Bosch Drivelog Connect

Vulnerabilities found in Bosch Drivelog Connect car dongles allow an attacker to bypass authentication on the device and issue commands to cars, stopping their engines.

While the latest installment of the Fast and Furious franchise makes car hacking look like a regular occurrence, cars are much harder to hack in real life, and the effects are far less dangerous.

One of the most recent studies in car security was carried out by Argus Cyber Security, an Israeli company founded for the sole purpose of tackling cyber-security in the automotive industry.

Attacker can stop car engine, possibly more

The focus of their most recent research was the Bosch Drivelog Connect, a car dongle that users connect to their automobile's OBD2 diagnostics interface.

The dongle gathers information on the car's current status, fuel consumption, error messages, and displays tips for drivers, such as the location of nearby service centers and upcoming service deadlines. The dongle sends this information to a smartphone the user has paired the dongle with via Bluetooth.

Argus researchers say they've found two issues with the smartphone-dongle connection that allow attackers to send commands to the dongle.

The attack is possible because the dongle doesn't properly filter commands it receives from the smartphone app. For example, the dongle executes some CAN messages outside of the scope a small subset of diagnostic messages (i.e., OBDII PIDs).

In Argus tests, some of these commands stopped a test car's motor, but experts say that further digging around could unearth other commands and potential attacks.

Car dongle susceptible to two attacks

There are two ways to execute this attack. The first and the easiest way is to be in the dongle's Bluetooth range. A vulnerability in the way the dongle handles device pairing allows an attacker to link his device and sends commands to the car.

The second method relies on obtaining root access on the user's phone. This attack is harder to pull off because it relies on social engineering, but once the attacker has access to the phone, he can apply a patch to the Drivelog Connect app and send messages from the user's device to the car.

In a security advisory released last week, Bosch says it mitigated the first attack by adding two-factor authentication to the device pairing process. The company's engineers are still working on a dongle firmware update that will mitigate the second attack.

Image credit: Bosch

Related Articles:

PuTTY SSH client flaw allows recovery of cryptographic private keys

Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks

Telegram fixes Windows app zero-day used to launch Python scripts

Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs

Critical Rust flaw enables Windows command injection attacks