Two vulnerabilities were identified in Bosch’s Drivelog Connect OBD-II dongle and smartphone app that allowed researchers to shut off the engine of a vehicle.
One of the issues was patched via server-side fix, Bosch said in an April 13 statement, while the other in the dongle itself will be handled in a future firmware update.
Researchers at Argus Cyber Security, a firm specializing in car security research, said the complexity in exploiting the vulnerabilities and forehand knowledge of automobile architecture somewhat mitigates the risk involved.
The vulnerabilities in the affected dongle (firmware version 4.8.0 to 4.9.2) and Drivelog Connect app (1.1.1. and below) can be paired to send unwanted messages to the CAN (Controller Area Network) bus on a vehicle that allows controllers and devices to communicate. The dongles connected to a car’s OBD-II port and are used to monitor vehicle performance and alert when service is necessary; there are commercial and consumer versions of the platform, but both contain the same vulnerabilities, Argus said.
“The first vulnerability allowed us to connect to the OBD (on-board diagnostics) without a PIN number; this happens during the pairing process between the app and the dongle,” said Ami Shalev, research team leader at Argus. “The second was found inside the dongle’s message filter and allowed us to send unintended messages to the car.”
Since the attacks are carried out over Bluetooth, an attacker must be in physical proximity of the dongle to send commands, Shalev said. The problem, he cautioned, is that this technique could have been extended to attack other electrical control units on the same network. In the wild, a large number of vehicles could be affected.
Argus researchers studied the Android version of the Bosch mobile app, which connects to the dongle over Bluetooth. Upon pairing, the app requests the dongle certificate which it then sends along with the user’s PIN to the Bosch backend server. The server replies with a pairing certificate that is verified by the dongle and eventually an encrypted channel is established between the app and device.
An attacker who pairs with the dongle would have enough information, including the certificate, public key and Mac address to try to guess the PIN offline, which Argus successfully did. This enabled them to authenticate to the dongle and send messages to the CAN bus. Messages such as these, however, are supposed to be filtered out.
“Dongles are not supposed to be designed to allow messages inside the car that are not diagnostic messages,” Shalev said. “There are message filters specifically for this; we were able to find a hole in the message filter and send unintended messages that affect the behavior of the car.”
Bosch said in its advisory that it mitigated the authentication vulnerability by activating a two-step verification process for additional users who want to register to a device.
“With the mitigation of the improper authentication vulnerability, successful exploitation of the second issue requires the compromise of the user’s information,” Bosch said. “This can only occur in connection with malicious modification of the mobile application on the user’s phone, i.e. installing of a malicious modified app not provided by BOSCH. The ability for a maliciously modified mobile application to possibly send unwanted CAN messages will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.”
Argus praised Bosch’s design of the dongle and application and said there was clearly an intent to secure the device and communication between it and the mobile app.
“This accentuates the risk of third-party things connected to vehicles,” said Monique Lance, an executive with Argus. “This shows that even products designed with security in mind can still be hacked. Vehicles need multiple layers of security and just one layer, even cryptography, cannot be relied upon.”