Remotely Controlling Automobiles Via Insecure Dongles

Zubie

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some ODBII dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s ODBII diagnostic port. The device can monitor sensor data from your vehicle and them perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the ODBII connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then setup a rogue cellular tower to perform a man in the middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking hte doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device that monitors your driving habits via the ODBII port called SnapShot. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man in the middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have too in order to prove his point.

The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

56 thoughts on “Remotely Controlling Automobiles Via Insecure Dongles

  1. One would think that after the hotel room card lock hack that companies making stuff like this would not leave wide open avenues of access.

    But nooo. They naively assume that only their technical and service people will ever be using those local or remote methods of reading or writing data in the device.

  2. things like this are why those insurance company dongles need to be legislated out of existance. time and time again we’ve seen that corporations dont know how to or care to secure their shit before releasing it to the public.

    1. I’m pretty sure the insurance companies would figure it out once some guy on Alibaba starts selling a “diagnostic tool” that “smoothes” the CANBUS signals so that the dongle never exceeds 57MPH or some grandmotherly level of acceleration. A strong hint of this happening would be a large increase in the number of men under 25 with WRXs requesting the dongle….

    2. I agree they are bad thing.
      I think they also need to legislate that ECMs and body controllers have an air gap or at least a firewall that sanitizes the data between devices with web enabled features.
      Ie the engine can only send data one way to the entertainment center for diagnostics or a switch be in place to enable and disable the feature by physically cutting the connection.
      Hand brakes should always be purely mechanical as they’re your last back up braking system when the main fails I once avoided getting in a wreck with one when a brake line failed
      The head light controller to have no can bus connections at all it doesn’t need one.
      All it needs is some logic level inputs that tell the light to flash when the door is unlocked and a connection to switched power on the run position so it can know if the key is in the on position.
      Maybe push button start needs to at least be made an optional thing as when you have it you have only one layer of anti theft or the remote start also be isolated from other parts of the system and made to ignore remote commands once the car is started.
      Being able to shut down a car remotely is an accident waiting to happen.

    3. Here’s a better idea: legislation that outlaws car designs that allow vehicle functions to be *controlled* from this interface, instead of just monitoring and reporting on it. Kind of like putting in a home security system and then leaving the doors unlocked, you know?

    1. Actually hacking a vehicle would take ALOT of work and even then its highly doubtful they could do anything fun. Each manufacturer and even sometimes by model have different commands to control functions. There are Tech level scanners that can control functions such as Throttle body calibration, wipers, steering, head light, ect. High level controls even then are few and far between. About the most invasive thing you can do is force the transmission to shift or drop the spark on a certain cylinder. The device mentioned in the article is also missing some rather important pins needed to communicate back to the ECU.

        1. My car is getting a motor rebuilt because of this-a weak injector leaned out a cylinder bad enough to burn a valve, that caused a valve to hang, impact a piston and damage both heads and block. :(

          1. yep, it is all too common, certain engines just cannot take any amount of detonation and they’ll disintegrate, you can push a piston though the engine wall.

            sorry to hear about yours though.

            there are lots of other invasion things you can do, change temperature compensation tables, engines with VVTI etc you can play havoc with too, lots of cars don’t have any fail safes and if you alter the calibrations for sensors, it’d think everything was ok anyway.

      1. Well if you vehicle has cyber physical features such as auto braking or parking assist with steering there’s all sorts of bad things a hacker can do by hacking the body controller vs the ECM.
        Such as making the car slam on the brakes on the highway or make the steering wheel jerk to the side etc.
        It could in theory cause a pile up.
        I seen it demoed on a third generation Prius ironically the first and second are less susceptible though they had physical access to the can bus but any devices that links a wireless connection to the can bus in theory could enable someone to do the same remotely.

      2. Um, the article states that they were able to unlock doors. I’d say this is bad enough right there. I’d be far less worried about remote shutdown and things on that order, as most people that would make use of this would probably be just stealing the car when it was unoccupied.

    2. People hack vehicles all the time.
      It is called “chip-tuning” and tinkers with the motor’s settings.
      A friend recently got an OBD plug to enable the AUX input of the car’s radio and soldered a headphone socket to it.
      Obviously noone is using settings where you delay your breaks by x = groundspeed * 1ms, but you COULD.

    3. Paragraph 4, the team unlocked doors and messed with the instrument panel. It isn’t a giant leap to mess with engine timings or telling the speedometer to report the speed 10% lower.

      Remember all the hoopla a few years ago with Toyoda and their malfunctioning computers? If you can gain access to the dongle, you can cause the computer to “malfunction” whenever you want.

  3. Not remotely controlling anything. Overly sensationalized headline worthy of FOX News not worthy of HAD.

    you are not going to disable brakes via ODB-II or cause the car to start and run. the most you can do is screw with things in the dongle and reset service intervals. The CANBUS pins are not even connected on that dongle, and they dont need to be in those instances. You are not causing havoc without full canbus connection.

