Don Bailey and Matthew Solnik, researchers at iSEC Partners, presented their work at the Black Hat 2011 security conference in Las Vegas, explaining how they can use an Android phone to carry out a technique they’ve dubbed “war-texting”. The new technique relies on intercepting text messages, which many devices use to send commands or even firmware updates (firmware being permanent software programmed into a read-only memory).
By setting up a local GSM network in the vicinity of a Subaru Outback, the team were able to intercept password authentication messages sent between the electronic key fob and the vehicle. What happens next is not exactly known, because the researchers haven’t divulged all their secrets as a courtesy to the manufacturer.
However, what we do know is that intercepting those authentication messages allowed the team to understand the basic commands required to communicate with the security system of the car. Once they knew those details, they were able to send their own messages to the system in order to reverse-engineer the firmware – effectively learning how the entire device works.
From there, they could work out which commands were useful, and write their own messages to send that could unlock – and even start the engine of – the car. The whole process took them just a matter of hours. The team haven’t gone into detail about which other cars might share these vulnerabilities, but the communication devices built into the vehicle are generic items – so the chances are that the problem could be widespread.
More worryingly, their technique could be used to attack other systems. Any device that routinely receives firmware updates via text message, such as traffic control systems and security cameras, could be fair game. Perhaps worst of all, it could also attack SCADA sensors, which are used to monitor industrial systems such as the power grid and water supplies. “I could care less if I could unlock a car door,” Don Bailey told CNN. “It’s cool. It’s sexy. But the same system is used to control phone, power, traffic systems. I think that’s the real threat.”
Though there has been no formal statement made by Subaru, Bailey has notified the manufacturer, and they are apparently taking steps to remedy the situation.