| Recurring |
one_organization, multiple_organization |
(a) In the articles, it is mentioned that the vulnerability related to the OBD2 dongles used for monitoring vehicles' location, speed, and efficiency was exploited by researchers at the University of California at San Diego in collaboration with the insurance startup Metromile [38900, 38980]. The dongles were found to have serious security deficiencies, allowing attackers to wirelessly access critical driving functions of vehicles. Metromile, the distributor of the dongles, responded to the vulnerability by issuing a security patch to all devices. However, the researchers found that thousands of still-hackable Mobile Devices dongles were visible, mostly in Spain, indicating that the issue may not have been completely resolved [38900, 38980].
(b) The articles also highlight that the problem of wirelessly hackable dongles plugged into cars' networks is not limited to Metromile or Mobile Devices. Other organizations, such as the insurance company Progressive offering similar telematics-based insurance using OBD2 plug-ins called the Snapshot, and the cybersecurity firm Argus with the Zubie OBD2 device, have also faced vulnerabilities in their products [38900, 38980]. This suggests that similar incidents of software vulnerabilities in OBD2 dongles have occurred across multiple organizations offering similar services. |
| Phase (Design/Operation) |
design, operation |
(a) The articles discuss a software failure incident related to the design phase. The incident involved vulnerabilities in internet-enabled gadgets plugged into cars' sensitive systems, such as the CAN bus, which controls the physical driving components. Researchers from the University of California at San Diego discovered security deficiencies in these gadgets, particularly in OBD2 dongles used by companies like Metromile and Mobile Devices. These dongles had multiple security flaws, including developer mode enabled, storing the same private key on every device, and accepting commands via SMS with virtually no authentication. This design flaw allowed hackers to wirelessly access and control critical driving functions of vehicles [38900, 38980].
(b) The articles also mention a software failure incident related to the operation phase. The vulnerability in the telematics dongles, particularly those distributed by Metromile and Mobile Devices, allowed hackers to exploit the devices by sending SMS instructions to a specific phone number. This operation-related failure enabled the researchers to take control of a Chevrolet Corvette, activating wipers, engaging brakes, and even disabling brakes at low speeds. The insecure configuration of the dongles, distributed to end-users in a "developer mode" with the same private keys stored insecurely on every device, made the operation of these devices susceptible to intrusion and manipulation [38900, 38980]. |
| Boundary (Internal/External) |
within_system, outside_system |
From the provided articles, the software failure incident related to the vulnerability of OBD2 dongles used in cars can be categorized as both within_system and outside_system.
1. **Within_system**: The vulnerability and security flaws in the OBD2 dongles themselves, such as having developer mode enabled, storing the same private key on every device, and accepting commands via SMS with virtually no authentication, are factors originating from within the system [38900, 38980].
2. **Outside_system**: The external factor contributing to the software failure incident is the potential insecurity of internet-enabled gadgets plugged into cars' sensitive systems. These gadgets, like the OBD2 dongles, are external devices that connect to the car's internal network and can be exploited by hackers to wirelessly access critical driving functions [38900, 38980]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
- The software failure incident in the articles was primarily due to vulnerabilities in internet-enabled gadgets plugged into cars' sensitive systems, such as OBD2 dongles [38900, 38980].
- Researchers were able to wirelessly hack into vehicles through a tiny commercial device by sending carefully crafted SMS messages, enabling them to control critical driving functions like brakes and windshield wipers [38900].
- The vulnerabilities in the devices allowed for remote control of various vehicle components without human intervention, showcasing a non-human action leading to the software failure incident [38900, 38980].
(b) The software failure incident occurring due to human actions:
- The software failure incident was exacerbated by human actions such as the distribution of insecure telematics dongles by companies like Mobile Devices and Metromile [38900, 38980].
- The devices were distributed in a "developer mode" with the same private keys stored insecurely on every device, leaving them open to intrusion once reverse engineered, indicating a human action contributing to the vulnerability [38980].
- While patches were implemented after the vulnerability was discovered, the incident highlights the importance of considering the security of devices connected to vehicles, emphasizing the role of human decision-making in ensuring software security [38900, 38980]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident occurring due to hardware:
- The incident involved a vulnerability in OBD2 dongles, which are hardware devices plugged into cars' dashboards to monitor vehicles' location, speed, and efficiency [38900].
- The vulnerability in the dongles allowed hackers to wirelessly access critical driving functions like brakes and steering through the dongles connected to the car's CAN bus, which controls its physical driving components [38900].
- The dongles had security deficiencies such as having the "developer" mode enabled, storing the same private key on every device, and accepting commands via SMS with virtually no authentication, making them vulnerable to attacks [38900].
- The vulnerability was not limited to a specific car model, as the researchers demonstrated the attack on a Chevrolet Corvette but mentioned that the issue could apply to practically any modern vehicle with the vulnerable dongles plugged into their dashboards [38900].
- The dongles were distributed by companies like Metromile and Mobile Devices, and while patches were issued for some devices, thousands of potentially vulnerable dongles from other distributors were still visible online [38900].
(b) The software failure incident occurring due to software:
- The incident involved software vulnerabilities in the OBD2 dongles, allowing hackers to exploit security flaws in the software of the dongles to remotely control various functions of the connected vehicles [38900].
- The dongles were configured to accept commands via SMS with almost no authentication, indicating a software flaw in the design of the devices [38900].
