Bosch fixed some vulnerabilities and is working on others in its Drivelog Connect product, which could be exploited by hackers to inject malicious messages into a vehicle’s CAN bus.
Bosch’s Drivelog Connect is a service that provides information about the condition of a vehicle, including potential defects, service deadlines, and data on fuel consumption and driving behavior.
The product includes a dongle called Drivelog Connector, which plugs into the car’s OBD2 diagnostics interface, and a mobile application that communicates with the dongle via Bluetooth.
At issue are serious vulnerabilities in the communication between the mobile app and the dongle, according to a researcher at automotive cybersecurity firm Argus.
One of the security holes lies in the authentication process between the Drivelog Connector and the Drivelog Connect smartphone app. The app is available for both iOS and Android, but the researchers focused on the Android application, Alexei Kovelman said in a blog post.
A second flaw affects the dongle’s message filter, he said.
Diagnostic messages can only be forwarded to the CAN bus if they carry a valid service ID. However, this message filter can be bypassed by sending OEM-specific messages obtained through CAN traffic monitoring or by fuzzing CAN bus messages.
An attack leveraging this message filter bypass can be launched by an attacker who has obtained root access to the targeted user’s smartphone.
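To make the design weakness concrete from a defender's perspective, here is an added example (not Bosch's or Argus's code, and not a description of the actual Drivelog Connector firmware) contrasting a filter that looks only at the diagnostic service ID with one that also pins the CAN arbitration ID to the standard diagnostic request IDs and checks the ISO-TP framing. All frames, the allow-list and the arbitration IDs are constructed for illustration; the service IDs are standard UDS (ISO 14229) values and 0x7DF/0x7E0-0x7E7 are the ISO 15765-4 diagnostic request IDs.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed allow-list of standard UDS service IDs a dongle might permit.
ALLOWED_SERVICE_IDS = {0x10, 0x11, 0x14, 0x19, 0x22, 0x27, 0x2E, 0x31, 0x3E}

# ISO 15765-4 diagnostic request IDs: functional (0x7DF) and physical (0x7E0..0x7E7).
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))


@dataclass(frozen=True)
class CanFrame:
    """Classic CAN frame: 11-bit arbitration ID plus up to 8 data bytes."""
    arb_id: int
    data: bytes


def sid_only_filter(frame: CanFrame) -> bool:
    """Weak policy: accept any frame whose payload byte 1 is an allowed service ID.

    Byte 0 of an ISO-TP single frame is the PCI (protocol control) byte, so
    the UDS service ID sits at index 1.  This policy never looks at the
    arbitration ID, so any non-diagnostic frame that happens to carry an
    allowed value at index 1 is forwarded to the bus.
    """
    return len(frame.data) >= 2 and frame.data[1] in ALLOWED_SERVICE_IDS


def hardened_filter(frame: CanFrame) -> bool:
    """Stricter policy: diagnostic request ID, well-formed single frame, allowed SID."""
    # Only the standard diagnostic request arbitration IDs may leave the dongle.
    if frame.arb_id not in DIAG_REQUEST_IDS:
        return False
    # ISO-TP on classic CAN is always padded to 8 bytes.
    if len(frame.data) != 8:
        return False
    pci = frame.data[0]
    # High nibble 0 == single frame; multi-frame transfers are rejected outright.
    if pci >> 4 != 0:
        return False
    # Low nibble is the single-frame payload length (1..7 bytes).
    sf_len = pci & 0x0F
    if not 1 <= sf_len <= 7:
        return False
    return frame.data[1] in ALLOWED_SERVICE_IDS


def apply_policy(frames: List[CanFrame], policy: Callable[[CanFrame], bool]) -> List[int]:
    """Return the arbitration IDs of the frames the given policy would forward."""
    return [f.arb_id for f in frames if policy(f)]


# Constructed sample traffic: a genuine TesterPresent request, a replayed
# non-diagnostic frame whose second byte coincides with an allowed SID, and a
# diagnostic-ID frame carrying a service ID outside the allow-list.
SAMPLE_FRAMES = [
    CanFrame(0x7E0, bytes([0x02, 0x3E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])),
    CanFrame(0x2C0, bytes([0x01, 0x22, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00])),
    CanFrame(0x7E0, bytes([0x02, 0x99, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])),
]

if __name__ == "__main__":
    print("SID-only forwards:", [hex(i) for i in apply_policy(SAMPLE_FRAMES, sid_only_filter)])
    print("Hardened forwards:", [hex(i) for i in apply_policy(SAMPLE_FRAMES, hardened_filter)])
```

The replayed 0x2C0 frame passes the SID-only policy purely because of its payload, which is the class of gap an allow-list keyed on a single byte leaves open; the hardened policy rejects it on the arbitration ID before ever inspecting the service ID. A firmware fix would also normally require that the session sending these frames has been authenticated, which the dongle's Bluetooth layer rather than the filter must enforce.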
During the tests they conducted, Argus researchers managed to remotely stop the engine of a moving car by exploiting the vulnerability. They said other actions may have been possible, but that would depend on the make of the vehicle.
The attack requires root access to the Android device and a malicious patch to the mobile app. Car manufacturers have said before that it is hard to stop an attack once an attacker has compromised a smartphone.
However, Argus researchers said they found a way to mount an attack without this requirement.
An information disclosure vulnerability in the authentication process between the app and the dongle allows an attacker to connect to a targeted device without hacking the phone first.
During the authentication process, the dongle sends any connecting Android device various pieces of information that can be used to recover the user-supplied authorization PIN. The PIN can be brute-forced offline (the attack takes up to 30 minutes on a modern laptop), after which the attacker can connect to the dongle.
Once connected, the attacker can send malicious CAN bus messages from their own device, instead of having to hijack the targeted user’s smartphone. The one limitation of this attack is that the attacker needs to be within Bluetooth range of the targeted vehicle.
In an advisory it published, Bosch said it addressed the authentication vulnerability on the server side by introducing two-step verification when additional users are registered to a device.
The company is also working on a firmware update for the dongle to prevent attackers from sending unauthorized CAN messages from a hijacked mobile app.