More and more devices, from smart dash cams to head-up displays to Bluetooth-enabled diagnostics dongles, are looking to tap your car’s built-in diagnostic (or OBD-II) port for power and data.
The problem: this port… really wasn’t built to be used like that. Primarily designed to be tapped occasionally to better explain that oh-so-vague “Check Engine” light, it certainly wasn’t built to be connected to an always-attached device blasting out all sorts of different wireless protocols whenever the vehicle is on.
Example A: Researchers at Argus Security have found a flaw in a commercially available Bluetooth-enabled diagnostics dongle that let them turn off the vehicle’s engine while the car was moving, as long as they were within Bluetooth range.
The dongle in question is the Bosch Drivelog Connect, a device meant to shed insight on your driving behaviors and send diagnostic information to a companion smartphone app via Bluetooth. To Bosch’s credit, the company began addressing the issue within a day of being alerted, and publicly acknowledged and outlined their fix for the issue here.
“Who cares? I’ve never even heard of that device,” you might say.
It’s a fair stance, but one that assumes that this is the only device that has this sort of flaw. Similar flaws have been found in other devices. Meanwhile, more gadgets are tapping the OBD-II port than ever — I see a new one hit my inbox every few weeks. Many of the ones I check out have obvious user-facing bugs… so it’s probably safe to assume that all the workings behind the scenes aren’t exactly flawless.
So do you need to go rip that shiny new dash cam or smart display out of your car? Probably not — but be mindful of the attack vector you’re introducing to the 4,000-pound metal box you’re cruising around in. It’s the owner’s responsibility to stay up to date on reports regarding the device’s security, and to keep the device itself up to date (a lot of these things are easy to set up and then completely forget).
More crucially, it’s up to the device makers to test the hell out of their devices, hire external firms to try to crack them and patch bugs as quickly as they responsibly can. Consider building a “red alert” notice/mandatory update into apps for the worst stuff.
If you’re interested in the specifics of the research on the aforementioned dongle, Argus has a deep breakdown of their methodology here, from disassembling the companion app, to poking holes in the device’s security, to actually shutting down one of their own vehicles while it was in motion.