Software updates sent to the TCU are not cryptographically signed, so the TCU cannot tell whether an update it receives is malicious. It also does not verify the legitimacy of the server that's sending an update.
When the researchers reverse engineered the TCU's NAND flash unit, they found the same SSH (secure shell) key was shared by several models from the same manufacturer. That means if the IP address of the TCU is known, an attacker could simply log in using that same SSH key.
The findings were shared with Mobile Devices Ingenierie and its customer Metromile and even Uber. The researchers wrote that Mobile Devices said many of the issues have since been fixed in subsequent versions of its software. Metromile said it was disabling the SMS access on its branded vehicles.
Still, many vulnerable devices appear to be actively used, and questions remain over how security updates will be distributed in the future.
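A fleet operator can check for the shared-key condition described above by fingerprinting the SSH public key provisioned on each unit and grouping devices by fingerprint. The following is an added example, not code from the researchers or the vendor; the device ids and key bytes are constructed, and it assumes the OpenSSH public key lines have already been collected from each device image.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def make_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH ssh-ed25519 public key line from 32 constructed bytes."""
    algo = b"ssh-ed25519"
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed algorithm name; it must match field 0.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != fields[0]:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> sorted device ids for keys present on more than one device."""
    groups = defaultdict(list)
    for device, line in inventory.items():
        groups[fingerprint(line)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


# Constructed inventory: hypothetical device ids, dummy key bytes (not real keys).
FACTORY = make_pubkey_line(b"\x01" * 32, "factory")
INVENTORY = {
    "model-a-0001": FACTORY,
    "model-a-0002": FACTORY.replace("factory", "support"),  # same key, new comment
    "model-b-0001": FACTORY,
    "model-c-0001": make_pubkey_line(b"\x02" * 32, "unit-unique"),
}

if __name__ == "__main__":
    for fp, devices in shared_keys(INVENTORY).items():
        print(fp, "shared by", ", ".join(devices))
```

Because the fingerprint covers only the key blob, a key that has been re-labelled with a different comment is still grouped with its duplicates.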
"Even if we take these statements at face value, they suggest a disconnect in the interface with customers since we identified these problems in a number of production devices directly (to say nothing of the several thousand we identified online)," they wrote.
The research was presented at the 24th USENIX Security Symposium in Washington, D.C. It was written by Ian Foster, Andrew Prudhomme, Karl Koscher and Stefan Savage of the university's Department of Computer Science and Engineering in San Diego.