That fancy smart gadget you put in your car could let hackers turn off the engine while you drive – TechCrunch
More and more devices, from smart dash cams to head-up displays to Bluetooth-enabled diagnostics dongles, are looking to tap your car's built-in diagnostic (OBD-II) port for power and data.
The problem: this port really wasn't built to be used like that. Primarily designed to be tapped occasionally to better explain that oh-so-vague "Check Engine" light, it certainly wasn't built to host an always-attached device blasting out all sorts of wireless protocols whenever the vehicle is on. The port is wired into the car's internal network (on modern cars, the CAN bus), so a device plugged into it can send messages to the same controllers a mechanic's scan tool does, and anyone who can reach that device wirelessly is one hop away from those controllers.
Example A: Researchers at Argus Security have found a flaw in a commercially available Bluetooth-enabled diagnostics dongle that let them turn off the vehicle's engine while the car was moving, as long as they were within Bluetooth range.
The dongle in question is the Bosch Drivelog Connect, a device meant to shed insight on your driving behavior and send diagnostic information to a companion smartphone app via Bluetooth. To Bosch's credit, the company began addressing the issue within a day of being alerted, and publicly acknowledged and outlined its fix for the issue here.
"Who cares? I've never even heard of that device," you might say.
It's a fair stance, but one that assumes this is the only device with this sort of flaw. Similar flaws have been found in other devices. Meanwhile, more gadgets are tapping the OBD-II port than ever; I see a new one hit my inbox every few weeks. Many of the ones I check out have obvious user-facing bugs, so it's probably safe to assume the workings behind the scenes aren't exactly flawless either.
So do you need to rip that shiny new dash cam or smart display out of your car? Probably not, but be mindful of the attack vector you're introducing to the 4,000-pound metal box you're cruising around in. It's the owner's responsibility to stay up to date on reports about the device's security and to keep the device itself updated (a lot of these things are easy to set up and then completely forget). A device that offers no way to update its firmware at all should be treated as a red flag in itself.
More crucially, it's up to the device makers to test the hell out of their devices, hire external firms to try to crack them and patch bugs as quickly as they responsibly can. For the worst issues, consider building a "red alert" notice into the companion app, or a mandatory update that must be installed before the app will pair with the device again.
If you're interested in the specifics of the research on the aforementioned dongle, Argus has a deep breakdown of its methodology here, from disassembling the companion app, to poking holes in the device's security, to actually shutting down one of their own vehicles while it was in motion.