The Bosch Drivelog Connector, an OBD2 dongle designed for vehicle diagnostics and connectivity, has been identified as having certain security vulnerabilities. This article provides an overview of these vulnerabilities and the steps Bosch has taken to mitigate them, ensuring users are informed about the security aspects of using OBD2 dongles in their vehicles.
Understanding the Vulnerabilities in Bosch Drivelog OBD2 Dongles
Security researchers at Argus Cyber Security discovered two potential weaknesses in the Bosch Drivelog Connector and its associated smartphone application. These issues, while requiring physical proximity for exploitation, highlight important security considerations for connected car devices.
Bluetooth Pairing Weakness
The first vulnerability concerns the Bluetooth pairing process between the Bosch OBD2 dongle and the smartphone app. The initial “Just Works” pairing mechanism was found to be susceptible to brute-force attacks: an attacker within Bluetooth range could attempt to guess the PIN and gain unauthorized access to the dongle. A successful pairing could then allow further malicious actions.
CAN Bus Command Injection via Malicious App
The second issue identified is related to the potential for malicious manipulation of the mobile application. If a user were to install a compromised or maliciously modified version of the Drivelog Connect app (not obtained from official sources like Bosch), this app could potentially be used to send unauthorized CAN (Controller Area Network) messages to the vehicle through the OBD2 dongle. This could, in theory, lead to unintended or malicious commands being executed within the vehicle’s systems.
Bosch’s Proactive Security Measures and Solutions
Bosch has responded proactively to these identified vulnerabilities and implemented solutions to enhance the security of the Drivelog Connect system. Bosch also emphasizes that such attacks scale poorly, as each one requires close physical proximity to the OBD2 dongle.
Enhanced Authentication and Two-Step Verification
To address the Bluetooth pairing vulnerability, Bosch has implemented a server-side mitigation involving a two-step verification process for registering additional users to a device. This measure adds an extra layer of security to the authentication process without requiring immediate user action. Furthermore, Bosch has announced that application and dongle firmware updates will be released to further strengthen the authentication process and overall security.
Firmware Updates to Restrict CAN Bus Commands
Regarding the risk of malicious CAN bus commands, Bosch is developing a firmware update for the OBD2 dongle. This update will further restrict the range of commands that the dongle is authorized to transmit onto the vehicle’s CAN bus. This measure will limit the potential impact of a maliciously modified mobile application, even in the unlikely event of a user installing one.
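The following is an added illustration of the kind of dongle-side restriction described above; it is example code, not Bosch's firmware. It forwards only well-formed OBD-II requests for read-only diagnostic services and drops every other frame the phone app submits. The frame struct, the contents of the allowlist and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed CAN frame layout (hypothetical; not the dongle's real type). */
typedef struct {
    uint32_t id;      /* 11-bit CAN identifier */
    uint8_t  dlc;     /* data length code, 0..8 */
    uint8_t  data[8];
} can_frame_t;

/* OBD-II request identifiers: 0x7DF is the functional (broadcast)
 * request ID; 0x7E0..0x7E7 address individual ECUs. */
#define OBD_FUNCTIONAL_ID 0x7DFu
#define OBD_PHYS_ID_MIN   0x7E0u
#define OBD_PHYS_ID_MAX   0x7E7u

/* Read-only diagnostic services the dongle may forward (assumed list).
 * Anything not listed, e.g. 0x04 (clear DTCs) or manufacturer/UDS
 * control services, is dropped rather than passed to the vehicle. */
static const uint8_t allowed_services[] = { 0x01, 0x02, 0x03, 0x07, 0x09 };

static bool service_allowed(uint8_t sid) {
    for (size_t i = 0; i < sizeof allowed_services; i++)
        if (allowed_services[i] == sid) return true;
    return false;
}

/* Returns true only if the frame received from the app is a valid
 * ISO-TP single frame carrying an allowed OBD-II service request.
 * Everything else is rejected before it reaches the CAN bus. */
bool dongle_allow_frame(const can_frame_t *f) {
    if (f == NULL || f->dlc > 8) return false;
    bool obd_id = (f->id == OBD_FUNCTIONAL_ID) ||
                  (f->id >= OBD_PHYS_ID_MIN && f->id <= OBD_PHYS_ID_MAX);
    if (!obd_id) return false;                 /* raw ECU traffic: rejected */
    /* Single frame: PCI high nibble 0, low nibble = payload length 1..7. */
    uint8_t pci_type = f->data[0] >> 4;
    uint8_t len      = f->data[0] & 0x0F;
    if (f->dlc < 2 || pci_type != 0 || len < 1 || len > 7 || len + 1 > f->dlc)
        return false;
    return service_allowed(f->data[1]);        /* byte 1 is the service ID */
}
```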
Staying Secure with Your Bosch OBD2 Dongle
The vulnerabilities identified in the Bosch Drivelog Connector highlight the importance of security in connected vehicle technology. Bosch’s response demonstrates a commitment to addressing these concerns and enhancing the security of its products. For users of Bosch OBD2 dongles, it is crucial to:
- Only download the official Drivelog Connect application from trusted app stores. Avoid sideloading apps from unofficial sources, as these could be compromised versions.
- Keep your Drivelog Connect application and dongle firmware updated when updates become available. These updates will include the latest security enhancements.
By staying informed and taking these precautions, users can continue to benefit from the connectivity features of Bosch OBD2 dongles while minimizing potential security risks. Bosch’s transparent approach to addressing these vulnerabilities underscores the ongoing efforts within the automotive industry to ensure the security of connected vehicles.