Bosch Dongle Issue: Vulnerability Remediated
Earlier this year, researchers at Argus Cyber Security discovered a vulnerability in the Bosch Drivelog. The hardware consists of a dongle connected to the OBD-II port, which is only supposed to gather data about the vehicle’s operation (current status, fuel consumption, error messages, and other messages for the driver). As the data is collected, it is sent to the user’s mobile application over Bluetooth. The app is available on the Android and iOS platforms; the researchers, in this case, focused on Android. The issue affects dongle firmware versions 4.8.0 through 4.9.2 and Drivelog app versions through and including 1.1.
In theory, the dongle’s sole purpose is to provide the user with the vehicle’s information. The equipment, however, can be exploited to stream malicious code to the vehicle’s CAN bus. Argus Research analyzed the communication between the dongle, its connections to the vehicle, and the mobile app, and found two significant vulnerabilities. The first was a data leak in the communication channel, which led to an issue with the authentication between the dongle and the mobile app. The second was a lapse of security in certain portions of the dongle, specifically the message filter.
The CAN bus should only receive diagnostic messages with a valid service ID. The vulnerability allowed the attacker to send OEM-specific messages to the CAN bus, affecting the vehicle. The message format and function may be surmised by simply monitoring the CAN bus traffic. The attack can be carried out once the attacker gains root on the user’s phone; from there, the attacker is able to bypass the filter and send the malicious messages. The attack can also be done without rooting the user’s smartphone, because of the vulnerability in the authentication process between the dongle and the mobile app. The PIN has eight digits, so there are 100M possible PINs, and SHA-256 is used. A laptop is able to run 100M SHA-256 computations and encryption in 30 minutes with the proper software. The process can be shortened further with parallel processing.
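The filtering rule stated above (only diagnostic messages with a valid service ID reach the CAN bus) can be written as a default-deny allowlist. The sketch below is an added example, not Bosch's firmware or Argus's code; the `frame` struct, the function names, the read-only service policy, and the sample frames are assumptions, while the request IDs and service numbers are the standard OBD-II ones (ISO 15765-4, SAE J1979).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Classic CAN frame as the dongle's gateway code might hold it (hypothetical). */
struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* 11-bit OBD-II request IDs (ISO 15765-4): 0x7DF functional, 0x7E0-0x7E7 physical. */
static bool is_physical_id(uint32_t id)    { return id >= 0x7E0 && id <= 0x7E7; }
static bool is_obd_request_id(uint32_t id) { return id == 0x7DF || is_physical_id(id); }

/* Assumed policy: read-only SAE J1979 services. 0x04 (clear DTCs) and 0x08
 * (control on-board system) change ECU state and are left out on purpose. */
static bool is_allowed_service(uint8_t sid) {
    switch (sid) {
    case 0x01: case 0x02: case 0x03: case 0x06:
    case 0x07: case 0x09: case 0x0A: return true;
    default: return false;
    }
}

/* Default deny: forward a phone-originated frame only if every check passes. */
bool filter_allows(const struct frame *f) {
    if (!f || f->dlc < 2 || f->dlc > 8) return false;
    if (!is_obd_request_id(f->id)) return false;      /* OEM-specific IDs stop here */
    uint8_t type = f->data[0] >> 4, low = f->data[0] & 0x0F;
    if (type == 0x3)                                  /* ISO-TP flow control, needed */
        return is_physical_id(f->id) && low <= 2 && f->dlc >= 3;  /* for long replies */
    if (type != 0x0) return false;                    /* no multi-frame requests */
    if (low < 1 || low > f->dlc - 1) return false;    /* length must fit the frame */
    return is_allowed_service(f->data[1]);
}

/* Constructed sample frames; 0x123 is a made-up stand-in for an OEM-specific ID. */
static const struct frame SAMPLES[] = {
    { 0x7DF, 8, { 0x02, 0x01, 0x0C } },  /* service 01, PID 0C (engine RPM): allow */
    { 0x7E0, 8, { 0x30, 0x00, 0x00 } },  /* flow control to one ECU: allow */
    { 0x7E0, 8, { 0x02, 0x08, 0x01 } },  /* service 08, state-changing: deny */
    { 0x7E0, 8, { 0x02, 0x2E, 0x00 } },  /* service ID outside the allowlist: deny */
    { 0x123, 8, { 0x02, 0x01, 0x0C } },  /* valid payload, wrong ID: deny */
    { 0x7DF, 3, { 0x07, 0x01, 0x0C } },  /* PCI length exceeds DLC: deny */
};

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("id=0x%03X sid=0x%02X -> %s\n", (unsigned)SAMPLES[i].id,
               (unsigned)SAMPLES[i].data[1], filter_allows(&SAMPLES[i]) ? "forward" : "drop");
    return 0;
}
```

The check has to run on the dongle itself: as the text notes, the phone can be rooted, so any filtering done only in the mobile app can be bypassed.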
This exploit, when achieved, has serious implications for the driver and passengers. One of the more significant effects would be stopping the engine while the vehicle is moving. Other attacks would also be available.
On the bright side, the attack is not scalable: the attacker has to be in proximity to the dongle.
The issue is difficult to remediate because the user’s phone is in the loop. The third party has no interest in, or control over, the phone. In theory, the phone could be rife with malware and viruses, and there is little the third party could do to resolve this. To add to the complexity, the attackers don’t necessarily need to use the phone as the vulnerable point in the attack. To remediate this, however, Bosch implemented two-factor authentication (TFA), which removes a portion of the risk.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.