OBD-II Dongle Attack: Stopping a Moving Car by Means of Bluetooth

Researchers from the Argus research team found a way to hack into the Bosch Drivelog OBD-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving automobile by connecting to the dongle over Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect over Bluetooth to track fuel consumption and to be informed when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed them to quickly brute-force the secret PIN offline and connect to the dongle over Bluetooth. Once connected, security holes in the dongle's message filter allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating two-step verification for additional users to be registered to a device. The second issue, the ability of a maliciously modified mobile application to send unwanted CAN messages, will be mitigated with a dongle firmware update that further limits the commands the dongle is able to place on the CAN bus.
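The firmware-side mitigation described above amounts to a default-deny egress filter between the Bluetooth side and the CAN controller. The sketch below is an added illustration in C, not Bosch's firmware: the frame struct, the function name and the choice of permitted read-only OBD-II services are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy, not Bosch's: the dongle may emit only read-only OBD-II
 * (SAE J1979) requests on the standard 11-bit diagnostic request IDs. */
#define OBD_FUNCTIONAL_ID 0x7DFu /* broadcast request to all ECUs */
#define OBD_PHYS_ID_FIRST 0x7E0u /* physical request IDs 0x7E0..0x7E7 */
#define OBD_PHYS_ID_LAST  0x7E7u
struct can_frame_out {           /* hypothetical outbound frame type */
    uint32_t id;
    bool extended;               /* 29-bit identifier */
    bool remote;                 /* RTR frame */
    uint8_t dlc;
    uint8_t data[8];
};

/* Default-deny egress check, run on every frame queued for the CAN controller. */
bool dongle_may_transmit(const struct can_frame_out *f)
{
    if (f == NULL || f->extended || f->remote || f->dlc != 8)
        return false;            /* OBD-II requests on CAN are padded to 8 bytes */
    if (f->id != OBD_FUNCTIONAL_ID &&
        (f->id < OBD_PHYS_ID_FIRST || f->id > OBD_PHYS_ID_LAST))
        return false;            /* not a diagnostic request ID */
    if ((f->data[0] & 0xF0u) != 0x00u)
        return false;            /* ISO-TP single frames only */
    uint8_t len = f->data[0] & 0x0Fu; /* payload bytes, service ID included */
    if (len < 1 || len > 7)
        return false;
    switch (f->data[1]) {        /* service ID */
    case 0x03: case 0x07:        /* stored / pending DTCs: no parameters */
        return len == 1;
    case 0x01: case 0x02: case 0x09: /* current data, freeze frame, vehicle info */
        return len >= 2;
    default:                     /* 0x04 (clear DTCs), UDS services, everything else */
        return false;
    }
}

int main(void)
{
    /* Constructed sample frames: an engine-RPM request and a raw non-diagnostic frame. */
    struct can_frame_out rpm = { .id = 0x7DF, .dlc = 8, .data = { 0x02, 0x01, 0x0C } };
    struct can_frame_out raw = { .id = 0x123, .dlc = 8, .data = { 0x02, 0x01, 0x0C } };
    printf("rpm request: %s\n", dongle_may_transmit(&rpm) ? "forward" : "drop");
    printf("raw frame:   %s\n", dongle_may_transmit(&raw) ? "forward" : "drop");
    return 0;
}
```

Because the check lives in the dongle rather than in the phone application, a modified app cannot bypass it.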

Bosch downplays the issue a bit in their statement:

It is crucial to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This indicates that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguably physical proximity, but it is pretty easy to get or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the maker has an obligation to make sure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.
