A researcher discovered last week that he could exploit Progressive’s Snapshot driver tracking tool in order to hack into the onboard networks of certain automobiles. Snapshot is a tool manufactured by Progressive auto insurance that plugs into the OBD-II port. Its purpose is to monitor driving behavior in order to offer cheaper insurance rates to safer drivers.
For the uninitiated, the OBD-II is the input port beneath and, in general, slightly to the left of your steering wheel. It’s the port into which your mechanic plugs his emissions inspection machine to check all the codes in your car’s computer systems to make sure the vehicle isn’t releasing harmful pollutants. It’s also the port into which you can plug a diagnostic scanner to check why your check engine light has turned on.
Simply put: Your car’s computer network consists of sensors, electronic control units (ECUs), and the controller area network (CAN) bus. The ECUs, of which there can be very many, serve a variety of purposes, but mainly they process signals from sensors monitoring everything from engine control to airbags to any number of other components most people have never heard of. ECUs are connected and communicate via the CAN bus. For example: If you crash your car, a sensor tells its ECU that it thinks you crashed, and the ECU then passes that message along the CAN bus to another ECU that tells your airbag to deploy.
The OBD-II port used to be the only way to plug into and communicate with the CAN bus and its ECUs. New research shows that this can be done wirelessly as well.
Digital Bond Labs security researcher Cory Thuen got a Snapshot device, which is used in nearly two million cars. He reverse engineered it, figured out how it worked, and plugged it into his Toyota Tundra. He then determined that Snapshot does not authenticate itself, encrypt its traffic data, contain digital validation signatures, or offer a secure boot function.
To be clear, Snapshot devices communicate with Progressive over the cellular network in plain text. This means that an attacker could pretty easily set up a fake cell tower and perform a man-in-the-middle attack.
Despite these serious security lapses, the device has the capacity to communicate with the CAN bus. Therefore, it’s entirely possible that a remote hacker could inject code through a Snapshot dongle and onto the very network that controls your car’s airbags and emergency brakes. Thuen’s work stopped short of injecting code into the car’s network. He claims he was merely interested in figuring out if there was any security in place to stop him from doing it.
Before you panic, I spoke with IOActive’s director of vehicle security research and famed car hacker, Chris Valasek, about pumping malicious code into the CAN bus last year, and he assured me that it’s easier said than done.
Sure, it’s possible to inject code telling your car to initiate automatic parallel park assist while you are speeding down the highway. However, your car’s ECUs are processing thousands of other signals at any given point while your car is in motion. So, in order to initiate automatic parallel park assist (or any other feature), the attacker would have to flood the CAN bus with enough signals to override all of the legitimate information that the car’s sensors are outputting.
Valasek and fellow researcher Charlie Miller managed to manipulate seat-belt locks, brakes and steering by flooding onboard networks with spoofed sensor signals a couple of years ago. However, this process was labor-intensive, and Miller and Valasek, two of the brighter minds in the security industry, had a DARPA grant to work on their research.
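The need to out-shout legitimate sensor traffic is also what makes this kind of injection visible to a monitor on the bus. The following is an added example, not code from the article or from any of the researchers named: a rate-based check that learns how often each CAN arbitration ID normally appears and flags IDs that speed up sharply or were never seen before. It assumes legitimate frames are sent at a roughly fixed period; the function names, IDs and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import median

def learn_periods(frames):
    """Median inter-arrival time per arbitration ID, from a known-clean capture."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect_flood(frames, periods, window=0.1, factor=2.0):
    """Return {can_id: first_alert_time} for IDs never seen in the baseline or
    arriving more than `factor` times faster than their learned rate."""
    recent, alerts = defaultdict(deque), {}
    for ts, can_id in frames:
        if can_id in alerts:
            continue                      # already reported
        if can_id not in periods:
            alerts[can_id] = ts           # ID absent from clean traffic
            continue
        q = recent[can_id]
        q.append(ts)
        while q[0] <= ts - window:        # drop frames older than the window
            q.popleft()
        expected = window / periods[can_id]
        if len(q) > factor * expected + 1:
            alerts[can_id] = ts
    return alerts

def periodic(can_id, period, start, end):
    """Constructed helper: evenly spaced (timestamp, can_id) frames."""
    n = round((end - start) / period)
    return [(round(start + i * period, 6), can_id) for i in range(n)]

# Constructed sample data: IDs 0x100, 0x200, 0x555 are arbitrary, not from any real vehicle.
CLEAN = sorted(periodic(0x100, 0.010, 0.0, 1.0) + periodic(0x200, 0.020, 0.0, 1.0))
SPOOFED = periodic(0x200, 0.001, 0.5, 0.6)      # 0x200 at 20x its normal rate
MIXED = sorted(CLEAN + SPOOFED + [(0.7, 0x555)])

if __name__ == "__main__":
    periods = learn_periods(CLEAN)
    for can_id, ts in detect_flood(MIXED, periods).items():
        print(f"ALERT id=0x{can_id:03X} at t={ts:.3f}s")
```

On the constructed capture the monitor stays silent for the clean traffic and raises an alert within a few milliseconds of the burst on 0x200, plus one for the unknown ID.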
The good news is that not many people are doing CAN bus research. A lot of people, on the other hand, are working on browser security research. Car hacking is likely to take off as manufacturers begin integrating browsers and other Internet connected features into the cars they build and sell.