More bad news on the car security front: Researchers have discovered yet another to remotely disable your vehicle. Yesterday, a team from the University of California at San Diego released a video, timed with their presentation at the Usenix security conference, demonstrating how they were able to hack and take over a 2013 Chevrolet Corvette via its ODB-II port. Worse yet, the researchers say that this hack could be applied to just about any vehicle on the road sold after January 1996.
The proof-of-concept video starts with the research team turning on the sports car’s headlights and wipers using a smartphone. They then showed off some of the hack’s more scary tricks, remotely applying and disabling the Corvette’s brakes. (You can watch the full video embedded below.)
The device used to hack the Corvette was acquired through Metromile, a car insurance company that provides its customers with a special cellular-enabled ODB2 dongle. That dongle is supposed to enable discounts for low-mileage drivers. Researchers instead used it as a remote gateway to the car’s computer systems, proving the existence of a pretty significant security hole.
For their part, Metromile, the insurance company that distributes the dongles, says it took the issue seriously when the UCSD researchers informed them of it in June. “Patches have been sent out to all the devices,” says Metromile CEO Dan Preston. He further confirmed that no hackings have been reported in the wild.
That’s good news for Metromile customers, but the USCD team says that other OBD-II dongles could be still be used to hack and disable a wide range of vehicles. So how do you keep safe? “Think twice about what you’re plugging in to your car,” recommends study researcher Karl Koscher.
“It’s hard for the regular consumer to know that their device is trustworthy or not, but it’s something they should give a moment’s thought to,” Koscher adds. “Is this exposing me to more risk? Am I ok with that?”
Earlier in the week, Techlicious reported that most cars’ remote entry systems can be compromised by a $32 device. And back in July, white-hat researchers Charlie Miller and Chris Valasek proved a vulnerability in Chrysler vehicles by hacking and remotely disabling a Jeep Cherokee.
[Image credit: USCD]
