At the Black Hat conference in Las Vegas on Wednesday, two researchers demonstrated how they were able to send commands via a laptop to unlock the doors of a Subaru Outback – and then, awing the audience, actually start the car.
Don Bailey and Matthew Solnik, security consultants at iSec Partners, used a technique they have dubbed “war texting” to tap into the system used to remotely control the car.
The researchers did not disclose the name of the affected system in order to give its manufacturer time to fix the issue.
In the presentation, titled “War Texting: Identifying and Interacting with Devices on the Telephone Network,” Bailey said that in addition to vehicles, many other GPS-tracking devices, 3G security cameras, urban traffic control systems, SCADA sensors and home controls and systems are also telephony-enabled and, as a result, susceptible to attack.
Such systems often receive firmware updates and other messages over the Global System for Mobile Communications (GSM) telephone network in the form of SMS messages, Bailey said. It is their reliance on the GSM network that makes such systems vulnerable to reverse engineering and abuse.
“Technology is a good thing for us," he said. "We can't be overly paranoid about what we're doing. But at the same time, history has shown us it's not always a good idea.”
Bailey said it took just two hours for him and Solnik to set up their own private GSM network, then figure out how to directly communicate with the in-car system by posing as an authorized server.
An attacker could easily locate other vulnerable systems on the global telephone network, he added. Once these platforms are identified, attackers can intercept the messages sent to and from such systems, then send their own messages commanding the system to send back its location or other data.
Bailey also has successfully used such techniques to compromise the consumer GPS-tracking device Zoombak, he said.