Zubie, a program designed to enhance the safety of vehicles by tracking performance and suggesting ways to increase efficiency, might as well be a welcome mat for hackers looking to disable or turn off the brakes, steering column and engine of a connected car.
Several former members of Israel’s cyber intelligence division figured out ways to access and manipulate several of Zubie’s components, according to a new article in Forbes.
Led by Ofer Ben-Noon, a team from the start-up Argus Cyber Security began chipping away at Zubie’s system, starting with the hardware that plugs into the On-Board Diagnostic port of a car under the steering wheel. The port communicates with the car’s internal systems and has a mobile GPRS modem that sends the car’s information to Zubie’s cloud and the owner’s smartphone.
The problem is that the communication is not encrypted or sent via a secure network, making it possible for anyone to transmit information without having to provide identification. “A hacker who managed to take over the server or its domain name would be able to send malicious updates to the device,” Forbes writer Thomas Fox-Brewster says. “[A] hacker could set up a fake mobile base station in a car park and then spoof a Zubie server. This is the kind of exploit Argus researchers were able to perform, for real.”
The team was able to unlock the vehicle’s doors, manipulate the dials on the dash and could have spent more time looking for other access points to the brakes or engine, “but felt they had made their point.” The make and model of the car were not released.
Tim Kelly, Zubie’s CEO, says he’s been made aware of the hack and improvements have been made to fix the problems, but Ben-Noon hopes this will serve as a wake-up call to automotive manufacturers to consider the unintended consequences and potential threats of connected cars.
“When will the industry adopt cyber defenses? We believe that we’re starting to see more of these events that will force them to accept what they are not currently willing to accept. Having cyber systems in a vehicle is a money maker – you save money on brand damage that might occur in the future,” he told Forbes. “It will take time for the automotive industry to understand what enterprises already understand.
“Car connectivity is a must moving into the future but has to be done in a secure manner. [Tech manufacturers] have to be responsible for their components.”