Vulnerabilities found by researchers in Bosch’s Drivelog Connect product can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus. The vendor has implemented some fixes and is working on adding more attack protections.
Bosch’s Drivelog Connect is a service that provides information about the condition of a vehicle, including potential defects, service deadlines, and data on fuel consumption and driving behavior. The product includes a dongle called Drivelog Connector, which is connected to the car’s OBD2 diagnostics interface, and a mobile application that communicates with the dongle via Bluetooth.
Researchers at automotive cybersecurity firm Argus have identified some potentially serious vulnerabilities in the communications between the mobile app and the dongle.
One of the security holes is related to the authentication process between the Drivelog Connector and the Drivelog Connect smartphone app. The app is available for both iOS and Android, but experts focused on the Android application. The second flaw affects the dongle’s message filter.
According to researchers, diagnostic messages can only be sent to the CAN bus using a valid service ID. However, this message filter can be bypassed by sending OEM-specific messages that can be obtained through CAN traffic monitoring or by fuzzing CAN bus messages.
An attack leveraging this message filter bypass can be launched by a hacker who has obtained root access to the targeted user’s smartphone. During the tests they conducted, Argus researchers said they managed to remotely stop the engine of a moving car by exploiting the vulnerability. They pointed out that, depending on the make and model of the car, other actions may have been possible.
This attack scenario requires root access to the Android device and a malicious patch to the mobile app. Car manufacturers have often pointed out that it’s difficult to prevent attacks once a smartphone has been compromised.
However, Argus researchers have found a way to launch attacks without this requirement. An information disclosure vulnerability in the authentication process between the app and the dongle allows an attacker to connect to a targeted device without hacking the phone first.
During the authentication process, the dongle sends any connecting Android device various pieces of information that can be used to obtain the user-supplied authorization PIN. The PIN can be brute-forced offline – the attack takes up to 30 minutes on a modern laptop – and it can then be used to connect to the dongle.
Once the connection has been completed, the attacker can send malicious CAN bus messages from their own device, instead of having to hijack the targeted user’s smartphone. This attack is mitigated by the fact that the hacker needs to be in Bluetooth range of the targeted vehicle.
In an advisory it published this week, Bosch said it addressed the authentication vulnerability on the server side by introducing two-step verification when additional users are registered to a device. The company is also working on a firmware update for the dongle to prevent attackers from sending unauthorized CAN messages from a hijacked mobile app.