Metro Weekly

Cars can now be hacked with a text message

Our autos are becoming increasingly exposed to hackers as we demand greater connectivity from vehicles

Jeep Cherokee 2015
2015 Jeep Cherokee

As consumers demand ever more sophisticated infotainment systems in their cars, the likelihood that they — like our computers and smartphones — will be vulnerable to hacking increases. It’s a legitimate fear, as no one wants some aspect of their vehicle controlled by a mysterious force, whether it’s the air conditioning or the braking system.

However, most major hacking scandals that have affected cars in recent years have demanded a pretty specific set of circumstances — such as the hacker to be in said car. Not any more. Take Chrysler’s blunder this summer.

Wired’s Andy Greenberg reported last month on a serious security flaw in Chrysler’s UConnect infotainment system, used in a large number of Jeep, Dodge, Chrysler and Fiat cars. While driving a Jeep Cherokee near St. Louis, Greenberg lost all control of his vehicle. The vents blasted freezing cold air, the ventilated seats activated, the radio played at full volume, the wipers switched on and washer fluid coated the windscreen. Suddenly, an image of two men appeared on the 8.4-inch center display — well-known hackers Charlie Miller and Chris Valasek. Then, they cut the Jeep’s transmission, removing all power control from Greenberg.

Thankfully, this was a controlled experiment, but it highlighted a serious flaw in the Jeep’s systems. All the more troubling was that Miller and Valasek weren’t in the Jeep at the time — they were sitting ten miles away using a laptop. With a specific code the two had developed, they could remotely take control of most of the Jeep’s systems via the internet. That included the brakes, the steering, as well as tracking the Jeep via its GPS system. The reason? The Cherokee utilizes internet connected apps via Sprint’s network. Using a car’s unique IP address, the hackers could locate and take control of the vehicle using their custom-written code. The vulnerability in the UConnect software was so egregious that they could locate any Chrysler vehicle with the right UConnect system across America.

“From an attacker’s perspective, it’s a super nice vulnerability,” Miller told Wired. “[But] this might be the kind of software bug most likely to kill someone.”

“When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek added. “I was frightened. It was like, holy fuck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”

Chrysler was forced to recall 1.4 million vehicles in total, offering an update to fix the exploit. The National Highway Traffic Safety Administration opened an investigation against Harman Kardon, who manufactured the software for Chrysler. Suddenly everyone was talking about how secure their cars are.

While the Chrysler hack required a certain infotainment system, what if you could hack into a vehicle using something a simpler method? What if you could take control of a car with a text message? That’s exactly what researchers from the University of San Diego accomplished. At the Usenix security conference, they detailed that they had successfully taken control of a Chevrolet Corvette (a 2013 model, not the 2016 pictured below) via a series of texts. Not to any infotainment system — instead, they were sent to something millions of Americans have: a small dongle from your insurance company that tracks driving habits.

2016 Chevrolet Corvette Stingray
2016 Chevrolet Corvette Stingray

The dongles are plugged into the diagnostics ports of vehicles and provide data to insurance companies that allows them to adjust premiums depending on driving style. “We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies,” Stefan Savage, computer security professor and the project’s leader, told Wired. Specifically, they were dongles by Mobile Devices, used by insurance company Metromile — Uber is a customer for its pay-per-mile insurance plans, The Guardian reports.

Mobile Devices shipped the dongles in developer mode, an insecure software version that allows access to a vehicle’s critical systems. A lack of security protocols in the dongle enabled the researchers to control “just about anything on the vehicle they were connected to,” according to Savage. That included wipers, brakes, transmission, steering, and even unlocking the vehicle. A determined hacker could easily hijack a car with the right text message.

Metromile has apparently updated the dongles to fix the flaw, but it’s not a unique problem. Earlier this year, similar dongles by Progressive were also proven hackable — what would Flo say about that? For consumers, it begs the question as to whether companies are testing every aspect of their connected systems to the same extent we expect from PC and smartphone makers (though the recent flaws in iOS and Android would suggest that no company is perfect).

It’s something Tesla is taking seriously. Its Model S electric sedan is essentially a giant, moving computer — it is internet connected, always on and several functions can be controlled by the owner from their smartphone. This June, they launched a “bug bounty” program, offering cash incentives to hackers who could expose flaws in their systems. Initial sums were a reported $25 to $1,000. That has now increased to $10,000 for specific vulnerabilities related to Tesla’s hardware, software and infrastructure — including their website and Powerwall home battery system.

It’s already paying dividends. Mobile security company Lookout identified six vulnerabilities in Tesla’s Model S that allowed them to take control of the infotainment system and utilize commands that can be carried out by the Tesla smartphone app. They could even unlock the doors, open the power trunks (the Model S has two, front and rear) and start the electric motor. Two weeks after Tesla was notified, an update was pushed to every Model S wirelessly to address the fix. Tesla’s ability to remotely update an owner’s car without bringing it to a dealer allows for fast and easy fixes.

Compare that to Chrysler: of the 1.4 million owners who need their cars updated, it’s estimated that only a fraction will actually do so. Last year, the LA Times reported that just 40% of recalled vehicles were fixed. That’s an awful lot of cars on American roads just waiting to be hacked.

Support Metro Weekly’s Journalism

These are challenging times for news organizations. And yet it’s crucial we stay active and provide vital resources and information to both our local readers and the world. So won’t you please take a moment and consider supporting Metro Weekly with a membership? For as little as $5 a month, you can help ensure Metro Weekly magazine and MetroWeekly.com remain free, viable resources as we provide the best, most diverse, culturally-resonant LGBTQ coverage in both the D.C. region and around the world. Memberships come with exclusive perks and discounts, your own personal digital delivery of each week’s magazine (and an archive), access to our Member's Lounge when it launches this fall, and exclusive members-only items like Metro Weekly Membership Mugs and Tote Bags! Check out all our membership levels here and please join us today!