Flaw in Car Dongle Allows Hackers to Control Engine


Researchers found vulnerabilities in Bosch’s Drivelog Connect product that can be exploited to inject malicious messages into a vehicle’s CAN bus. The vendor has already implemented some fixes and is working on adding more attack protections.

Bosch’s Drivelog Connect is a service that provides information about the condition of a vehicle, including service deadlines, potential defects, and data on fuel consumption and driving behaviour. The product includes a dongle named Drivelog Connector, which connects to the car’s OBD2 diagnostics interface, and a mobile application that communicates with the dongle over Bluetooth.

Researchers at the automotive cyber security firm Argus found very serious vulnerabilities in the communications between the dongle and the mobile app.

One of these security holes is related to the authentication process between the Drivelog Connect smartphone app and the Drivelog Connector. The app is available for both Android and iOS, but the experts focused on the Android application. The second flaw affects the dongle’s message filter.

According to the researchers, diagnostic messages can only be sent to the CAN bus with a valid service ID. However, this message filter can be bypassed by sending OEM-specific messages, which can be obtained by monitoring CAN traffic or by fuzzing CAN bus messages.
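As an added illustration of the defensive side (not Bosch's or Argus's code), a default-deny filter for a diagnostic gateway can check the CAN identifier and frame format as well as the service ID, and record every dropped frame for detection. The identifier range and the read-only service list are assumptions taken from the standard OBD-II conventions, and the sample frames are constructed.

```python
from typing import NamedTuple

class Frame(NamedTuple):
    can_id: int
    extended: bool   # True for 29-bit identifiers
    data: bytes

# Assumption: standard 11-bit OBD-II request IDs
# (0x7DF functional, 0x7E0-0x7E7 physical).
OBD_REQUEST_IDS = frozenset({0x7DF, *range(0x7E0, 0x7E8)})
# Assumption: read-only services only; 0x04 (clear DTCs) and
# 0x08 (control of on-board systems) are deliberately left out.
READ_ONLY_SERVICES = frozenset({0x01, 0x02, 0x03, 0x06, 0x07, 0x09, 0x0A})

def check_frame(frame):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if frame.extended or frame.can_id not in OBD_REQUEST_IDS:
        return False, "identifier is not an OBD-II request ID"
    if not 2 <= len(frame.data) <= 8:
        return False, "bad frame length"
    pci = frame.data[0]
    if pci >> 4 != 0:                      # only single frames are forwarded
        return False, "not a single frame"
    length = pci & 0x0F
    if not 1 <= length <= len(frame.data) - 1:
        return False, "bad payload length"
    if frame.data[1] not in READ_ONLY_SERVICES:
        return False, "service ID not allowlisted"
    return True, "ok"

def filter_frames(frames):
    """Split frames into those forwarded to the bus and those dropped (with reason)."""
    forwarded, dropped = [], []
    for frame in frames:
        allowed, reason = check_frame(frame)
        if allowed:
            forwarded.append(frame)
        else:
            dropped.append((frame, reason))  # feed this to logging/alerting
    return forwarded, dropped

# Constructed sample frames; 0x123 is a placeholder non-diagnostic identifier.
SAMPLES = [
    Frame(0x7DF, False, bytes.fromhex("02010C0000000000")),  # service 0x01 request
    Frame(0x7E0, False, bytes.fromhex("0209020000000000")),  # service 0x09 request
    Frame(0x7DF, False, bytes.fromhex("0104000000000000")),  # service 0x04, not allowed
    Frame(0x123, False, bytes.fromhex("02010C0000000000")),  # wrong identifier
    Frame(0x7E0, False, bytes.fromhex("1014490201000000")),  # multi-frame, not allowed
]
```
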

An attack leveraging this message filter bypass can be launched by a hacker who has obtained root access to the targeted user’s smartphone. The Argus researchers said that, during the tests they conducted, they managed to remotely stop the engine of a moving car by exploiting these vulnerabilities. They also pointed out that, depending on the make and model of the car, other actions may have been possible.

This attack scenario requires root access to the Android device and a malicious patch to the mobile app. Car manufacturers have often pointed out that it’s difficult to prevent attacks once a smartphone has been compromised.

 


Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]