    1. There have been other reports on how to bridge the gap between separate I2C strains in the cars’ electronics.
      So even if lets say breaks and doorlocks have their own domains, at some point they overlap/touch and that is where you can enter.
      One research even described the wireless tyre pressure sensors as an attack-vector.

      Another report suggested that it is possible to manipulate the main unit’s firmware in a way so that when the car hits lets say 200km/h the front left break would set in while tilting the wheels or any other horrible scenario.
      And while the car is still spinning through the air the µC resets and deletes all the logs plus reinstalls the original firmware.
      Of cause that is a VERY specific attack, but it is not impossible and how many firmware updates do 2004 cars get these days?

        1. Can you prove that there’s not a car out there where you can’t abuse the K-line bus to get access to the CAN bus? Or that there’s no way to do bad things directly through the K-line bus?

    2. Every time someone calls it ODB-II, RZA cries a little.

      Just because these dongles only use the K-line pins doesn’t mean that they can’t do any damage. Every car must have some device that acts as a gateway between K-line and CAN so that faults can be managed. Even without CAN access, there are a lot of aftermarket ECU firmware developers who make a living picking apart the firmware. It’s within the public’s reach to find an exploit in the ECUs of a wide range of make/model combos and use one of these “innocuous” dongles to do nasty things.

      BSG-reboot rules apply here: the only way to make any computer secure is with an air gap.

      1. That’s pretty much true though it can be reduced by using efficient and compact code that presents a smaller foot print to a hacker.
        The larger the foot print ie code base the more likely there will be a flaw that can be exploited.
        But still some stuff such as ECMs should always have an air gap with the internet and cellular communications.

  4. Moin,

    Note that auto security generally is worse than you’d think (also to @timgray1 above who thinks you can’t do anything on the CAN). There was an extremely cool pair of publications back in 2010/2011 at http://www.autosec.org/publications.html I strongly recommend to read these. What they essentially did is get a team of students together and have fun with cars. You can actually feel the fun when you read between the lines of the somewhat dry academic-y papers (for example there’s one instance where they encountered a rather alien processor architecture and just went ahead and wrote an IDA plugin for it).

    One paper looks at the external attack surfaces and the other at what you can do once you have (any) CAN bus access. On the attack surface front there are such great Rube-Goldberg devices as a WMA file that will play normally on a PC but take over the car stereo when burned to a CD (and from the car stereo you can then hop onto other systems), or just calling an OnStar enabled car and playing a specially prepared audio tape (as in: literally holding a cassette player’s speaker next to the microphone of a normal phone handset).


    Henryk Plötz
    Grüße aus Berlin

  5. Let’s see….. Unsecured dongles that can plug into the OBD2 port on cars, connect to a cellular network, and don’t encrypt or authenticate their firmware or the connection (it appears), could be setup to control or track a vehicle without an owner knowing…. Law enforcement has this new ‘Stingray’ tool that fakes a cellular site…. anyone seeing what I’m seeing here?

      1. The article talks about two OBDII dongles that drivers *willingly* install in their car (but for obviously other reasons). You don’t need to break in if the driver does the work for you.

  6. I understand that a specific attack for a specific car is not necessarily trivial to set up, but the fact that the attack vector is opened up on so many different vehicles because of problems in the OBD standard is very significant in itself. Sure, it might be a few years before we see script kiddies setting this stuff up en-masse, but in the meantime a specifically targeted attack would only take one dedicated and creative individual with a small budget.

  7. https://www.youtube.com/watch?v=3jstaBeXgAs

    From his laptop, he was able to manipulate the car’s engine, brakes and security systems by wirelessly tapping into the Controller Area Network, or CAN bus, network … by implementing some off-the-shelf chips, a third party telematic control unit, a GSM-powered wireless transmitter/receiver setup, and a significant amount of know-how he’s accrued over the years.

    I recall another similar video where someone was challenged to do something similar in a weekend and he was also able to take over some key functions.

      1. Ever heard of ‘Social Engineering’ attacks, particularly the variety where they leave a thumbdrive loaded with malware sitting around, and some clueless user picks it up and sticks it in their computer (and if they’re that dumb, they probably have Auto-Run enabled too!)….no need to break in if they happily open the door and bring you inside.

    1. I’m going to be honest there is a horrid design in many cars today.
      Some stuff should not be controlled by a computer such as the hand brake,gear selector, and head lights.
      It should not be possible for the ABS to fully lock out the brakes either.

  8. people who note that you have to get into the car to install the dongle aren’t completely correct some cars have an auxiliary access port for diagnostics at the factory/dealer which might be in the wheel well or in an engine bay. also you can often get to the harness of the car without opening the doors and tech manuals describing all the locations and wire colours are easily available.

  9. People keep reporting this shit & it just makes it harder for the rest us to use an off the shelf product to do the same things. For those of us that WANT an easy way to hack up our vehicles for testing, reporting it doesn’t make it any better or easier. I also find it really depressing that they had to “discover” that the diagnostic port was serial. Uh, seriously?

Leave a Reply to geonomadCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.