Flaws in the Bosch Drivelog Connector dongle could allow hackers to halt the engine

Security experts discovered vulnerabilities in the Bosch Drivelog Connector dongle that could be exploited by hackers to stop the engine.

Security researchers at automotive cybersecurity firm Argus discovered vulnerabilities in the Bosch Drivelog Connect solution that can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus.

The Bosch Drivelog Connect is a system that provides information about the state of a vehicle; it includes the Drivelog Connector dongle.

The Drivelog Connector dongle is connected to the OBD2 diagnostics interface of the vehicle, and a mobile application communicates with it via Bluetooth.

The researchers analyzed the communication protocol between the mobile app and the dongle and identified two potentially serious vulnerabilities.

“The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform. On February 20th, 2017, in accordance with Argus’ responsible disclosure policy, upon uncovering the vulnerabilities we informed Bosch of our findings. On February 21st, 2017, Bosch’s Product Security Incident Response Team (PSIRT) contacted Argus and began addressing the issue.” reads the analysis published by Argus.

“In summary, the following two vulnerabilities were found:

  • An information leak in the authentication process between the Drivelog Connector Dongle and the Drivelog Connect smartphone application.
  • Security holes in the message filter in the Drivelog Connector dongle.”

One of the vulnerabilities affects the authentication process between the Drivelog Connector and the Drivelog Connect mobile app. The experts have analyzed the Android version of the mobile app.

The second flaw resides in the message filter in the Drivelog Connector dongle.

According to researchers, diagnostic messages can only be sent to the CAN bus using a valid service ID, but the attacker can use OEM-specific messages that pass the filter in order to have a physical effect on the car.

An attacker with root privileges on the driver’s mobile phone can leverage this message filter bypass to send malicious CAN messages outside the scope of a small subset of diagnostic messages (i.e., OBDII PIDs).
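As an added illustration (not code from Argus, Bosch or the original article), the C example below contrasts a filter that checks only the service ID with a strict allowlist for OBD-II requests that rebuilds each frame from validated fields. The frame type, function names and sample frames are hypothetical, and the weak filter is an assumed model: the article does not describe the dongle's actual filter logic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal CAN frame model (hypothetical type, not the dongle's firmware). */
struct can_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* Constructed samples: an OBD-II engine-RPM request, and a frame for an
 * arbitrary CAN ID whose second byte merely looks like a valid service ID. */
static const struct can_frame rpm_request = { 0x7DF, 8, { 0x02, 0x01, 0x0C, 0, 0, 0, 0, 0 } };
static const struct can_frame odd_frame =
    { 0x123, 8, { 0x07, 0x01, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00 } };

/* Weak model (assumption): accept anything with a standard OBD-II service ID. */
bool filter_service_only(const struct can_frame *f)
{
    return f->dlc >= 2 && f->data[1] >= 0x01 && f->data[1] <= 0x0A;
}

/* Read-only mode 0x01 PIDs this gateway may request: coolant temperature,
 * engine RPM, vehicle speed, fuel level. */
static const uint8_t allowed_pids[] = { 0x05, 0x0C, 0x0D, 0x2F };
/* Strict allowlist: check address, framing, service and PID, then rebuild
 * the frame from validated values so no unchecked byte reaches the bus. */
bool filter_strict(const struct can_frame *in, struct can_frame *out)
{
    if (in->id != 0x7DF && (in->id < 0x7E0 || in->id > 0x7E7))
        return false;                 /* not an OBD-II request address */
    if (in->dlc != 8 || in->data[0] != 0x02 || in->data[1] != 0x01)
        return false;                 /* single frame, 2 bytes, mode 0x01 */
    if (memchr(allowed_pids, in->data[2], sizeof allowed_pids) == NULL)
        return false;                 /* PID not on the allowlist */

    memset(out, 0, sizeof *out);      /* padding bytes forced to zero */
    out->id = in->id;
    out->dlc = 8;
    out->data[0] = 0x02;
    out->data[1] = 0x01;
    out->data[2] = in->data[2];
    return true;
}

int main(void)
{
    struct can_frame out;
    /* Both pass the weak check; only the real request passes the strict one. */
    return !(filter_service_only(&odd_frame) && filter_strict(&rpm_request, &out)
             && !filter_strict(&odd_frame, &out));
}
```

Because the strict filter forwards a rebuilt frame rather than the caller's bytes, trailing payload that the validation never inspected cannot reach the bus.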

According to Argus, during the tests, its researchers managed to remotely stop the engine of a moving car by triggering the vulnerability.

Car vendors highlight that this kind of attack is very hard to prevent because the attackers have taken over the smartphone of the legitimate driver.

Researchers from Argus went further: they devised a method to launch the attack without compromising the driver’s smartphone.

The experts discovered an information disclosure vulnerability in the authentication process between the app and the dongle that could be exploited by an attacker to connect to a targeted device without compromising the phone first.

Analyzing the authentication process, researchers discovered the dongle sends any connecting Android device various pieces of information that can be used to obtain the user-supplied authorization PIN.

The amount of data is enough to guess the PIN offline through a brute-force attack that is limited only by the number of possible PINs.

“Since, a Drivelog Dongle’s PIN has eight digits, there are 100 million possible PINs. A single verification requires a SHA256 calculation and a public key encryption operation. The calculations can be trivially parallelized – but the reality is, there’s no need: a modern laptop can run 100 million SHA256 computations and encryptions in roughly 30 minutes (according to independent benchmarks for the Ed25519 public-key signature system) using properly optimized software.” reads the analysis. “The time needed can be further reduced by running several brute-forcing servers in parallel.”

Once the connection has been established, the attacker can send malicious CAN bus messages from their own device instead of having to compromise the driver’s smartphone; the only limitation is that the hacker needs to be within Bluetooth range of the targeted vehicle.

Bosch fixed the issues by introducing two-step verification in the authentication process.

“The improper authentication vulnerability in the Bluetooth communication has been mitigated by activating a two-step verification for additional users to be registered to a device. This has been implemented on the server, so no action is required by the user. To further increase security in the authentication process an application and dongle firmware update will also be released.” states the advisory published by Bosch.

The company plans to release a firmware update for the Drivelog Connector dongle to prevent this kind of attack.

Pierluigi Paganini

(Security Affairs –  Bosch Drivelog Connector dongle, hacking)
