Security researchers have discovered a vulnerability in the Bosch Drivelog Connect car dongles which could enable an attacker to turn off the car’s engine.
The flaws in the dongle and the accompanying smartphone application, discovered by Israeli firm Argus Cyber Security, let hackers circumvent authentication processes and give commands to cars.
The researchers accessed the dongle through an information leak in the authentication process that allowed them to recover the PIN by brute force and connect to the dongle over Bluetooth.
“Once connected to the dongle, security holes in the message filter of the dongle enabled us to inject malicious messages into the vehicle CAN bus,” said Alexei Kovelman, a software engineer at Argus. “In our research, we were able to turn off the engine of a moving car while within Bluetooth range.
“As troubling as that is, in a more general sense, since we can use the dongle to inject malicious messages into the CAN bus, we may have been able to manipulate other ECUs on the network. If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.”
Kovelman first recreated a car environment in a lab to fool the dongle into thinking it was connected to a vehicle. He did this by recording the data collected from an actual car, before replaying these responses in the external environment.
After analysing the encryption protocols on the dongle itself, the team decided to attack through the smartphone app, specifically through the message filter, as the dongle doesn't properly filter the messages it receives from the app before relaying them to the CAN bus.
In light of the vulnerability, Kovelman advises automotive manufacturers to carry out regular penetration testing, ensure products are designed with security in mind, and include multi-layered security solutions.
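The missing control described above is an allow-list on the app-to-bus path. The following is an added illustration (not Bosch's or Argus's code): a filter for a diagnostic dongle that forwards only well-formed OBD-II request frames and drops anything else the phone app sends. The CAN identifiers, permitted services and frame layout are assumptions chosen for illustration.

```python
# Added example, not code from the article's subject. Assumed policy for a
# read-only diagnostic dongle: the phone app may only send OBD-II requests
# (functional ID 0x7DF, physical IDs 0x7E0-0x7E7) for "current data" (0x01)
# and "read DTCs" (0x03). Anything else is dropped, never bridged to the bus.
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit CAN identifier
    data: bytes   # 0..8 payload bytes

ALLOWED_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
ALLOWED_SERVICES = {0x01, 0x03}

def filter_app_frame(frame: CanFrame) -> tuple[bool, str]:
    """Return (forward, reason) for a frame received from the phone app."""
    if not 0 <= frame.can_id <= 0x7FF:
        return False, "invalid 11-bit identifier"
    if frame.can_id not in ALLOWED_IDS:
        return False, "identifier not on diagnostic allow-list"
    if len(frame.data) != 8:
        return False, "OBD-II requests must be padded to 8 bytes"
    pci = frame.data[0]  # ISO-TP PCI byte: 0x0N = single frame of N bytes
    if pci >> 4 != 0 or not 1 <= (pci & 0x0F) <= 7:
        return False, "not a well-formed ISO-TP single frame"
    if frame.data[1] not in ALLOWED_SERVICES:
        return False, f"service 0x{frame.data[1]:02X} not permitted"
    return True, "ok"

def bridge(frames: list[CanFrame]) -> list[CanFrame]:
    """Forward frames that pass the filter; report the ones that are dropped."""
    forwarded = []
    for f in frames:
        ok, why = filter_app_frame(f)
        if ok:
            forwarded.append(f)
        else:
            print(f"dropped id=0x{f.can_id:03X} data={f.data.hex()}: {why}")
    return forwarded

if __name__ == "__main__":
    # Constructed sample traffic from the app: one valid RPM request, one
    # UDS write attempt on a physical address, one frame aimed at an arbitrary ID.
    sample = [
        CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C, 0, 0, 0, 0, 0])),
        CanFrame(0x7E0, bytes([0x03, 0x2E, 0x01, 0x02, 0, 0, 0, 0])),
        CanFrame(0x123, bytes(8)),
    ]
    print(len(bridge(sample)), "frame(s) forwarded")
```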
Car security is fast becoming an extremely serious threat vector and, with the number of connected cars on the roads only continuing to rise, it’s an issue that needs to be plugged sooner rather than later.