By: Soren Sarstrup
Posted: November 11, 2014
Vulnerabilities in an electronic add-on have given hackers the ability to remotely manipulate a car’s physical operation and expose driver data. The vulnerability was uncovered by Argus Cyber Security, an Israeli IT firm, during its analysis of data security in vehicle telematic solutions.
Argus uncovered the vulnerability in Zubie, a combined hardware and software solution which tracks car location and movement and tells drivers how to drive more effectively. Zubie includes a device that plugs into a car’s OBD2 (on-board diagnostic) port and relays this data on car performance to a private cloud through a GPRS modem and then back to the driver’s smartphone.
The use of Zubie-type after-market hardware and the rapid growth in the number of cars connecting to the Internet are positioned to attract hackers. “There are about 20 million connected cars now and in 15 years there could be 1.4 billion cars,” stated Argus CEO Ofer Ben-Noon to Autelligence at the Telematics Update conference in Munich. “As the numbers increase, more hackers will look into it.”
During Argus Cyber Security’s analysis of the Zubie solution, researchers realized that the device relayed messages to the Zubie server via unsigned and unencrypted HTTP communications. This opened the door to a potential “man-in-the-middle” attack where the hacker could pose as the legitimate server to snoop on messages and manipulate with the car’s physical operation.
Argus researchers were able to use this technique to place remotely malware on the Zubie device and access the vehicle through the CAN (controller area network) bus, opening locked doors, altering dials on the dashboard, and also downloading information to selected servers on the car’s activity and tracking its location. Ben-Noon said his researchers could have done more to manipulate the vehicle but did not. He declined to give specifics on the hacked vehicle or the specific vulnerabilities.
OBD2 ports are a standard feature in almost all cars made after 1996. Usually located under the steering wheel, they are the connection point for computer analysis of a car’s performance. Dongles such as the Zubie hardware are increasingly plugged into the OBD2 for “Pay-as-you-drive” insurance policies where the driver’s actual car use influences the monthly payments.
Argus followed standard IT protocol for this vulnerability, informing Zubie privately and working with the company to close the vulnerability two months before announcing it. The Zubie website stated that there is no evidence that malicious hackers had actually used the vulnerability.
Want to read more like this?
Stay informed with our weekly and periodical email newsletters. Strategic developments, conference reviews, surveys, feature articles, and our latest report releases, sent straight to your inbox – all free of course. Sign up here.