Lieff Cabraser is investigating reports that a device that can be plugged into the dashboard of cars and trucks to facilitate performance monitoring and location monitoring can be used by hackers to take remote control of a vehicle’s critical systems including brakes, and, with reasonably anticipatible further adaptation, steering and transmission.
The vulnerable device is a plug-in or “dongle” connected to a vehicle’s Onboard Diagnostic Port II, hence known as OBD-II dongles. The devices connect to a vehicle’s dashboard, and some of these devices, in addition to transmitting monitoring data, can receive SMS messages that can then communicate with the vehicle’s computer systems.
As noted by PC Magazine, “these devices have been around for several years and let owners of vehicles manufactured after 1996 with an ODB-II port add connectivity. They are offered by companies ranging from large auto insurers to a dozen or so start-ups for everything from monitoring driving styles and fuel economy to tracking teenagers while they’re behind the wheel.” In addition to rental car companies and private drivers, some Uber drivers have installed OBD-II dongles as part of a discount insurance program.
Researchers from the University of California at San Diego recently sent specially-crafted SMS messages to an OBD-II dongle manufactured by French firm Mobile Devices (the company’s devices are distributed in the U.S by Metromile, a San Francisco-based car insurance start-up). Through the Mobile Devices dongle, the researchers were able to transmit commands to the car’s internal network, allowing them to take remote control of the vehicle’s windshield wipers and brakes.
“As more and more technology becomes inter-connected,” Wired magazine observed, “we have to apply pressure on manufacturers to ensure that they get their code right in the first place, rather than rush out patches later after a serious vulnerability has been found.”