malicious app, the buffer overflow condition can be exploited to take over the ECU responsible
for handling the Bluetooth functionality.
In the case of a direct attack (one that does not rely on access to an already paired device),
the researchers describe a scenario in which an attacker within range of the car can "sniff" the
car's Bluetooth MAC address and surreptitiously pair a new device with it. Normally the driver
has to explicitly put the car into pairing mode; as mentioned previously, the car then displays
a six-digit PIN that the driver must enter on the device. The researchers found, however, that
the car they analyzed would accept pairing attempts even when pairing mode had not been
requested. Because the car does not display the PIN in that case, they proposed a brute-force
attack in which the attacker simply tries every possible combination (000000–999999). They
reported that this took about 10 hours on average. Once the attacker's device is paired, the
attacker can launch the malicious app from it, exploit the known buffer overflow condition, and
take over the ECU. The researchers acknowledged that 10 hours is a long time, since the car
has to be running for the whole duration of the attack. In one case, however, they guessed the
PIN in just a quarter of an hour, and they pointed out that an attacker in a parking garage could
parallelize the attack by targeting many cars simultaneously, raising the odds that at least one
of them succeeds within a short window.
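The following is an added worked example, not code from the book or from the UCSD/UW researchers. It models the brute-force pairing scenario above: a constructed "pairing oracle" that answers PIN attempts without the driver enabling pairing mode, a sequential search over the six-digit keyspace, and the parking-garage arithmetic that explains why attacking many cars in parallel raises the odds of getting at least one in a short window. The per-attempt cost is inferred from the reported 10-hour average (an assumption: a sequential search over a uniformly random PIN succeeds after about half the keyspace, so the full space takes roughly 20 hours at that rate). The `max_failures` lockout is the hardening a practitioner would want and is not something the page says the car implemented.

```python
import random

PIN_SPACE = 10 ** 6  # six-digit PIN, 000000-999999


class PairingOracle:
    """Constructed model of a head unit that answers pairing attempts even
    though the driver never enabled pairing mode. The per-attempt cost is an
    assumption; the real unit's timing is not given on the page. With
    max_failures=None there is no lockout (the vulnerable behaviour)."""

    def __init__(self, pin, seconds_per_attempt, max_failures=None):
        self.pin = pin
        self.seconds_per_attempt = seconds_per_attempt
        self.max_failures = max_failures
        self.attempts = 0
        self.failures = 0

    def try_pin(self, guess):
        """Return True on a correct PIN; raise once a lockout threshold is hit."""
        if self.max_failures is not None and self.failures >= self.max_failures:
            raise PermissionError("pairing locked until the driver re-enables it")
        self.attempts += 1
        if guess == self.pin:
            return True
        self.failures += 1
        return False


def brute_force_pin(oracle):
    """Sequential search over the whole keyspace.
    Returns (pin, attempts, seconds), or (None, attempts, seconds) if the
    unit locked the attacker out before the PIN was found."""
    for n in range(PIN_SPACE):
        guess = f"{n:06d}"
        try:
            if oracle.try_pin(guess):
                return guess, oracle.attempts, oracle.attempts * oracle.seconds_per_attempt
        except PermissionError:
            break
    return None, oracle.attempts, oracle.attempts * oracle.seconds_per_attempt


def seconds_per_attempt_from_average(avg_hours):
    """Infer the per-attempt cost from a reported average time-to-success.
    A sequential search over a uniformly random PIN succeeds after
    (PIN_SPACE + 1) / 2 attempts on average (assumption)."""
    return avg_hours * 3600 / ((PIN_SPACE + 1) / 2)


def prob_single_success(hours_available, avg_hours):
    """Probability that one car's PIN falls within hours_available: the
    fraction of the keyspace coverable in that time, given that the whole
    space takes 2 * avg_hours to exhaust."""
    return min(1.0, hours_available / (2 * avg_hours))


def prob_any_success(num_cars, hours_available, avg_hours):
    """Parking-garage scenario: independent attacks against num_cars cars at
    once; success means at least one PIN is recovered inside the window."""
    p = prob_single_success(hours_available, avg_hours)
    return 1 - (1 - p) ** num_cars


if __name__ == "__main__":
    cost = seconds_per_attempt_from_average(10)  # from the ~10 h average
    pin = f"{random.randrange(PIN_SPACE):06d}"    # constructed random PIN
    found, attempts, secs = brute_force_pin(PairingOracle(pin, cost))
    print(f"no lockout: found {found} after {attempts} attempts ({secs / 3600:.2f} h)")
    print("5-failure lockout:", brute_force_pin(PairingOracle(pin, cost, max_failures=5)))
    for cars in (1, 10, 50):
        print(f"{cars:>3} cars, 1 h window: P(at least one) = {prob_any_success(cars, 1, 10):.3f}")
```

The 15-minute case in the text is simply a PIN that happens to sit early in the search order; it does not change the average. What the lockout variant shows is that a small failure threshold, or any requirement for the driver to confirm pairing, turns the 20-hour exhaustive search into a handful of attempts and removes the parallelization advantage entirely.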
Vulnerabilities in Telematics
Many cars contain cellular radio equipment that is used to connect the cars to a cellular net-
work. One popular example of this is General Motors’ OnStar, which provides many features
to the drivers and passengers, including contacting call centers during an emergency. As part
of this service, the system can track the car’s location and relay it to the call centers during an
accident so that assistance can be automatically dispatched. The system also provides features
such as stolen vehicle tracking, and even allows the call centers to remotely slow down a
stolen vehicle. The computer responsible for handling this cellular communication is known as
the telematics ECU.
In their whitepaper, Miller and Valasek state the following opinion on telematics ECUs:
This is the holy grail of automotive attacks since the range is quite broad (i.e. as long as the car can
have cellular communications). Even though a telematics unit may not reside directly on the CAN
bus, it does have the ability to remotely transfer data/voice, via the microphone, to another loca-
tion. Researchers previously remotely exploited a telematics unit of an automobile without user
interaction.
A successful attack against the telematics system would indeed be the most impactful: because
many telematics units have an actual cellular phone number that can accept incoming
connections, an attacker could break into cars remotely from anywhere in the world.
The researchers from UC San Diego and the University of Wash-
EXPLOITING WIRELESS CONNECTIVITY 167