A recent alumnus of CSE’s BS/MS program, Ian Foster (MS ’15), gave a high-profile talk this week at the Aug. 10-11 USENIX Workshop on Offensive Technologies (WOOT 2015) in Washington, D.C., on the eve of the much larger USENIX Security conference. Foster (who is now at Salesforce), CSE Prof. Stefan Savage, Qualcomm Institute programmer-analyst Andrew Prudhomme (who worked on the project in Savage’s CSE 227 class), and CSE postdoctoral researcher Karl Koscher made international headlines with their paper, "Fast and Vulnerable: A Story of Telematic Failures." The researchers examined a popular aftermarket telematics control unit (TCU), which connects to a vehicle via the standard On Board Diagnostics (OBD-II) port, usually below the steering wheel. TCUs are often provided free of charge by auto insurance companies such as Progressive (with its Snapshot dongle) in return for the promise of lower rates, because TCUs can keep track of every time the driver pumps the brakes or presses the accelerator, etc. Indeed, virtually all computerized functions of a car, including lighting and HVAC, can be accessed through the OBD-II port, and the danger is enhanced because TCUs have built-in external networking -- which makes it easier for a hacker to get access to the car's computerized controls.
"We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle," according to the paper’s authors. "This problem is particularly challenging because, since this is aftermarket equipment, it cannot be well addressed by automobile manufacturers themselves." Indeed, a hack can be as easy as sending a text message to disable the car's brakes (as long as the auto is not going over five miles an hour).
With funding from NSF and UC San Diego's Center for Networked Systems (CNS), the researchers looked specifically at one TCU built by Mobile Devices and distributed by insurance company Metromile, one of many companies that use the device. Metromile provides discounted per-mile insurance to Uber drivers willing to hook the TCU dongle into their car’s dashboard. For the study, a Corvette was used, but any late-model automobile would probably have had similar issues. Pictured in the Corvette: co-authors Karl Koscher (left) and Ian Foster. (Photo courtesy Wired magazine) The researchers were able to demonstrate both local and remote vulnerabilities, resulting from a combination of bad architectural decisions (e.g., the design of the update protocol) and particular configuration options (e.g., the use of text messaging and debugging features in production deployments and the use of identical keys and passwords among such devices). In their experiments with the Mobile Devices TCU, the researchers documented a number of vulnerabilities, including a complete remote compromise via text message. In their paper, the researchers showed how, once compromised, the TCU makes it possible "to remotely control safety-critical automobile features", e.g., the brakes.
Savage told reporters that Mobile Devices subsequently issued a software update to prevent some of security flaws. "We take these devices far too lightly," Savage told CNN. "This is a class of device that should be considered the same way we consider a medical device. It's a dangerous object that needs to be designed with care."
The researchers offered some tips on improving the safety of TCUs, such as firewalls at the controller area network (CAN) bus that allows automotive devices to communicate with each other. However, they warned that in the long run, the auto industry "will require stronger mechanisms for code signing, authentication, and for limiting what kinds of communications a particular device can engage in." CSE’s Savage says that Metromile has been “super responsive” to the researchers’ security findings. Said Savage: “They tell us that they’ve updated all of their units over the air, and that they are no longer vulnerable.” Other companies that make or offer TCUs for fleet management, tracking, insurance and other industries will hopefully follow suit, although there is no proof yet that a completely secure TCU is even possible.
Read the full paper, "Fast and Vulnerable: A Story of Telematic Failures".