Vulnerability revealed in diagnostic dongles used for vehicle tracking and insurance that lets attackers take control using just an SMS
Car dongle hack was demonstrated on a Corvette, but any vehicle with the diagnostic dongles attached could be vulnerable. Photograph: Charles Rex Arbogast/AP
Researchers have hacked a car, remotely activated its windscreen wipers, applied its brakes and even disabled them, all via simple text messages.
A group of researchers from University of California, San Diego discovered a serious weak point in vehicle security that allows hackers to take remote control of a car or lorry thanks to small black dongles that are connected to the vehicles’ diagnostic ports.
These dongles are plugged into the onboard diagnostics port (OBD-II) of cars and lorries by insurance companies and fleet operators as a way to track vehicles and collect data such as fuel efficiency and the number of miles driven.
But the researchers found that the dongles could be hacked by sending them SMS text messages, which relayed commands to the car’s internal systems. The hack was demonstrated on a Corvette, where the researchers could turn on the windscreen wipers, apply the brakes or even disable them at low speed.
“We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies,” Stefan Savage, computer security professor and leader of the project, told Wired.
Pay-by-mile insurance
The dongles tested and found to be vulnerable by the researchers were made by Mobile Devices and given to consumers by US insurance company Metromile as part of its pay-per-mile insurance plan. Metromile also distributes the dongles to Uber drivers for bespoke insurance plans.
The researchers warned that, once compromised, the dongles allow hackers to control almost any aspect of the car, including steering and locks, and that any of the thousands of cars equipped with them were potentially vulnerable.
The dongles were distributed to consumers in an insecure “developer mode”, according to the researchers, and configured to take commands via text message with little in the way of security, which allowed the hackers to access a car’s critical systems.
The researchers, who are presenting their work at the Usenix security conference in Washington DC this week, said that many other dongles of this type might have similar weaknesses. A drive for fuel savings and efficiency has led to their increasing use within companies and institutions, and the US government recently mandated that all federal bodies with fleets over 20 vehicles must fit dongles to them to monitor telemetrics.
Mobile Devices and Metromile were notified of the vulnerability in June and issued a patch for the devices, to be delivered wirelessly. Mobile Devices also said that its newer dongles were not susceptible to the hack. The researchers, however, could still detect thousands of vulnerable Mobile Devices dongles, including in Spain, where they are used for tracking vehicle fleets.
The Mobile Devices dongles are not the only OBD-II devices to have been shown to be vulnerable to attack. A similar device offered by insurance company Progressive was found to have serious security flaws, while a personal telemetrics device called Zubie was also found to be vulnerable.