Two vulnerabilities were identified in Bosch’s Drivelog Connect OBD-II dongle and smartphone app that allowed researchers to shut off the engine of an automobile.
One of the issues was patched with a server-side fix, Bosch said in an April 13 statement, while the other, in the dongle itself, will be addressed in a future firmware update.
Researchers at Argus Cyber Security, a firm that specializes in automotive security research, said the complexity of exploiting the vulnerabilities and the prior knowledge of vehicle architecture it requires somewhat mitigate the risk involved.
The vulnerabilities in the affected dongle (firmware versions 4.8.0 to 4.9.2) and the Drivelog Connect app (1.1.1 and below) can be combined to send unwanted messages to a car’s CAN (Controller Area Network) bus, which allows controllers and devices to communicate. The dongles connect to a car’s OBD-II port and are used to monitor vehicle performance and alert when service is needed; there are commercial and consumer versions of the platform, but both contain the same vulnerabilities, Argus said.
“The first vulnerability allowed us to connect to the OBD (on-board diagnostics) without a PIN number; this occurs during the pairing process between the app and the dongle,” said Ami Shalev, research team leader at Argus. “The second was found in the dongle’s message filter and allowed us to send unintended messages to the car.”
Because the attacks are carried out over Bluetooth, an attacker must be in physical proximity of the dongle to send commands, Shalev said. The concern, he said, is that this technique could have been extended to attack other electronic control units on the same network. In the wild, numerous cars would be affected.
Argus researchers studied the Android version of the Bosch mobile app, which connects to the dongle over Bluetooth. Upon pairing, the app requests the dongle’s certificate, which it then sends together with the user’s PIN to the Bosch backend server. The server replies with a pairing certificate that is verified by the dongle, and eventually an encrypted channel is established between the app and the device.
An attacker who pairs with the dongle would have enough information, including the certificate, public key and MAC address, to try to guess the PIN offline, which Argus successfully did. This enabled them to authenticate to the dongle and send messages to the CAN bus. Messages such as these, however, are supposed to be filtered out.
“Dongles aren’t supposed to be designed to permit messages into the car that are not diagnostic messages,” Shalev said. “There are message filters specifically for this; we were able to find a gap in the message filter and send unintended messages that affect the behavior of the car.”
Bosch said in its advisory that it mitigated the authentication vulnerability by activating a two-step verification process for additional users who want to register to a device.
“With the mitigation of the improper authentication vulnerability, successful exploitation of the second issue requires the compromise of the user’s data,” Bosch said. “This can only happen in connection with malicious modification of the mobile application on the user’s phone, i.e. installation of a maliciously modified app not provided by BOSCH. The ability for a maliciously modified mobile application to possibly send unwanted CAN messages will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.”
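As an added illustration (not Bosch’s firmware and not code from the advisory), the following C sketch shows the kind of default-deny transmit filter the firmware mitigation describes. The frame struct and function name are hypothetical, and the allowed identifiers and services are assumptions taken from standard OBD-II addressing (ISO 15765-4, SAE J1979), since the page does not list the dongle’s actual rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed frame type for this example; not the dongle's own structures. */
typedef struct {
    uint32_t id;       /* CAN identifier */
    bool     extended; /* true for 29-bit identifiers */
    uint8_t  dlc;      /* number of valid bytes in data[] */
    uint8_t  data[8];
} can_frame_t;

/* Assumed allowlist: read-only SAE J1979 services (live data, freeze frame,
 * stored/pending/permanent DTCs, vehicle info). Services that clear codes
 * (0x04) or control on-board systems (0x08) are deliberately excluded. */
static const uint8_t allowed_services[] = { 0x01, 0x02, 0x03, 0x07, 0x09, 0x0A };

/* Default-deny check applied to every frame the app asks the dongle to send. */
bool obd_tx_allowed(const can_frame_t *f)
{
    if (f == NULL || f->extended || f->dlc < 2 || f->dlc > 8)
        return false;

    /* ISO 15765-4 request IDs: 0x7DF functional, 0x7E0..0x7E7 physical. */
    if (f->id != 0x7DF && (f->id < 0x7E0 || f->id > 0x7E7))
        return false;

    uint8_t pci = f->data[0];
    if ((pci & 0xF0) == 0x30)       /* flow control, needed for long replies */
        return f->id != 0x7DF;      /* only valid on a physical address */
    if ((pci & 0xF0) != 0x00)       /* otherwise ISO-TP single frames only */
        return false;

    uint8_t len = pci & 0x0F;
    if (len < 1 || len > f->dlc - 1)
        return false;

    for (size_t i = 0; i < sizeof allowed_services; i++)
        if (f->data[1] == allowed_services[i])
            return true;
    return false;                   /* unknown service: drop */
}
```

The filter checks the identifier, the transport-layer framing and the service byte together, so a frame that matches a diagnostic ID but carries a non-allowlisted command is still dropped.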
Argus praised Bosch’s design of the dongle and software and said there was clearly an intent to secure the device and the communication between it and the mobile app.
“This accentuates the danger of third-party issues connected to vehicles,” said Monique Lance, an executive with Argus. “This shows that even products designed with security in mind can still be hacked. Cars need multiple layers of security, and only one layer, even cryptography, can’t be relied upon.”