OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog OBD-II dongle and inject any kind of malicious packet into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed the researchers to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once they were connected, security holes in the dongle’s message filter allowed them to inject malicious messages into the CAN bus.

Bosch has fixed the Bluetooth pairing mechanism, called “Just Works”, by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.
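As an added example (not Bosch's firmware or the Argus team's code), here is the kind of default-deny filter the firmware mitigation above implies: only read-only OBD-II diagnostic requests may reach the CAN bus. The struct, the function name and the list of permitted services are assumptions for illustration; the request IDs and single-frame layout follow standard OBD-II on CAN.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical frame type for this example; not the dongle's real structures. */
struct can_frame_in {
    uint32_t id;        /* CAN identifier the phone app asked to send */
    bool     extended;  /* true for a 29-bit identifier */
    uint8_t  dlc;       /* data length code, 0..8 */
    uint8_t  data[8];
};

/* Assumed policy: read-only OBD-II services and their exact request lengths. */
static const struct { uint8_t sid, len; } ALLOWED[] = {
    { 0x01, 2 },  /* current data: SID + one PID */
    { 0x02, 3 },  /* freeze frame: SID + PID + frame number */
    { 0x03, 1 },  /* read stored trouble codes */
    { 0x09, 2 },  /* vehicle information: SID + InfoType */
};

/* Default-deny: true only for a well-formed, read-only diagnostic request. */
bool dongle_may_transmit(const struct can_frame_in *f)
{
    if (f == NULL || f->extended || f->dlc != 8)
        return false;               /* OBD-II on CAN pads requests to 8 bytes */
    /* Only the functional (0x7DF) or physical (0x7E0-0x7E7) request IDs. */
    if (f->id != 0x7DF && (f->id < 0x7E0 || f->id > 0x7E7))
        return false;
    /* ISO-TP single frame only: PCI high nibble 0, low nibble = payload length. */
    if ((f->data[0] & 0xF0) != 0x00)
        return false;
    uint8_t len = f->data[0] & 0x0F;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (ALLOWED[i].sid == f->data[1] && ALLOWED[i].len == len)
            return true;
    return false;                   /* everything else never reaches the bus */
}

int main(void)
{
    /* Constructed samples: a vehicle-speed read and a non-diagnostic frame. */
    struct can_frame_in ok  = { 0x7DF, false, 8, { 0x02, 0x01, 0x0D } };
    struct can_frame_in bad = { 0x123, false, 8, { 0x02, 0x01, 0x0D } };
    return (dongle_may_transmit(&ok) && !dongle_may_transmit(&bad)) ? 0 : 1;
}
```

The filter checks the identifier, the frame type and the service byte together, so a frame that matches only one of them is still dropped.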

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is arguably physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x or even 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

Bil Herd Asks OBD “How Fast am I Going?”

Whenever I end up with a new vehicle I ultimately end up sticking in a new GPS/Receiver combination for better sound quality and a better GPS.

I am quite at home tearing into a dashboard as I was licensed to install CB radios in my teens as well as being the local go-to guy for 8-track stereo upgrades in the 70’s. I have spent a portion of my life lying upside down in a puddle on the car floor peering up into the mess of wires and brackets trying to keep things from dropping on my face. If you remember my post on my Datsun 280ZXT, I lay in that same position while welding in a clutch pedal bracket while getting very little welding slag on my face. I did make a note that the next time I convert a car from an automatic to a manual to do so while things are still disassembled.

Swapping out a factory radio usually involves choosing whether to hack into the existing factory wiring wire-by-wire, or my preference, getting a cable harness that mates with the factory plug and making an adapter out of it by splicing it to the connector that comes with the new radio.

Usually I still have to hunt down a few signals such as reverse indicator, parking brake indicator, vehicle speed sensor and the like. In my last vehicle the Vehicle Speed Sensor (VSS) wire was supposed to be in the factory harness, but driving experience showed it must not be as the GPS would show me driving 30 feet to the right of the highway. That and the calibration screen on the GPS verified that it was not receiving speed pulses.


Maintenance, Emissions, and Privacy: The OBD Story

The 90s were a pivotal time in world history, and 1996 was no different. You might have spent the year glued to the TV playing Super Mario 64, or perhaps you were busy campaigning for Bill Clinton or Bob Dole, or maybe you were so depressed that Princess Diana and Prince Charles divorced that you spent the whole year locked in your room, a prisoner of your own existential nihilism. Whatever you did, though, it’s likely that one major event passed you by without a thought: The standardization of on-board vehicle diagnostics (in the US), otherwise known as OBD-II.

In the 1970s, vehicles (in some western countries, at least) were subject to ever-increasing restrictions on emissions. Most companies began switching from carburetors to efficient fuel injection systems, but even that wouldn’t be enough for the new standards. Cars began to carry rudimentary computer systems to manage and control the influx of valves, meters, and sensors that became the new norm. And, as one would guess, every car company had their own standard for managing and monitoring these computer systems. Eventually they would settle on the OBD system that we have today.


Raspberry Pi Adds A Digital Dash To Your Car

Looking for a way to make your older car more hi-tech? Why not add a fancy digital display? This hack from [Greg Matthews] does just that, using a Raspberry Pi, an OBD-II Consult reader and an LCD screen to create a digital dash that can run alongside (or in front of) your old-school analog dials.

[Greg’s] hack uses a Raspberry Pi Foundation display, which includes a touch screen, so you don’t need a mouse or other controls. Node.js displays the speed, RPM, and engine temperature (check engine lights and other warnings are planned additions) through a webpage displayed using Chromium. The Node page is pulling info from another program on the Pi which monitors the CAN Consult bus. It would be interesting to adapt this to use with more futuristic displays, maybe something like a pico projector and a 1-way mirror for a heads-up display.

To power the system [Greg] is using a Mausberry power supply which draws power from your car battery, but which also cleanly shuts down the Pi when the ignition is turned off so it won’t drain your battery. When you throw in an eBay-sourced OBD-II Consult reader and the Consult Dash software that [Greg] wrote to interpret and display the data from the OBD-II Consult bus, you get a decent digital dash display. Sure, it isn’t a Tesla touchscreen, but at $170, it’s a lot cheaper. Spend more and you can easily move that 60″ from your living room out to your hoopty and still use a Raspberry Pi.

What kind of extras would you build into this system? Gamification of your speed? Long-term fuel averaging? Let us know in the comments.

UPDATE – This post originally listed this hack as working from the OBD-II bus. However, this car does not have OBD-II, but instead uses Consult, an older data bus used by Nissan. Apologies for any confusion!


Connecting Your Car to the Internet

Internet of Things? What about the Internet of Cars? It’s actually rather surprising how slow the auto industry is in developing all new vehicles to be connected to the net from the get go. Well if you can’t wait, you can always hack. [John Reimers] shows us how to use an Electric Imp combined with OBD-II to remotely monitor your vehicle.

Using the ever venerable OBD-II port on your vehicle (think USB for cars if you’re not familiar), you can pull all kinds of information off of your vehicle’s engine: fuel economy, temperatures, load, timing, error codes, etc. There are many devices out there to do this for you, from auxiliary gauges like the ScanGauge II, to Bluetooth OBD-II dongles which can send the data to your phone. Or you can build your own.


Delicious Dash Pi Driving Data

A few weeks ago, [sentdex] described how Python has changed his life. In particular, it has allowed him to mine Bitcoin automatically, teach other people programming, and realize a full in-car computer for less than $100 using a Raspberry Pi.

It’s based on a model B, which he’s enclosed in a beefy Pi camera case that sits on the dash of his Honda S2000. The screen is a $17 internet special with composite in, which keeps the BOM way down. A 3A switch wired into the ignition ensures that power to the Pi is not rudely interrupted.

A script takes the Pi directly into desktop mode when [sentdex] starts the car. His main goals for the project were setting up a dash cam and communicating with the OBD computer. The Pi pulls various data points including the throttle position, and the user moves through the list with the arrow keys of one of those roll-up keyboards.

In the future, he’d like to upgrade it to live graph the throttle position and add a sensor to show the brake position. Be sure to check out the walk-through/demonstration video after the break.


Ceci N’est Pas Une Clock

[Justin] tipped us about his slick custom OBD-II gauge that could easily pass for an OEM module. He was able to use the clock area of his Subaru BRZ to display a bunch of information including the oil and coolant temperatures and the battery voltage.

The forum post linked above has a good FAQ-based explanation of what he did, but so many people have told him to shut up and take their money that he created an Instructable for it. Basically, he’s got a SparkFun OBD-II UART board communicating with a Pro Trinket. The display is an Adafruit OLED, which he found to be an ideal choice for all the various and sundry light conditions inside the average car.

[Justin] was able to reuse the (H)our and (M)inute buttons and reassigned them to (H)igh to show the peak reading and (M)ode to, well, switch between modes. The (:00) now resets the peak readings. He offers suggestions for acquiring the specific CAN codes for your car to make the data more meaningful. [Justin]’s code is safe in the many tentacles of Octocat, and you can check out his demo video below.
