Researchers demonstrate car hack via insurer dongle

Researchers have discovered a vulnerability in a small dongle that insurers in the US install in cars. An attacker can use this to give commands to the car via SMS, which, for example, causes the windshield wipers to turn on or the brakes to be activated.

The researchers from the University of San Diego present their findings at the Usenix Security Conference and state that such a hack is quite easy to perform. In this case, attackers do not have to physically break into the car to perform the hack; any car equipped with the dongle can be hacked. The hackers can check the locks, gears and steering wheel, among other things. The dongle is used to monitor driver behavior data and forward it to insurers using the integrated SIM card. The device is used by insurer Metromile, among others, which also insures all Uber drivers in the US.

The researchers from San Diego discovered in the dongles, which are produced by the French company Mobile Devices, that the developer mode is still on by default and that every dongle has been given the same key. So it was not difficult for the researchers to perform the hack.

The vulnerability has now been patched in the US, but research by the hackers shows that the dongle has not yet received an update in other countries of the world, mainly Spain. In a short video, the hackers demonstrate how the attack works with a Corvette equipped with the dongle. However, they state that any car with an unpatched dongle is vulnerable to this hack.

Although the hackers have called their demonstration ‘Fast and Vulnerable’, the brakes can only be activated at low speeds