Published: November 10, 2014 | Tel Aviv, Israel
Argus Cyber Security has reported a security vulnerability in Zubie’s connected car device. As part of their ongoing study of aftermarket in-car devices, Argus’ researchers Ron Ofir and Ofer Kapota stumbled upon a substantial cyber security vulnerability in the Zubie connected car service. This finding could allow an attacker to wirelessly and remotely influence a vehicle’s mission-critical components such as the engine, brakes, steering and others. After being duly notified by Argus, Zubie took decisive and swift action in fixing the problem, as it relates to consumer safety.
“Argus’ mission is to promote car connectivity with zero compromise on safety and security. Once we detected Zubie’s security gap we duly notified Zubie with full details of our findings as required by our responsible disclosure policy. I was pleased to see both companies view customers’ safety a top priority, as evident by Zubie’s immediate action to fix the problem.”
— Ofer Ben-Noon, co-founder and CEO at Argus
The device is based on a Telit GE865 chip that provides the cellular connectivity and also provides a Python interpreter that enables users to run the actual application directly on the module. The first thing we noticed about the Zubie device is that it had a port that looked like some kind of maintenance port, embedded inside the OBD-II port (see image below).
After reading the source code of Zubie’s device, which was reportedly found after decompiling the AT Commands, Argus learned that the communication protocol supported remote over-the-air updates to the Zubie device. Since the entire communication was based on the non-secure HTTP protocol, the device was not verifying the authenticity of its control server. In addition, the downloaded software updates were not digitally signed. This means an attacker who was able to take over the server or its DNS address could send malicious software updates to the in-vehicle device. One practical method of taking over the DNS address is to hijack the GPRS cellular connection between the device and its server by setting up a rogue base station and performing what’s commonly referred to as a “Man-In-The-Middle” attack.
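The missing control described above is a signature check on the downloaded update before it is installed, so that a hijacked server, DNS entry or GPRS link cannot supply code the device will accept. The following is an added example, not code from Zubie or Argus: the function names, the sample firmware bytes and the demo key (built from two well-known Mersenne primes so the block runs with the standard library only, and therefore not secure) are all assumptions.

```python
import hashlib

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key from two Mersenne primes: trivially factorable and
# used here only so the example runs offline. A real device would embed the
# vendor's public key (N, E); the private key would never leave the vendor.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def _encode(image: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_update(image: bytes) -> bytes:
    """Vendor side (build server): sign the update image."""
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
    return pow(_encode(image), d, N).to_bytes(K, "big")


def verify_update(image: bytes, signature: bytes) -> bool:
    """Device side: True only if the signature covers exactly this image."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    # Rebuild the expected block and compare it whole; parsing the padding
    # out of the decrypted value is a classic source of forgery bugs.
    return pow(s, E, N) == _encode(image)


# Constructed sample data: a genuine image and one altered in transit.
GENUINE = b"demo-firmware v2"
SIG = sign_update(GENUINE)
TAMPERED = b"demo-firmware v2 + injected code"
```

The device would call `verify_update` on every downloaded image and discard it on `False`, regardless of which server or network path delivered it.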
Once taken over, the Zubie device may have enabled an attacker to remotely take control of a Zubie-equipped vehicle from anywhere in the world. Until now, awareness of cyber security issues in the automotive industry has been limited and has definitely not received the same attention cyber security has received in other industry sectors. The case we brought here is just one out of potentially many and there will always be new vulnerabilities out there.
More technical information could be found here.