Argus Cyber took over a car's critical systems via Bluetooth
20 April, 2017
Bosch Drivelog Connector vulnerabilities enabled the Argus research group to take control of a moving car and remotely stop the engine
Argus Cyber Security experts took over a car through a Bluetooth connection. In a post uploaded on the company’s blog, it describes how its research group succeeded in remotely taking over safety-critical vehicle systems via a Bosch Drivelog Connector dongle installed in the vehicle. A vulnerability found in the authentication process between the dongle and the Drivelog Connect smartphone application enabled Argus experts to uncover the security code and communicate with the dongle from a standard Bluetooth device, such as a smartphone or laptop.
After gaining access to the communications channel, Argus researchers were able to duplicate the message command structure and inject malicious messages into the in-vehicle network, effectively bypassing the secure message filter that was designed to allow only specific messages. This enabled the Argus research group to take control of a moving car and remotely stop the engine.
Drivelog Connect is an online car manager service of the Bosch subsidiary, Mobility Media GmbH. This new service informs car drivers about the condition of their vehicle. For this purpose, a special connector called Drivelog Connector is plugged into the vehicle’s OBD2 diagnostic interface. This connector can then transmit via Bluetooth any important information regarding the vehicle condition to the Drivelog Connect app installed on the user’s smartphone.
Cryptography is not enough…
“The Bosch discovery demonstrates that solutions based on cryptography, even when designed by leaders in the industry, are not foolproof and that multi-layered defenses are required to effectively protect vehicles from cyber threats,” said Yaron Galula, Argus CTO and Co-Founder.
As soon as Argus found cyber security vulnerabilities in the Bosch Drivelog Connector dongle, Bosch was duly informed. “When Argus informed us about the security gaps, we took immediate action to verify and fix the issues,” said Thorsten Kuhles, head of the Bosch Product Security Incident Response Team (PSIRT). “A patch that fixes the underlying weaknesses in the encryption protocol will be available shortly. This patch will prevent the kind of attack as described by Argus.”
Founded in 2013, Argus is headquartered in Tel-Aviv, Israel, with offices in Michigan, Silicon Valley, Stuttgart and Tokyo. It provides comprehensive suites that protect connected cars and commercial vehicles against cyberattacks. The company’s customers include car manufacturers, their Tier 1 suppliers, and aftermarket connectivity providers.
Emulating the car in the Lab
The hacking team explained how the attack was performed: “We downloaded the Drivelog Connect app, which connects to the dongle via Bluetooth and enables the driver to review vehicle health, track trip data and more. The Drivelog Connect app is available for both Android and iPhone. Due to the open nature of the Android OS, we focused on the Android version during our research.
“The first thing we had to do was get the Drivelog dongle and mobile app to work in a lab without actually being connected to a running car. Therefore, our first order of business was to recreate a car environment in order to fool the dongle into working outside an actual car. We observed the data the dongle required to function by recording and analyzing the CAN bus traffic of an actual car while the dongle was connected. Because the Drivelog Dongle supports a wide variety of car makers and models, we assumed it would only use OBDII PIDs – a small subset of standardized diagnostic messages widely supported by car OEMs.
“The basic idea was simple: First, connect the dongle to a running car, identify the PID requests sent by the dongle and record the responses from the car; next, we needed to simulate a running vehicle in a lab – when the dongle sent its requests, we replayed the recorded responses from the car, which caused the dongle to behave normally. After reviewing all the PID messages sent over the CAN bus, we constructed a request-response dictionary that allowed us to emulate the normal in-vehicle messages of a car. With the dongle working in a lab environment, we then turned our attention to the Android application and after decompiling the Java binaries, we were able to start our review of the source code.”
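The request-response dictionary described above can be sketched as a lab test-bench helper. This is an added example, not code from Argus or from the original article; it assumes a candump-style text log and standard 11-bit OBD-II addressing (requests on 0x7DF, responses on 0x7E8 to 0x7EF), and the log lines are constructed rather than captured from a vehicle.

```python
import re

# Constructed sample in candump -L format (not a capture from a real vehicle).
SAMPLE_LOG = """\
(1492680000.100000) can0 7DF#02010C0000000000
(1492680000.104000) can0 7E8#04410C1AF8000000
(1492680000.200000) can0 7DF#02010D0000000000
(1492680000.203000) can0 7E8#03410D3C00000000
(1492680000.250000) can0 244#0000000000
(1492680000.300000) can0 7DF#0201050000000000
(1492680000.305000) can0 7E8#0341057B00000000
"""

FRAME = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")
OBD_REQUEST_ID = 0x7DF                   # assumed: functional diagnostic request ID
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)   # assumed: ECU response IDs


def parse(log):
    """Yield (can_id, payload_bytes) for every well-formed log line."""
    for line in log.splitlines():
        m = FRAME.match(line.strip())
        if m:
            yield int(m.group(3), 16), bytes.fromhex(m.group(4))


def build_dictionary(log):
    """Map (service, PID) of each recorded request to the response that followed."""
    table, pending = {}, None
    for can_id, data in parse(log):
        if can_id == OBD_REQUEST_ID and len(data) >= 3 and data[0] >= 2:
            pending = (data[1], data[2])
        elif can_id in OBD_RESPONSE_IDS and pending and len(data) >= 3:
            # A positive response echoes service + 0x40 and the same PID.
            if (data[1], data[2]) == (pending[0] + 0x40, pending[1]):
                table[pending] = (can_id, data)
                pending = None
        # Any other traffic (e.g. ID 0x244 above) is not diagnostic and is skipped.
    return table


def respond(table, request_data):
    """Return the (can_id, payload) to replay, or None for a PID never recorded."""
    if len(request_data) < 3:
        return None
    return table.get((request_data[1], request_data[2]))
```

A request for a PID that was never recorded returns `None`, which is the case a bench operator needs to notice: the device under test is asking for something the recording does not cover.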