Former Israel spooks have unearthed a vulnerability in Zubie- a third party car device- allowing hackers to control a car remotely. A successful attack would allow the hacker to remotely commandeer functions such as unlocking doors, tampering with instrument- readings, controlling the vehicle’s engine, brakes and steering components, revealed Argus cyber Security.
In the past, researchers have only managed to hack cars either through physical access to the computer system or from short distances using near field technology. The recent breakthrough by Argus researchers proved that hackers could control a car from “anywhere in the world” causing jitters in an industry which have long downplayed cyberattacks on automotives.
Zubie device, popular with insurance companies is used to track engine performance, driving habits and other safety practices behind the wheel. Plugging a Zubie device into the OBD-II port beneath the steering wheel enables insurance companies to receive data on your driving habits, transmitted through a Cloud-based connection which was apparently not secured.
After learning that Zubie used a non-secured HTTP protocol to communicate with the Cloud- based servers, Argus researchers sent a malicious file in an over-the-air update to the OBD-II port gaining access to the Control Area Network- a network of micro-computer that run the Car. On the Control Area Network the researcher could commandeer almost all functions of the vehicle.
“The case we brought here is just one out of potentially many, and there will always be new vulnerabilities out there,” wrote Yaron Galula, chief technology officer of Argus. “This is especially true today, as car connectivity is on the rise, there is a real need to bridge the gap between its tremendous inherent benefits and its potential hazards.”
Argus also warned that the vulnerability could be exploited by malicious hackers to compromise the privacy of motorists. A hacker could send a malicious code and receive the real time location of the motorist in addition other sensitive information on removable media devices attached to the car system.
Zubie’s CEO Tim Kelly issued a statement, assuring customers the vulnerability discovered last month has been patched up. “Since learning about the reports from Argus, we took swift action and made the appropriate changes to our development process in order to further strengthen our overall security practices,” he said adding that Zubie is yet to witness any attack on its customers.
The company has also embarked on a “system-wide security testing” in conjunction with NCC group to test for more zero day vulnerabilities in its products. “Using our knowledge and experience of working in the automotive sector, we worked closely with Zubie’s engineers to incorporate our findings into Zubie’s development process and further support its ongoing customer security requirements,” said Ollie Whitehouse, Technical Director, NCC Group.
Security experts agree that cars with superiors systems utilizing electronic control units are more likely to fall prey to malicious hackers. A few months ago, students from Zhejiang University in China claimed a $10,000 prize for hacking a Tesla Model S car at a security symposium in Beijing.
The hack by Argus Security firm is expected to cause a paradigm shift in automotive cyber security. Automotive makers are more likely to increase cyber security awareness in the industry and watch out for aftermarket devices which could expose their vehicle to cyber threats.