
There is an emerging class of vehicle data devices known as "Connected Car" products. Two examples are Automatic Pro and Hum, which both plug into your car's OBD-II port and are able to log info such as one's location, or even the state of the engine.

The armchair security researcher in me is horrified to see an embedded computing device such as a vehicle ECU, with virtually no security in its design, connected to the Internet. It seems that all one needs to do to cause a major accident is compromise the device and issue any type of malicious "kill" command impacting anything in the vehicle that is controlled by the ECU. Which, in most vehicles made since 1996, is nearly everything.

Are these devices actually safe to use? Are manufacturers taking the potential compromise of these units seriously? In my evaluation, this would mean disabling any way to send data to the OBD-II port, by omitting a pin or whatever else. If these devices are physically unable to send data to the vehicle's computer, I would feel more confident in their safety (absent the obvious issue of being able to spy on your location). Is such a thing even possible given the features they have?

Anders
Mike Nielsen

1 Answer


Are these devices actually safe to use?

No. These devices have access to the "low speed CAN bus" and actually send out messages on the CAN bus. Anyone compromising your OBD-II device can send out fake messages to trick different ECUs attached to the CAN bus.

Are manufacturers taking the potential compromise of these units seriously?

Yes, but there are a few issues. Although the big manufacturers understand that there is a potential security risk, there is not much they can do about it, due to the inherent limitations of the CAN bus protocol.

In order for them to implement security without changing the CAN bus protocol, the correct way would be one of the following:

  • Manufacture each ECU with an AV in the ECU from the beginning (already being done by Karamba Security)
  • Have another ECU connected to the CAN bus listening and performing DPI (being done by Argus Sec)
  • Performing statistical analytics on the CAN bus behavior and being able to differentiate between normal activity and abnormal activity (being done by Cycuro)

So you are probably asking yourself why you are not seeing any of this being implemented.

Manufacturing companies are scared to insert new devices onto the CAN bus without proper mass testing. In order for small companies to prove their product works, they need to first test it on a massive number of cars, which is not available to them because the manufacturers are scared. So it's a whole loop.

Although this may be the case, there may also be a way out of this loop, as companies like Xee and Carvoyant are providing testing kits to be given out to drivers by developers. These dev-drivers have their data collected and sent to the developers' server, and at this point the data can be used offline/off-road to perform the necessary tests.

Is such a thing even possible given the features they have?

As I mentioned above, currently that is not possible, due to the way the OBD-II protocol is set up.

Conclusion:

Manufacturers want to adopt cyber security prevention, but the market is not ready yet (but closer than ever!), and it is all up to you to make sure you secure the OBD-II environment with your awareness.

The attack vectors will just grow and attacks have the potential to start getting a little crazy (what about a mechanic's computer being compromised and then used to spread malware to cars through the mechanic's OBD-II device?) and we need to wait and hope for the best from the manufacturers.

You can read more about the OBD-II and CAN bus here - CAN Bus and OBD II Explained For Dummies, with Examples of how CAN Bus and OBD II Work

Vilican
Bubble Hacker
    Great answer, I made some edits, if they don't represent your original post just roll those suckers back. – INV3NT3D Dec 14 '16 at 19:46
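The answer makes two points worth seeing in code: a compromised OBD-II dongle can put fake frames on the CAN bus, and the "statistical analytics on the CAN bus behavior" approach catches that by learning what normal traffic looks like. The following is an added example, not code from the question, the answer, or any of the vendors named above. It parses candump-style log lines, learns a per-ID profile (median period and payload length) from a clean capture, and then flags frames in a second capture that break that profile. The arbitration IDs, periods and every log line are constructed for the example and are not any real vehicle's traffic; the 0x7DF frame is the standard OBD-II functional request ID, used here only to show an ID that was absent from the baseline.

```python
"""Toy CAN bus anomaly detector over candump-style log lines.

Added example, not code from the original question or answer. It learns a
per-ID profile (median message period and payload length) from a clean
capture, then flags frames in a second capture that break it. All log lines
below are constructed for the example; the arbitration IDs and periods are
assumptions, not any real vehicle's traffic.
"""
import re
import statistics
from collections import defaultdict

# candump -l style record: "(seconds.micros) iface ID#HEXDATA"
_RECORD = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)"
)

# Frames closer together than this fraction of the learned period are treated
# as injected: a dongle spoofing an ECU sends alongside the real one, so the
# real cadence gains an extra, early frame.
EARLY_RATIO = 0.3


def parse_candump(lines):
    """Return [(timestamp, can_id, payload_bytes)] sorted by time; skip junk lines."""
    frames = []
    for line in lines:
        m = _RECORD.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    frames.sort(key=lambda f: f[0])
    return frames


def learn_profile(frames):
    """Per ID: (median inter-frame period or None, payload length) from clean traffic."""
    last_seen, gaps, dlc = {}, defaultdict(list), {}
    for ts, can_id, data in frames:
        dlc.setdefault(can_id, len(data))
        if can_id in last_seen:
            gaps[can_id].append(ts - last_seen[can_id])
        last_seen[can_id] = ts
    return {
        can_id: (statistics.median(gaps[can_id]) if gaps[can_id] else None, dlc[can_id])
        for can_id in dlc
    }


def detect(frames, profile, early_ratio=EARLY_RATIO):
    """Return [(timestamp, can_id, reason)] for frames that break the learned profile."""
    alerts, last_seen = [], {}
    for ts, can_id, data in frames:
        if can_id not in profile:
            alerts.append((ts, can_id, "unknown id"))
        else:
            period, dlc = profile[can_id]
            if len(data) != dlc:
                alerts.append((ts, can_id, "dlc changed"))
            if period and can_id in last_seen and ts - last_seen[can_id] < period * early_ratio:
                alerts.append((ts, can_id, "injected: frame too early"))
        last_seen[can_id] = ts
    return alerts


def make_clean_capture(n):
    """Constructed clean traffic: ID 0x0C1 every 10 ms (8 bytes), 0x1A0 every 20 ms (4 bytes)."""
    lines = []
    for i in range(n):
        ts = i * 0.010
        lines.append(f"({ts:.6f}) can0 0C1#{i & 0xFF:02X}00000000000000")
        if i % 2 == 0:
            lines.append(f"({ts + 0.001:.6f}) can0 1A0#0000{i & 0xFF:02X}00")
    return lines


TRAINING_LINES = make_clean_capture(50)

# Same traffic plus three constructed anomalies a compromised dongle could cause.
TEST_LINES = make_clean_capture(50) + [
    "(0.201000) can0 0C1#FFFFFFFFFFFFFFFF",  # spoofed 0x0C1, 1 ms after the real one
    "(0.333000) can0 7DF#0201050000000000",  # ID absent from the baseline (a diagnostic request)
    "(0.405000) can0 0C1#AABBCC",            # 0x0C1 with a 3-byte payload instead of 8
]


def analyze(training_lines=TRAINING_LINES, test_lines=TEST_LINES):
    """Learn from the clean capture, then report anomalies in the test capture."""
    profile = learn_profile(parse_candump(training_lines))
    return detect(parse_candump(test_lines), profile)


if __name__ == "__main__":
    for ts, can_id, reason in analyze():
        print(f"{ts:.3f}s  id=0x{can_id:03X}  {reason}")
```

Run on the constructed test capture it reports three frames: the spoofed 0x0C1 that arrived 1 ms after the genuine one, the 0x7DF request the baseline never saw, and the 0x0C1 frame whose payload length changed. The early-frame check is the one that matters for the spoofing case the answer describes, because an attacker who cannot silence the real ECU has to race it, and the race is visible as a broken cadence even when the payload looks plausible. The threshold and the median-based profile are deliberately simple; a production in-vehicle IDS would also model payload ranges and ID sequencing.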