Israeli firm Argus Cyber Security recently reported that it had been able to remotely “take control of a car via Bluetooth” thanks to vulnerabilities in the Bosch Drivelog Connect OBD-II dongle.
While the hack wouldn’t affect 90 percent of cars and produce an army of “zombie cars” like was pulled off by cyber-terrorist Cipher (Charlize Theron) in the eighth installment of the Fast and Furious series, Argus researchers were able to remotely kill the engine of a moving car.
Famed car-hacker Charlie Miller isn’t too worried about a Fate of the Furious type of car hacking at this point. Bad guys remotely taking control of cars by hacking may currently be something we only see done in the movies, but the CIA was interested in hacking cars for what WikiLeaks claimed could be used to pull off “nearly undetectable assassinations.”
Argus explained this remote attack as:
In our research, we were able to turn off the engine of a moving car while within Bluetooth range. As troubling as that is, in a more general sense, since we can use the dongle to inject malicious messages into the CAN bus, we may have been able to manipulate other ECUs on the network. If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.
The researchers discovered two security flaws. One involved security holes in the message filter of the Drivelog Connect dongle which would allow attackers to send unauthorized messages to the car. The other was an information leak in the authentication process; it affected the “Just Works” Bluetooth pairing and authentication process between the dongle and the app.
The Drivelog Connect dongle pairs with the app and displays car diagnostics, “real-time driving behavior,” a logbook of routes, locations of service centers and a car-finder option just in case you forgot the location of where you parked.
Since the dongle certificate leaked information, an attacker could connect to the dongle and then brute-force the secret PIN offline. The PIN has eight digits, meaning there are 100 million possible PINs, but researchers said “a modern laptop can run 100 million SHA256 computations and encryptions in roughly 30 minutes.” Running multiple brute-forcing servers at the same time would make quick work of determining the PIN.
After connecting to the dongle via Bluetooth, they exploited vulnerabilities in the dongle’s message filter to inject malicious messages into the vehicle’s CAN bus.
The press release reads:
A vulnerability found in the authentication process between the dongle and the Drivelog Connect smartphone application enabled Argus researchers to uncover the security code within minutes and communicate with the dongle from a standard Bluetooth device, such as a smartphone or laptop. After gaining access to the communications channel, Argus researchers were able to duplicate the message command structure and inject malicious messages into the in-vehicle network. Effectively bypassing the secure message filter that was designed to allow only specific messages, these vulnerabilities enabled the Argus research group to take control of a moving car, demonstrated through remotely stopping the engine.
Bosch mitigated the authentication vulnerability by adding two-step verification for any additional users on a registered device. It was implemented on the server-side, so users did not need to take any action.
The Bosch advisory said, “It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.”
As for the injection of malicious CAN messages, the company is working on a dongle firmware update.