It's common knowledge nowadays that any computer can be hacked, and any wireless connection can be compromised. In other words, any “smart” device is vulnerable, including smartphones, smart TVs, and smart cars (which are basically computers on wheels).
Indeed, in February a Senate committee report determined that almost every new car sold on the American market was vulnerable to hackers in some way or other.
Hackable car exploits
In just the past two weeks, dangerous, exploitable security flaws have been uncovered in cars from three different manufacturers. On July 24, Fiat/Chrysler USA recalled 1.4 million vehicles from model year 2013 and later, to fix a massive software flaw allowing hackers to remotely seize control of a vehicle's major operating systems, including steering, brakes, and transmission.
A week later, another security researcher discovered a way to remotely seize control of the OnStar systems used in various General Motors vehicles.
Five days ago, Tesla Motors issued a software patch to fix a security hole that allowed hackers to take control of a Tesla Model S and abruptly turn it off.
And today, security researchers from the University of California at San Diego found yet another hackable-car threat with the potential to affect almost all makes and models of modern cars – although the specific brand hacked in this security test was a 2013 Corvette.
Wired reports that a team of researchers from UC San Diego discovered that a commonplace gadget which trucking companies and insurance firms use to remotely monitor vehicles' location, speed, and other factors also leaves those vehicles vulnerable to hackers: “By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.”
A dongle is essentially a small piece of hardware that attaches to a computerized or electronic device to add functions; attached to the computer in a car, for example, it can provide remote speed and location monitoring. The specific device in this instance is an OBD (on-board diagnostics) dongle made by French firm Mobile Devices and distributed by American corporate customers such as Metromile, a San Francisco-based insurer which uses the dongles to charge per-mile rates for insurance.
Not that the use of such devices is limited to insurance customers looking for discounted rates. In March, the White House issued an executive order mandating the use of similar OBD monitoring systems by federal agencies with fleets of 20 or more vehicles.
Moving too fast?
Metromile says it has already issued a wireless patch for that particular security hole. However, as The Verge dryly noted, the Metromile Dongle hack is “the newest in a recent rash of security vulnerabilities in cars that is raising questions about whether automakers and suppliers … should be moving as quickly as they are to connect their products to the Internet.”
One could raise similar questions regarding whether the U.S. government, which over the past year has developed the annoying habit of having its sensitive computer systems and databases breached by Chinese or Russian hackers every few weeks, should be in such a rush to add its automobile fleet to that ever-growing list of hackable things.