Zubie is a small box that plugs into the On-Board Diagnostics (ODBII) port found in most modern cars. It allows users to find out how well they’re driving, and offers tips for extending their mileage with sensible, economical driving. And until recently, Zubie contained a serious lapse in security that could leave users vulnerable to having their car remotely hijacked.
The hole – discovered by alumni of Unit 8200, the Israeli Defense Force’s elite cybersecurity team – could potentially see attackers remotely interfere with braking, steering and the engine.
Zubie connects to a remote server over a GPRS connection, which is used to send gathered data to a central server, as well as in order to receive security updates.
The researchers discovered that the device was committing one of the cardinal sins of network security and not communicating to the home server over an encrypted connection. As a result, they were able to spoof the Zubie central server, and send some specially crafted malware to the device.
Further details of the attack are below, and you’ll be pleased to learn that the issue has since been fixed. It does, however, raise an interesting question. How secure are our cars?
Separating Fact From Fiction
For many, driving is not a luxury. It’s a necessity
And it’s a dangerous necessity at that. Most people are all too familiar of the risks associated with getting behind the wheel. Car accidents are the one of world’s the biggest killers, with 1.24 million lives lost on the road in the year 2010 alone.
But road deaths are declining, and that’s largely due to the increased penetration of sophisticated road safety technologies. There are far too many of these to comprehensively list, but perhaps the most prevalent example is OnStar, available in the US, Canada and China.
The technology – available exclusively in GM cars, as well as other vehicles by companies who have chosen to license the technology – monitors the health of your car. It can provide turn-by-turn directions, and can automatically render assistance should you find yourself in than accident.
Almost six million people subscribe to OnStar. Countless more use a telematics system, which allows insurers to track how well cars are driven and tailor insurance packages to reward sensible drivers. Justin Dennis recently reviewed something similar called Metronome by Metromile, which is freely available for residents of Washington, Oregon, California and Illinois. Meanwhile, many cars post 1998 can be interrogated and monitored via the ODBII diagnostic port thanks to Android and iOS smartphone apps.
As these technologies have reached ubiquity, so has an awareness that these can be hacked. Nowhere else is that more evident than in our cultural psyche.
The 2008 thriller Untraceable prominently featured an OnStar equipped car being ‘bricked’ by the antagonist of the film in order to lure someone into a trap. While in 2009, Dutch IT firm InfoSupport launched a series of commercials showing a fictional hacker called Max Cornellise remotely hack into automobile systems, including a Porsche 911, using only his laptop.
So, with so much uncertainty surrounding the issue, it’s important to know what can be done, and what threats remain in the domain of science fiction.
A Brief History Of Car Hacking?
Outside of Hollywood, security researchers have accomplished some pretty scary things with cars.
In 2013, Charlie Miller and Chris Valasek demonstrated an attack where they compromised a Ford Escape and Toyota Prius and managed to take control of the braking and steering facilities. However, this attack had one major drawback, as it was contingent upon a laptop being plugged into the vehicle. This left security researchers curious, and wondering if it was possible to accomplish the same thing, but without being physically tethered to the car.
That question was conclusively answered one year later, when Miller and Valasek conducted an even more detailed study on the security of 24 different models of cars. This time around, they were focusing on the capacity for an attacker to conduct a remote attack. Their extensive research produced a 93 page report, which was published on Scribd to coincide with their follow-up talk at the Blackhat security conference in Las Vegas.
It suggested that our cars aren’t as secure as once thought, with many lacking the most rudimentary cyber-security protections. The damning report highlighted the Cadillac Escalade, Jeep Cherokee and the Infiniti Q50 as being most vulnerable to a remote attack.
When we look at the Infinity Q10 specifically, we see some major lapses in security.
What makes the Infiniti so compelling as a car is also what makes it so vulnerable. Like many high-end cars produced in recent years, it comes with a swathe of technological features designed to make the driving experience more enjoyable. These range from keyless unlocking, to wireless tire pressure monitoring, to a ‘personal assistant’ smartphone app that interfaces with the car.
According to Miller and Vlasek, some of these technological features aren’t isolated, but rather are directly networked with the systems that are responsible for engine control and braking. This leaves open the possibility of an attacker gaining access to the car’s internal network, and then exploiting a vulnerability located in one of the essential systems in order to crash or interfere with the vehicle.
Things like keyless unlocking and ‘personal assistants’ are rapidly being regarded as essentials for drivers, but as Charlie Miller so saliently pointed out, “it’s a little scary that they can all talk to each other.”
But we’re still very much in the world of the theoretical. Miller and Vlasek have demonstrated a potential avenue for an attack, but not an actual attack. Are there any examples of anyone having actually managed to interfere with a car’s computer systems?
Well, there are no shortage of attacks that target keyless unlocking features. One was even demonstrated earlier this year at the Blackhat Security Conference in Las Vegas by Australian security Researcher Silvio Cesare.
Using just $1000 worth of off-the-shelf tools, he was able to spoof the signal from a key-fob, allowing him to remotely unlock a car. The attack relies on someone being physically present near the car, potentially for a few hours, as a computer and a radio-antenna transmits tries to brute-force the receiver built into a car’s keyless unlocking system.
Once the car has been opened, the attacker could then potentially attempt to steal it, or help themselves to any unattended items left behind by the driver. There’s a lot of potential for damage here.
Are There Any Defenses?
There’s already some form of protection against the remote access vulnerability discovered by Charlie Miller and Chris Valasek. In the months since their Blackhat talk, they’ve been able to construct a device acts as an intrusion detection system (IDS). This doesn’t stop an attack, but rather indicates to the driver when an attack might be in progress. This costs about $150 in parts, and requires a bit of electronics know-how to build.
The Zubie vulnerability is a bit trickier. Although the hole has since been patched, the weakness didn’t lie within the car, but rather within the third-party device that was attached to it. Whilst cars have their own architectural insecurities, it seems that adding additional extras only increases the potential avenues for an attack.
Perhaps the only way to be truly secure is to drive an old car. One that lacks the highly sophisticated bells-and-whistles of modern, high-end cars, and to resist the urge to shove things into your ODBII port. There’s security in simplicity.
Is It Safe To Drive My Car?
Security is an evolutionary process.
As people gain a larger understanding of the threats surrounding a system, the system evolves to protect against them. But the car world hasn’t quite had its ShellShock or HeartBleed. I imagine that when it has experiences its first critical threat – it’s first zero day, if you will – car manufacturers will respond appropriately and take steps to make vehicle security that bit more rigorous.
But what do you think? Is that a bit optimistic? Are you worried about hackers taking over your car? I want to hear about it. Drop me a comment below.
Explore more about: OBD-II.