- The researchers reverse-engineered the dongles and found multiple security bugs in the software, including the ability to rewrite firmware or issue commands to the connected car by sending texts to the devices from a specific phone number [38900].
- The vulnerability in the software of the dongles allowed for remote exploits and potential control over critical vehicle components like steering and brakes [38900].
- While patches were issued for some devices, concerns remained about the overall security of wirelessly hackable dongles plugged into cars' networks, indicating ongoing software-related vulnerabilities [38900]. |
| Objective (Malicious/Non-malicious) |
malicious, non-malicious |
(a) The software failure incident described in the articles is malicious in nature. Researchers from the University of California at San Diego demonstrated how they could wirelessly hack into vehicles through insecure internet-enabled gadgets plugged into cars' dashboards, allowing them to remotely control critical driving functions such as brakes, steering, and transmission [38900, 38980]. The vulnerabilities in the devices allowed for malicious commands to be sent via SMS messages, enabling attackers to take control of the vehicles' physical components [38900, 38980]. The incident involved exploiting security deficiencies in the devices to gain unauthorized access and manipulate the vehicles, indicating a malicious intent to harm the system.
(b) The software failure incident is non-malicious as well. The vulnerabilities in the devices used for monitoring vehicles' location, speed, and efficiency were not intentionally introduced to harm the system but rather stemmed from security deficiencies in the design and implementation of the gadgets [38900, 38980]. The incident highlighted the risks associated with using insecure telematics dongles that could leave vehicles vulnerable to hacking, emphasizing the importance of considering the security of devices connected to vehicles [38900, 38980]. The vulnerabilities were not created with the intent to harm the system but rather resulted from inadequate security measures in the devices. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident described in the articles can be attributed to poor_decisions. The incident involved the exploitation of vulnerabilities in internet-enabled gadgets plugged into cars' sensitive systems, such as the OBD2 dongles used by insurance firms and trucking fleets to monitor vehicles [38900, 38980]. These gadgets had security deficiencies, including developer mode being enabled, storing the same private key on every device, and accepting commands via SMS with virtually no authentication. The vulnerabilities allowed hackers to wirelessly access critical driving functions, such as controlling the brakes, steering, and transmission of vehicles. Despite being notified of the vulnerabilities, the companies involved did not address the security issues adequately, leaving thousands of vehicles at risk of being hacked [38900, 38980]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident occurring due to development incompetence:
- The incident described in the articles is related to a software failure caused by development incompetence. The vulnerability in the OBD2 dongles, particularly those distributed by Mobile Devices and used by companies like Metromile, was due to multiple security deficiencies introduced during the development process [38900, 38980].
- The dongles were found to have serious security bugs such as having "developer" mode enabled, storing the same private key on every device, and accepting commands via SMS with virtually no authentication, indicating a lack of professional competence in ensuring secure development practices [38900, 38980].
- The researchers highlighted that the vulnerabilities in the dongles could have allowed hackers to remotely control various critical driving components of vehicles, demonstrating a lack of proper security measures during the development of the software and hardware components [38900, 38980].
(b) The software failure incident occurring accidentally:
- The incident described in the articles is not related to a software failure occurring accidentally. Instead, it is attributed to intentional actions by hackers who exploited the vulnerabilities in the OBD2 dongles to wirelessly hack into vehicles [38900, 38980].
- The researchers conducted deliberate attacks to demonstrate the potential risks associated with the insecure dongles, indicating that the software failure incident was a result of intentional exploitation rather than accidental factors [38900, 38980]. |
| Duration |
temporary |
The software failure incident described in the articles can be categorized as a temporary failure. The vulnerability in the OBD-II dongles used for monitoring drivers' behavior allowed hackers to wirelessly access critical driving functions in vehicles, such as activating wipers, engaging brakes, and even disabling brakes at low speeds [38900, 38980]. The incident was temporary in nature as it was caused by specific vulnerabilities in the dongles and the way they received and executed commands, rather than being a permanent failure affecting all circumstances. The vulnerability was addressed through security patches delivered wirelessly to the affected devices by the companies involved [38900]. |
| Behaviour |
omission, other |
(a) crash: The articles describe a software failure incident where researchers were able to wirelessly hack into vehicles through insecure dongles plugged into the cars' dashboards. They were able to transmit commands to the car's CAN bus, turning on windshield wipers and even enabling or disabling brakes. The researchers demonstrated these proof-of-concept attacks on a 2013 Corvette, affecting its windshield wipers and brakes [38900].
(b) omission: The software failure incident involved the vulnerability of OBD-II dongles that were distributed to monitor vehicles' location, speed, and efficiency. These dongles were found to have security deficiencies, allowing hackers to remotely control various components of the connected vehicles. The incident highlighted the omission of proper security measures in these devices, leaving them open to intrusion and manipulation [38900, 38980].
(c) timing: The incident did not involve a timing failure where the system performed its intended functions either too late or too early.
(d) value: The software failure incident did not involve a failure where the system performed its intended functions incorrectly.
(e) byzantine: The software failure incident did not involve a byzantine failure where the system behaved erroneously with inconsistent responses and interactions.
(f) other: The software failure incident can be categorized as a security vulnerability leading to unauthorized access and control of critical driving functions in vehicles through insecure dongles. This behavior falls under the category of a security breach or vulnerability exploit [38900, 38980]. |