Posted on by Vulnerability Discoveryin
We worked with DHS US-CERT and the Department of Transportations' Volpe Center to study aftermarket on-board diagnostic (OBD-II) devices to understand their cybersecurity impact on consumers and the general public.
To that end, we've been looking at the security of aftermarket devices that connect to your car via its OBD-II port, which provides access to many of the car's internal networks. These devices are becoming increasingly popular and are accessed by usage-based insurance companies, fleet managers, and consumers.
Several of these devices have already been shown to be susceptible to hacking, such as the Zubie, Progressive Snapshot, and Metromile. We investigated the security of a representative sample of these devices, both to warn consumers of problems and to inform government fleet management personnel who are acquiring them.
Unfortunately, the bar for security in these types of devices seems pretty low. We examined eight of them and reviewed the documentation of quite a few others and found common architectural and implementation problems. Many of these devices simply pass any serial data from a radio interface (Bluetooth, WiFi, or cellular) to the OBD-II port of the car, and from there to the vehicle's CAN bus.
If this data is not sanitized, an attacker who controls the device could send arbitrary commands to the car's brakes, steering, accelerator and other important safety components, as was shown in several demonstrations by Chris Valasek and Charlie Miller recently.
There is a caveat to these risks--many of them require physical proximity (Wireless or Bluetooth range) to attack. The most likely attack vector may be a compromised mobile device in the car (phone, tablet, laptop) used to gain and maintain access to the vehicle. It helps that cars are complex and vary widely between makes and manufacturers, so weaponizing exploits is more difficult than for, say, a commonly used operating system. However, exploit kits will likely become more common as attackers reverse engineer various types of cars.
The details of our investigation can be found in our report, On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle. We hope this helps you, other consumers, fleet managers and manufacturers better understand the potential risks of these devices.