Hackers have found yet another way to control cars from afar
“We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,” says Stefan Savage, the University of California at San Diego computer security professor who led the project, Wired reports. Mobile Devices sells its OBD-II dongles to lots of other companies, in this case a startup called Metromile, which uses them to monitor one’s driving for pay-per-mile insurance. Metromile has also teamed up with Uber to offer the cellular-enabled devices to its contract drivers as part of a discount insurance program.
More and more insurance companies are encouraging their customers to use data loggers, and that means there are already millions of possibly vulnerable cars on the road.
However, as The Verge dryly noted, the Metromile Dongle hack is “the newest in a recent rash of security vulnerabilities in cars that is raising questions about whether automakers and suppliers … should be moving as quickly as they are to connect their products to the Internet”.
Researchers have found a way to wirelessly hack into a vehicle via the on-board diagnostics (or OBD) devices some insurance companies use to track drivers’ speed and location.
The dongles were distributed to consumers in an insecure “developer mode”, according to the researchers, and configured to take commands via text message with little in the way of security, which allowed the hackers to access a car’s critical systems. In their demonstration video using a cherry-red Corvette, the vehicle’s windshield wipers were started remotely. This is the car’s internal network responsible for several of its functions. While those hacks targeted the dashboard entertainment system to make the jump to remote control of vehicle systems, by attacking the OBD-II dongle, the researchers gained direct access to the vehicle’s electronic brain to commit acts of mischief.
Uber also updated their software without any issues, but the security researchers say that similar, vulnerable models of the black box are still being used unpatched.
The researchers will reveal more details about this hack later today at the Usenix security conference. However, the researchers believe thousands of still-hackable Mobile Devices dongles are being used, particularly in Spain. If you’ve ever had a check engine light come on and brought your vehicle to a shop, the first thing a technician usually does is plug a scanning device into the OBD-II port to diagnose the problem.