QuoVadis

OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth


https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/

 

In summary, the following two vulnerabilities were found:

  • An information leak in the authentication process between the Drivelog Connector Dongle and the Drivelog Connect smart phone application.
  • Security holes in the message filter in the Drivelog Connector dongle.

 

The information leak allowed us to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once connected to the dongle, security holes in the message filter of the dongle enabled us to inject malicious messages into the vehicle CAN bus.

 

In our research, we were able to turn off the engine of a moving car while within Bluetooth range. As troubling as that is, in a more general sense, since we can use the dongle to inject malicious messages into the CAN bus, we may have been able to manipulate other ECUs on the network. If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.

 

This post describes the basic setup and capabilities of the Drivelog dongle and its accompanying mobile app. We describe the research in the order in which it was carried out. That is, first we describe how we uncovered potential security holes in the message filter and then we describe how we uncovered the information leak in the authentication process between the dongle and the app. We then describe a complete attack flow.

  • Upvote 2
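The summary above names the dongle's message filter as the second weakness. As an added example (not code from the Argus write-up, the Drivelog firmware, or this thread), here is a default-deny filter for frames a phone app asks an OBD-II dongle to put on the bus. The allowlisted services, the `Frame` type and the sample frames are assumptions constructed for illustration.

```python
# Added example: default-deny egress filter for an OBD-II dongle.
# Policy values are assumptions, not taken from the Drivelog firmware.
from dataclasses import dataclass

FUNCTIONAL_REQ = 0x7DF              # ISO 15765-4 functional request ID
PHYSICAL_REQ = range(0x7E0, 0x7E8)  # physical request IDs, 11-bit addressing
# Read-only OBD services -> permitted single-frame payload lengths.
READ_ONLY = {
    0x01: range(2, 8),  # current data, 1..6 PIDs
    0x03: range(1, 2),  # read stored DTCs
    0x09: range(2, 3),  # vehicle information, one InfoType
}

@dataclass(frozen=True)
class Frame:
    can_id: int
    extended: bool
    data: bytes

def allow(frame):
    """Return (verdict, reason). Anything not explicitly permitted is dropped."""
    if frame.extended:
        return False, "29-bit identifiers are outside the policy"
    if frame.can_id != FUNCTIONAL_REQ and frame.can_id not in PHYSICAL_REQ:
        return False, "not an OBD request identifier"
    if len(frame.data) != 8:
        return False, "DLC must be 8"
    pci, service = frame.data[0], frame.data[1]
    if pci >> 4:
        return False, "only ISO-TP single frames are accepted"
    if service not in READ_ONLY:
        return False, "service 0x%02X is not allowlisted" % service
    if (pci & 0x0F) not in READ_ONLY[service]:
        return False, "payload length invalid for service"
    return True, "ok"

# Constructed sample frames (not captured traffic).
SAMPLES = [
    Frame(0x7DF, False, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0])),  # read RPM
    Frame(0x7E0, False, bytes([0x02, 0x10, 0x03, 0, 0, 0, 0, 0])),  # session control
    Frame(0x7DF, False, bytes([0x01, 0x04, 0, 0, 0, 0, 0, 0])),     # clear DTCs
    Frame(0x123, False, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0])),  # non-diagnostic ID
    Frame(0x7E0, False, bytes([0x10, 0x0A, 0x01, 0, 0, 0, 0, 0])),  # multi-frame start
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(hex(f.can_id), f.data.hex(), *allow(f))
```

Only the first sample passes; every other frame is rejected by the first rule it fails, so a new service or identifier has to be added to the policy before it can reach the bus.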

I think you can do a lot:

  • The injection can be remapped. On a common-rail diesel you have somewhere around 200 bar at engine start and, under load, even 2200 bar. You can remap it so the whole thing flies out of there.
  • The stability assistance system + braking system (ABS / ASR / ESP) can be rewritten
  • The parameters entered for wheel size can be modified. I mean their outer diameter. A note to the enthusiasts who fit wheels and tune by ear: since the ECU has no information that you changed the wheels and fitted bigger ones, it can no longer calculate braking distances accurately, it no longer knows exactly how to actuate the ABS, and the speed shown on the dashboard will be completely wrong.
  • The doors + windows can be locked permanently (the anti-panic system)
  • Any kind of consumer (audio, lights) can be switched on/off
  • Parking sensors, light sensors, rain sensors, as well as some valves (e.g. EGR) can be disabled
  • On modern cars even the valve opening timings can be modified.
  • The engine can be stopped/started or the radiator fan stopped (thermocouple, etc.)
  • The injectors can be "locked" in the open or closed position.
  • The injector compensation parameters as well as their codes can be modified (recoding)
  • The fuel mixture (the mixture ratio) can be modified
  • ...... that's about it, since I'm giving some people ideas. Ah, crap, I just gave them some =))

Limitations:

  • It doesn't work with a crappy dongle. The article's authors probably forgot to mention that too. Things like the ELM327 are only for reading ECU parameters, not for writing.
  • Parameters don't change "on the fly". The engine has to be switched off, and at the next start it will have the rewritten parameters.
  • Upvote 3