Cars can be hacked by their tiny, plug-in insurance discount trackers

car obdii port hacking
Karl Koscher and Ian Foster remotely hack a Corvette by tapping into its tracker dongle -- the same used by major insurance companies.

The latest way to remotely hack a car? By tapping into one of those plug-in tracking devices from insurance companies.

In some cases, hackers can send a text message -- and disable a car's brakes, according to research presented by computer security experts on Monday.

It's a relatively simple hack. And while researchers only tested one type of device, it raises serious questions about how dangerous it is to use them at all.

Almost every car on the road right now has a computer port inside, usually underneath the steering wheel. It accesses the computer networks in your car, so mechanics can identify problems.

That information is valuable. It can tell how and when you accelerate, brake or steer.

That's why insurance companies now give their customers tiny tracking devices to plug into that port -- and offer discounts if you use them.

These device connects to the same cellular network as our mobile phones, so it can receive text messages.

Student engineers from the University of California, San Diego examined one from Mobile Devices used by auto insurer Metromile.

They discovered they could send it specially-coded text messages and remotely engage a car's brakes or disable them completely.

The good news? It only works if the car is at a slow crawl -- 5 miles per hour or less.

Perhaps worst of all, the device gets unfettered access to a car's internal controls. And they're not even hidden from the rest of the world. It's possible to find a specific car by its device's IP address or phone number.

The team of researchers presented their findings at the Usenix computer conference in Washington, D.C.

Mobile Devices did not respond to CNNMoney requests for comment. However, Stefan Savage, the college engineering professor that oversaw the research project, said that the device maker has since issued a software update.

Additionally, Metromile told CNNMoney most of the devices used by customers -- including ride-sharing service Uber -- have been fixed. All of them will be updated "by mid-August," Metromile said.

Savage stressed that we have yet to see these attacks in real life. But he did point out that his researchers didn't have to look very hard for flaws. This was merely the first model his team got their hands on.

"We take these devices far too lightly," Savage said. "This is a class of device that should be considered the same way we consider a medical device. It's a dangerous object that needs to be designed with care."

Savage now worries about how high tech flaws will be fixed. Because many of these Internet-connected devices are not considered vehicles themselves, it's unclear how the federal government could issue recalls or ensure their safety.

A bill recently introduced by U.S. Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) would require "all entry points" for cars sold in this country to "be equipped with reasonable measures to protect against hacking attacks."

Most importantly, this research is the latest sign that car hacking is a real thing.

Modern day cars are smartphones on wheels -- and just like any computer, vulnerable to hackers. As CNNMoney has investigated in the past, the computers inside cars are still pretty "dumb," and vulnerable.

Last month, another group of security researchers demonstrated how Chryslers can be hacked over the Internet. Their research forced Chrysler to recall 1.4 million cars.

Charlie Miller, one of the two Chrysler hacking researchers, explained why this latest finding is dangerous -- and why he refuses to plug any device into the OBD-II port under his car's steering wheel.

"Those dongles are inherently dangerous. They have full access," Miller said. "You're essentially giving someone direct connection to your vehicle's network. Don't plug things into that port," Miller said.

What a hacked Jeep looks like on the road
What a hacked Jeep looks like on the road

CNNMoney Sponsors