Little Red Corvette: You Need Security That's Going to Last

During the 20th Century, the greatest selection pressure on the automotive industry was the imperative to produce safer cars. Mechanical functions became computerized wherever possible, bringing the wonders of interactive dashboards, sensors, mapping technology and cameras - even to new cars in the most affordable price range.  

Now, if you own a car manufactured in the last ten years, chances are it has some type of computer network running the show. The consensus is that all these technical advancements have improved safety - perhaps cutting traffic fatalities by as much as a third in the last three years. 

The fly in the ointment? All this fancy-dan technology has exposed new vulnerabilities, even as they’ve swept away old ones.  

Researchers from the University of California have developed a method of hacking cars using insurance black boxes - and SMS. Testing their methods on a 2013 Chevrolet Corvette (because you may as well do science in style), the team worked out how to control the windscreen wipers and - eek! - the brakes using text messages. They say the method can be adapted to access other control systems like transmission, locks and steering. This shouldn’t be possible right?

The researchers are expected to deliver their findings at the USENIX security conference in Washington this November. The report - “Fast and Vulnerable: A Story of Telematic Failures” - states that on-board network devices can be ‘discovered, targeted and compromised by a remote attacker,’ essentially allowing nefarious hackers to turn your vehicle into a remote controlled car.

The black-box system which acted as the portal for the team to hack into the controls is usually used to store data for insurance purposes. Because it needs to log data on braking, speed and location, it must be embedded into the vehicle’s CAN (or internal network) - making it vulnerable to hackers. Once the researchers had gained access they were able to wireless control the car using SMS messages. 

This particular hack has now been patched by the manufacturers, but it’s indicative of just how easy it is to expose and exploit systems designed to make automotive travel safer. 

Another car hack was recently performed on the Jeep Cherokee. Demonstrations of how easily the vehicle’s uConnect software could be compromised using an IP address caused widespread concern. Other car manufacturers, including General Motors, have also been shown to have vulnerabilities to hackers. 

The irony is that insurance companies are incentivizing the installation of data loggers, and have been for years. And the kinds of technology used in the hacks aren’t regulated because, like SMS messaging, they are so widely available. It’s safe to assume that the hacks performed so far by researchers represent the tip of the iceberg. With millions of cars using data logging technology, we could see more cases of dangerous security breaches emerging in due course.