As if recent research on car hacking wasn't frightening enough, a new study shows yet another danger to increasingly networked vehicles.
This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car's dashboard, known as telematic control units (TCUs).
Insurance companies issue the devices to monitor driving metrics in order to meter policies. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.
In order to collect vehicle data, TCUs have access to the electronic brain of an automobile, the CAN (Controller Area Network) bus, which transmits and receives messages from many vehicle systems. The TCUs also have SIM cards, which give them cellular network connectivity in order to send information.
The researchers found a variety of security vulnerabilities which, in a real-world demonstration, allowed them to make a Corvette brake suddenly by sending a text message to the TCU, which then accessed the CAN bus, according to a study made public Tuesday.
"We show that these devices can be discovered, targeted and compromised by a remote attack, and we demonstrate that such a compromise allows arbitrary remote control of a vehicle," according to their research paper.
It's yet another example of the challenges facing the automotive industry, which security experts have contended lags far behind other industries in writing secure code.
Last month, Chrysler recalled 1.4 million recent model cars after researchers Charlie Miller and Chris Valasek showed they could remotely access a Jeep while it was being driven.
In this study, researchers looked at a variety of third-party TCUs, but focused on one in particular, the C4E family made by Mobile Devices Ingenierie. It's used by the pay-per-mile insurance company Metromile, which also sells policies for some Uber drivers, according to the paper.
They developed a two-stage attack which updated the device's software and then allowed them to funnel commands to the CAN bus. In their demonstration video using a cherry-red Corvette, the vehicle's windshield wipers were started remotely. In another demo, the car's brakes were applied while it was moving at a low speed.
The TCU's problems were many: its internal Web server can be found over the Internet if the cellular provider is not using network address translation (NAT). A search using the Shodan search engine turned up 3,000 devices, mostly in Spain, that are likely the same type of TCU; the concentration there is the result of a wireless provider in that country that doesn't use NAT, they wrote.
As the researchers showed with the Corvette, the TCU is also reachable over mobile networks if an attacker knows its phone number. Figuring out a phone number wasn't as hard as it seems: in many cases the phone numbers were simply assigned sequentially, starting with the 566 area code, according to the paper.