Researchers have shown that an internet-connected gadget plugged into your car is not as safe as you might have thought.
Researchers proved this last summer, when a Corvette’s brakes were hacked via a cellular-enabled insurance dongle attached to the sports car’s dashboard. Now another hacker has revealed that these digital accessories might have left another, bigger class of automobile vulnerable to the same sort of over-the-internet intrusion: larger vehicles such as buses, trucks and ambulances.
Spanish security researcher Jose Carlos Norte revealed that he had used the scanning software Shodan to find thousands of publicly exposed “telematics gateway units”, commonly known as TGUs, which are small radio-enabled devices attached to industrial vehicles’ networks to track their location, gas mileage and other data. One TGU, called the C4Max, had no password protection, which left its users unprotected from hackers, who could access the devices simply by scanning for them.
Mr Norte, the chief technology officer of security firm Eye, a company owned by the Spanish telecom company Telefonica, was able to easily look up the location of any of the vehicles available to him at any given moment. He stopped there, however, because he feared that what he had been doing might be against the law. He explained that an intruder who went further than he did would be able to send commands affecting the vehicle’s steering, brakes or transmission.
He also mentioned that he did not go further than the usual scan; going further would have needed more time, skill and flexibility. His findings are in line with those of researchers at the University of California at San Diego, who last summer did go the step further and developed a full CAN network attack via a different Mobile Devices vehicle accessory, although that research was done on smaller cars and trucks. The researchers were able to send CAN signals to a Corvette that turned on its windshield wipers and disabled its braking system. One of the researchers thinks that their research and that of Norte could be linked.
Mobile Devices, the company which distributes the C4Max device for applications, responded through its CEO, Aaron Solomon, who said that only devices in “development” mode, not in “deployment” mode, would be accessible to the scans that Mr Norte had done. He was also aware of the UCSD investigation and said his firm had warned consumers against leaving their devices in insecure mode.
Mr Norte’s real concern, however, is preventing the kind of full vehicle attack that his peers demonstrated in the UCSD experiment. That experiment involved smaller cars, but he fears such attacks might be used against industrial vehicles in the future. He says that was one of the reasons he decided to publish: to force an update.