Real World Attack – General Motors Corvette Brakes
There are not specific models or manufacturers that are immune from vulnerabilities or attack. The
attackers look solely for vulnerabilities regardless of the target. There is not a strata in the automobile industry that is perfectly designed or manufactured. This is the case with General Motors. There consistently have been issues with one piece of equipment when attacked to the vehicle– the dongle. These two factors were applied with an attack from 2015 on the GM Corvette and its brake system.
The GM brake system was attacked via a dongle manufactured by Mobile Devices plugged into the OBD-II port (Young, 2015; Foster, Prudhomme, Koscher, & Savage, 2015; Zorz, 2015; Goodwin, 2015; Amir, 2015). This was the Metromile dongle (Mathews, 2015; Schupak, 2015). The dongle is commonly used by insurance agencies and fleets (Snyder, 2015) for tracking and reporting purposes.
In this attack, the deviant only needed to know or acquire the IP address and phone number attached to the vehicle (Kovacs, 2015). Gathering this information is not difficult or labor intensive. With this in hand, the attackers then sent an SMS message to the dongle. This is connected to the CAN bus, which controls the vehicle’s components used to drive the vehicle and other functions. This attack was directed explicitly to a 2013 Corvette (Young, 2015; O’Keefe, 2015). In exploring this attack vector, the attackers at first targeted the windshield wipers and brakes. Once this vector was known to be a viable avenue, other attempts would be made. The additional targets were the door locks, steering, and transmission.
Once connected to the OBD-II port, the attack was completed without authentication (Kovacs, 2015). This in itself is a significant security issue in the architecture. This was later patched (Young, 2015) and the vulnerability mitigated.
Learn more about social engineering through National Cybersecurity Institute’s webinars.
Amir, W. (2015, August 12). Researchers show how to hack a corvette with a text message. Retrieved from https://www.hackread.com/hack-corvette-with-text-message/
Foster, I., Prudhomme, A., Koscher, K., & Savage, S. (2015, August 10-11). Fast and vulnerable: A story of telematics failures. WOOT, 2015. Retrieved from http://www.autosec.org
Goodwin, A. (2015, August 11). Researchers hack a corvette’s brakes via insurance black box. Retrieved from http://www.cnet.com/roadshow/news/resarchers-hack-a-corvettes-brakes-via-insurance-black-box/#!
Kovacs, E. (2015, August 12). Researchers hack car via insurance dongle. Retrieved from http://www.securityweek.com/researchers-hack-car-insurance-dongle
Mathews, L. (2015, August 11). Corvette hijacked by hacking its insurance dongle. Retrieved from http://www.geek.com/news/researchers-hijack-a-corvette-by-hacking-its-insurance-dongle-1630857/
O’Keefe, S. (2015, August 12). Researchers wirelessly hack a corvette’s brakes using an insurance dongle. Retrieved from http://www.itsecurityguru.org/2015/08/12/researchers-wirelessly-hack-a-corvettes-brakes-using-an-insurance-dongle/
Schupak, A. (2015, August 12). Hackers hijack a corvette via text message. Retrieved from http://www.cbsnews.com/news/hackers-hijack-corvette-via-text-message/
Snyder, B. (2015, August 12). Corvette hack is one more reason to be wary of connected cars. Retrieved from http://www.cio.com/article/2969358/consumer-electronics/corvette-hack-is-one-more-reason-to-be-wary-of-connected-cars.html
Young, A. (2015, July 28). Car hacking: Security experts caution automakers on greater need for cybersecurity and anti-hacking measures. Retrieved from http://www.ibtimes.com/car-hacking-security-experts-caution-autmakers-greater-need-cybersecurity-anti-2026472
Young, R. (2015, August 11). Hackers cut a corvette’s brakes via a common car gadget. Retrieved from http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
Zorz, Z. (2015, August 12). Researcher’s hack corvette via SMS to plugged-in tracking dongle. Retrieved from https://www.helpnetsecurity.com/2015/08/12/researchers-hack-corvette-via-SMS-to-plugged-in-tracking-dongle/
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.