OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog OBD-II dongle and inject arbitrary malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once connected, security holes in the dongle’s message filter allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating a two-step verification for additional users to be registered to a device. The second issue, the ability of a maliciously modified mobile application to send unwanted CAN messages, will be mitigated with an update to the dongle firmware that further limits the commands the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10 m, which is already a stretch to call physical proximity, and it is easy to buy or even modify a Bluetooth dongle with 10x to 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

A Solar-Powered Headset From Recycled Parts

Solar power has surged ahead in recent years, and access for the individual has grown accordingly. Not waiting around for a commercial alternative, Instructables user [taifur] has gone ahead and built himself a solar-powered Bluetooth headset.

Made almost completely of recycled components — reducing e-waste helps us all — only the 1 W flexible solar panel, voltage regulator, and the RN-52 Bluetooth module were purchased for this project. The base of the headset has been converted from [taifur]’s old wired one, while a salvaged boost converter and charge controller — for a lithium-ion battery — form the power circuit. An Apple button makes an appearance alongside a control panel from a portable DVD player (of all things), and an MP4 player’s battery. With some careful recovery and reconfiguration work done, reassembly with a little assistance from the handyman’s secret weapon — duct tape — and gobs of hot glue bore a wireless fruit ready to receive the sun’s bounty.


Taking A Robot For A Drive

Instructables user [Roboro] had a Mad Catz Xbox steering wheel controller he hasn’t had much use for of late, so he decided to hack and use it as a controller for a robot instead.

Conceivably, you could use any RC car, but [Roboro] is reusing one he used for a robot sumo competition a few years back. Cracking open the controller revealed a warren of wires that were — surprise, surprise — grouped and labelled, making for a far less painful hacking process. Of course, [Roboro] is only using the Xbox button for power, the player-two LED to show the connection status, the wheel, and the pedals, but knowing which wires are which might come in handy later.

An Arduino Uno in the wheel and a Nano in the robot are connected via CC41-A Bluetooth modules which — despite having less functionality than the HM10 module they’re cloned from — perform admirably. A bit of code and integration of a SN754410 H-bridge motor driver — the Arduino doesn’t supply enough current to [Roboro]’s robot’s motors — and the little robot’s ready for its test drive.


Reverse Engineering Enables Slick Bluetooth Solution for Old Car Stereo

Those of us who prefer to drive older cars often have to make sacrifices in the entertainment system department to realize the benefits of not having a car payment. The latest cars have all the bells and whistles, while the cars of us tightwads predate the iPod revolution and many lack even an auxiliary input jack. Tightwads who are also hackers often remedy this with conversion projects, like this very slick Bluetooth conversion on a Jeep radio.

There are plenty of ways to go about piping your favorite tunes from a phone to an old car stereo, but few are as nicely integrated as [Parker Dillmann]’s project. An aftermarket radio of newer vintage than the OEM stereo in his 1999 Jeep would be one way to go, but there’s no sport in that, and besides, fancy stereos are easy pickings from soft-top vehicles. [Parker] was so determined to hack the original stereo that he bought a duplicate unit off eBay so he could reverse engineer it on the bench. What’s really impressive is the way [Parker] integrates the Bluetooth without any change to OEM functionality, which required a custom PCB to host an audio level shifter and input switch. He documents his efforts very thoroughly in the video after the break, but fair warning of a Rickroll near the end.

So many of these hacks hijack the tape deck or CD input, but thanks to his sleuthing and building skills, [Parker] has added functionality without sacrificing anything.


No-Etch: The Proof in the Bluetooth Pudding

In a previous episode of Hackaday, [Rich Olson] came up with a new no-etch circuit board fabrication method. And now, he’s put it to the test: building an nRF52 Bluetooth reference design, complete with video, embedded below.

The quick overview of [Rich]’s method: print out the circuit with a laser printer, bake a silver-containing glue onto the surface, repeat a few times to get thick traces, glue the paper to a substrate, and use low-temperature solder to put parts together. A potential drawback is the non-negligible resistance for the traces, but a lot of the time that doesn’t matter and the nRF52 reference design proves it.

The one problem here may be the trace antenna. [Rich] reports that it sends out a weaker-than-expected signal. Any RF design folks want to speculate wildly about the cause?


Awesome Prank or Circuit-Breaker Tester?

Many tools can be used either for good or for evil — it just depends on the person flipping the switch. (And their current level of mischievousness.) We’re giving [Callan] the benefit of the doubt here and assuming that he built his remote-controlled Residual Current Device (RCD) tripper for the purpose of testing the safety of the wiring in his own home. On the other hand, he does mention using it to shut off all the power in his house during an “unrelated countdown at a party”. See? Good and evil.

An RCD (or GFCI in the States) is a kind of circuit breaker that trips when the currents in the hot and neutral mains power lines aren’t equal and opposite, which would suggest that the juice is leaking out somewhere, hopefully not through someone. It only takes a few milliamps of imbalance to trip one, so that nobody gets hurt. Making a device to test an RCD is easy; a resistor between hot and the protective ground circuit would do.

[Callan] over-engineers. He used a 50 W resistor where 30 W would do under the worst circumstances. A stealthy solid-state relay switches the resistor in, driven by an Uno and a Bluetooth module, so he can trip his circuit breakers from his smartphone, naturally.

Reprogramming Bluetooth Headphones for Great Justice

Like a lot of mass-produced consumer goods, it turns out that the internal workings of Bluetooth headphones are the same across a lot of different brands. One common Bluetooth module is the CSR8645, which [lorf] realized was fairly common and (more importantly) fairly easy to modify. [lorf] was able to put together a toolkit to reprogram this Bluetooth module in almost all of these headphones.

This tip comes to us from [Tigox] who has already made good use of [lorf]’s software. Using the toolkit, he was able to reprogram his own Bluetooth headphones over a USB link to his computer. After downloading and running [lorf]’s program, he was able to modify the name of the device and, more importantly, was able to adjust the behavior of the microphone’s gain which allowed him to have a much more pleasant user experience.

Additionally, the new toolkit makes it possible to flash custom ROMs to CSR Bluetooth modules. This opens up all kinds of possibilities, including the potential to use a set of inexpensive headphones for purposes other than listening to music. The button presses and microphones can be re-purposed for virtually any task imaginable. Of course, you may be able to find cheaper Bluetooth devices to repurpose, but if you just need to adjust your headphones’ settings then this hack will be more useful.

[Featured and Thumbnail Image Source by JLab Audio LLC – jlabaudio.com, CC BY-SA 4.0]