savage and others unveiled the latest study at the Usenix security conference Tuesday.
In a video of their exploit entitled "Fast and Vulnerable," they show how they sent SMS messages from a smartphone to the dongle plugged into the car's OBD-II port. From there, their messages accessed the CAN bus, a network on the car that connects individual electronic control units, which control dozens of vehicle functions. As they send the commands to brake the car, the driver of the Corvette notes "the pedal doesn't react to any pressure."
General Motors issued a written response Wednesday, warning drivers to be careful with third-party devices they plug into their OBD-II ports. "As always, before a customer connects a third-party device to the vehicle diagnostic port, we encourage the customer to understand the potential effects of the device on their vehicle, including any information that the device may access and any impact that the device may have on the vehicle or its operation."
It's not the first time Cal-San Diego researchers have been involved in car-hacking research. Savage and others partnered with the University of Washington in 2010 and 2011 on a pair of landmark studies that outlined the vulnerabilities in modern cars and showed that car hacking is even possible.