Argus Cyber Security found security gaps in the Bosch Drivelog Connector dongle and in its authentication process with the Drivelog Connect application, and promptly informed Bosch, which took immediate action to address the vulnerabilities.
The Argus research group succeeded in remotely taking over safety-critical vehicle systems via a Bosch Drivelog Connector dongle installed in the vehicle. A vulnerability found in the authentication process between the dongle and the Drivelog Connect smartphone application enabled Argus researchers to uncover the security code within minutes and communicate with the dongle from a standard Bluetooth device, such as a smartphone or laptop.
After gaining access to the communications channel, Argus researchers were able to duplicate the message command structure and inject malicious messages into the in-vehicle network. By effectively bypassing the secure message filter, which was designed to allow only specific messages, the Argus research group was able to take control of a moving car, which it demonstrated by remotely stopping the engine.
A full technical account of the attack is posted on Argus’ blog, which states:
“The information leak allowed us to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once connected to the dongle, security holes in the message filter of the dongle enabled us to inject malicious messages into the vehicle CAN bus.
In our research, we were able to turn off the engine of a moving car while within Bluetooth range. As troubling as that is, in a more general sense, since we can use the dongle to inject malicious messages into the CAN bus, we may have been able to manipulate other ECUs on the network. If an attacker were to implement this attack method in the wild, we estimate that he could cause physical effects on most vehicles on the road today.”
Only a short time after being notified, Bosch has already implemented an initial fix. It is important to note that the scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle. Furthermore, an initial attack requires brute-forcing the PIN for a given dongle and sending a malicious CAN message that fits the constraints of the dongle and the vehicle.
Thorsten Kuhles, head of the Bosch Product Security Incident Response Team (PSIRT), said, “To further increase security, a patch that fixes the underlying weaknesses in the encryption protocol will be available shortly. This patch will prevent the kind of attack as described by Argus.”
For more information, please refer to the Bosch Security Advisory.